1

I found an example that uses the debugger engine API to get at the PEB in a dump. Is this possible using DbgHelp? Have existing code that uses DbgHelp to pull out comment and exception information. Would like to grab some info from PEB if possible.

Chuck Kasabula
  • Pretty sure the way is to use the Memory64List and MemoryInfoList streams to get at the memory where the PEB is stored, but not sure how to go about it. – Chuck Kasabula Feb 28 '13 at 17:34
  • [This CodeProject](http://www.codeproject.com/Articles/10438/Navigating-the-PEB) may be of some help to you. I should also mention that most of the information in the PEB can be obtained by other, probably safer, means. – Sean Cline Feb 28 '13 at 17:35
  • Thanks. That article is about getting the PEB from a running process. I am interested in getting it from a dump file. – Chuck Kasabula Feb 28 '13 at 18:15

2 Answers

1

You can use the MiniDumpReadDumpStream function to read streams from the dump file. Just read the dump file into the memory or map it into the memory, and use this function.

To access the PEB, read the ThreadListStream from the dump file. The MINIDUMP_THREAD_LIST structure will contain an array of MINIDUMP_THREAD structures, which have a Teb field with the address of the TEB for that thread.

The difference between the TEB and PEB on 32-bit and 64-bit is that the pointers are 8 bytes on 64-bit.

This means for a 32-bit process the address of the PEB can be found at offset 0x30 of the TEB. For a 64-bit process the address of the PEB can be found at offset 0x60 of the TEB.

You will need to roll your own memory reader functions when reading memory from a minidump file.

Calmarius
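A worked example of the procedure in this answer (and of the Memory64List idea from the question's comments), added here and not part of the original post or of DbgHelp: it walks the minidump directory itself (the lookup that MiniDumpReadDumpStream does for you), takes the first thread's Teb from ThreadListStream, resolves virtual addresses through Memory64ListStream (the "roll your own" memory reader), and reads the PEB pointer at TEB+0x30 or TEB+0x60, then ImageBaseAddress from the PEB. The dump bytes, addresses, and thread id are constructed sample data; the `is_64bit` flag stands in for checking the ProcessorArchitecture field of SystemInfoStream, and all function names are this example's own.

```python
import struct

# Constants from minidumpapiset.h
MINIDUMP_SIGNATURE = 0x504D444D   # 'PMDM', i.e. the bytes "MDMP" at file offset 0
MINIDUMP_VERSION = 0xA793
THREAD_LIST_STREAM = 3
MEMORY64_LIST_STREAM = 9

# Little-endian, 4-byte packed layouts (the headers are wrapped in pshpack4.h)
HEADER_FMT = "<IIIIIIQ"     # Signature, Version, NumberOfStreams, StreamDirectoryRva, CheckSum, TimeDateStamp, Flags
DIR_FMT = "<III"            # MINIDUMP_DIRECTORY: StreamType, Location.DataSize, Location.Rva
THREAD_FMT = "<IIIIQQIIII"  # MINIDUMP_THREAD: ThreadId, SuspendCount, PriorityClass, Priority, Teb,
                            #   Stack.StartOfMemoryRange, Stack.DataSize, Stack.Rva, ThreadContext.DataSize, ThreadContext.Rva
THREAD_SIZE = struct.calcsize(THREAD_FMT)  # 48 bytes


def read_dump_stream(dump, stream_type):
    """Locate one stream via the directory; this is what MiniDumpReadDumpStream does."""
    sig, _ver, nstreams, dir_rva, _csum, _ts, _flags = struct.unpack_from(HEADER_FMT, dump, 0)
    if sig != MINIDUMP_SIGNATURE:
        raise ValueError("not a minidump file")
    for i in range(nstreams):
        stype, size, rva = struct.unpack_from(DIR_FMT, dump, dir_rva + i * struct.calcsize(DIR_FMT))
        if stype == stream_type:
            return dump[rva:rva + size]
    raise KeyError("stream %d not present in dump" % stream_type)


def memory_ranges(dump):
    """Memory64ListStream -> list of (virtual_start, size, file_offset); data follows BaseRva back to back."""
    data = read_dump_stream(dump, MEMORY64_LIST_STREAM)
    count, base_rva = struct.unpack_from("<QQ", data, 0)
    ranges, file_off = [], base_rva
    for i in range(count):
        start, size = struct.unpack_from("<QQ", data, 16 + i * 16)  # MINIDUMP_MEMORY_DESCRIPTOR64
        ranges.append((start, size, file_off))
        file_off += size
    return ranges


def read_virtual(dump, ranges, address, length):
    """The hand-rolled memory reader: map a captured virtual address to bytes in the file."""
    for start, size, file_off in ranges:
        if start <= address and address + length <= start + size:
            pos = file_off + (address - start)
            return dump[pos:pos + length]
    raise LookupError("address %#x not captured in dump" % address)


def teb_addresses(dump):
    """Teb field of every MINIDUMP_THREAD in ThreadListStream."""
    data = read_dump_stream(dump, THREAD_LIST_STREAM)
    (count,) = struct.unpack_from("<I", data, 0)
    return [struct.unpack_from(THREAD_FMT, data, 4 + i * THREAD_SIZE)[4] for i in range(count)]


def peb_address(dump, is_64bit):
    """PEB pointer lives at TEB+0x30 (x86) or TEB+0x60 (x64), as the answer states."""
    ranges = memory_ranges(dump)
    teb = teb_addresses(dump)[0]
    off, fmt = (0x60, "<Q") if is_64bit else (0x30, "<I")
    return struct.unpack_from(fmt, read_virtual(dump, ranges, teb + off, struct.calcsize(fmt)))[0]


def peb_image_base(dump, is_64bit):
    """PEB.ImageBaseAddress sits at PEB+0x08 (x86) or PEB+0x10 (x64)."""
    off, fmt = (0x10, "<Q") if is_64bit else (0x08, "<I")
    peb = peb_address(dump, is_64bit)
    return struct.unpack_from(fmt, read_virtual(dump, memory_ranges(dump), peb + off, struct.calcsize(fmt)))[0]


def build_sample_dump(is_64bit):
    """Constructed minidump: one thread plus two Memory64 ranges holding a TEB page and a PEB page."""
    teb, peb = (0x7FF7A0000000, 0x7FF7A1000000) if is_64bit else (0x7FFDE000, 0x7FFDF000)
    image_base = 0x7FF600000000 if is_64bit else 0x00400000
    ptr_fmt = "<Q" if is_64bit else "<I"
    peb_off, base_off = (0x60, 0x10) if is_64bit else (0x30, 0x08)
    teb_page, peb_page = bytearray(0x100), bytearray(0x100)
    struct.pack_into(ptr_fmt, teb_page, peb_off, peb)           # TEB.ProcessEnvironmentBlock
    struct.pack_into(ptr_fmt, peb_page, base_off, image_base)   # PEB.ImageBaseAddress
    thread_list = struct.pack("<I", 1) + struct.pack(THREAD_FMT, 0x1234, 0, 0, 0, teb, 0, 0, 0, 0, 0)
    thread_rva = struct.calcsize(HEADER_FMT) + 2 * struct.calcsize(DIR_FMT)
    mem_rva = thread_rva + len(thread_list)
    data_rva = mem_rva + 16 + 2 * 16
    mem_list = (struct.pack("<QQ", 2, data_rva)
                + struct.pack("<QQ", teb, len(teb_page))
                + struct.pack("<QQ", peb, len(peb_page)))
    directory = (struct.pack(DIR_FMT, THREAD_LIST_STREAM, len(thread_list), thread_rva)
                 + struct.pack(DIR_FMT, MEMORY64_LIST_STREAM, len(mem_list), mem_rva))
    header = struct.pack(HEADER_FMT, MINIDUMP_SIGNATURE, MINIDUMP_VERSION, 2, struct.calcsize(HEADER_FMT), 0, 0, 0)
    return header + directory + thread_list + mem_list + bytes(teb_page) + bytes(peb_page)


if __name__ == "__main__":
    for bits in (False, True):
        d = build_sample_dump(bits)
        print("%s: PEB=%#x ImageBase=%#x" % ("x64" if bits else "x86", peb_address(d, bits), peb_image_base(d, bits)))
```

Memory64ListStream is what a dump written with MiniDumpWithFullMemory carries; a default minidump instead has MemoryListStream (type 5, descriptors of StartOfMemoryRange plus a DataSize/Rva location), and usually captures only thread stacks, so `read_virtual` will raise for the TEB unless the dump was taken with full memory or MiniDumpWithProcessThreadData. A reader for real dumps should handle both list types and, for a 32-bit process dumped under WOW64, remember that the thread list exposes the native 64-bit TEB.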
0

There's a !peb command in WinDbg, which works for dumps. See also here: http://windbg.info/doc/1-common-cmds.html

mooware