[ros-dev] Undocumented field in PEB?

Jun Koi junkoi2004 at gmail.com
Fri Mar 6 08:46:56 CET 2009


Hi,

I notice that in Windows Vista - and also Windows XP - there seems to
be an undocumented field in PEB.

From WinDbg, I found the following fields in the PEB structure:

...
   +0x064 NumberOfProcessors : Uint4B
   +0x068 NtGlobalFlag     : Uint4B
   +0x070 CriticalSectionTimeout : _LARGE_INTEGER
...

We can see that NtGlobalFlag is at offset 0x68 and is a 4-byte field,
so the next field should be at 0x6C. However, CriticalSectionTimeout
is at 0x70.

- So the question is: why does that happen? I suspect that there is an
undocumented field after NtGlobalFlag which has been removed from the
debugging data. Any idea?

- Another thing: ReactOS currently declares the PEB structure faithfully
as above, without that secret 4-byte hole. As a result, ReactOS's PEB
size is 4 bytes shorter than the PEB structure in Windows. Do we need
to care about that, or not?

Thanks,
J
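The gap in the quoted WinDbg output is what ordinary structure alignment produces: _LARGE_INTEGER is an 8-byte union that the compiler places on an 8-byte boundary, so the bytes 0x6C..0x6F after NtGlobalFlag are implicit padding rather than a field. The C program below is an added example, not code from this thread or from ReactOS; it models only the three quoted fields (with a constructed 0x64-byte placeholder in front of them, which is an assumption, not the real PEB prefix) and reports the resulting offsets, the padding, and the 4-byte size difference versus a hole-free layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the Windows _LARGE_INTEGER: an 8-byte union. MSVC gives it
   8-byte alignment on both x86 and x64; _Alignas(8) pins that here so the
   result does not depend on the host ABI (32-bit SysV would otherwise use 4). */
typedef union {
    struct { uint32_t LowPart; int32_t HighPart; } u;
    _Alignas(8) int64_t QuadPart;
} LargeInteger;

/* Only the three fields quoted from WinDbg are modelled. The 0x64 bytes
   before them are a constructed placeholder, not the real PEB layout. */
typedef struct {
    uint8_t      Preceding[0x64];
    uint32_t     NumberOfProcessors;     /* expected at +0x064 */
    uint32_t     NtGlobalFlag;           /* expected at +0x068 */
    LargeInteger CriticalSectionTimeout; /* expected at +0x070, not +0x06C */
} PebFragment;

size_t offset_of_ntglobalflag(void)           { return offsetof(PebFragment, NtGlobalFlag); }
size_t offset_of_criticalsectiontimeout(void) { return offsetof(PebFragment, CriticalSectionTimeout); }

/* Where the field would land if members were simply laid out back to back. */
size_t unaligned_offset_after_ntglobalflag(void) {
    return offset_of_ntglobalflag() + sizeof(uint32_t);
}

/* Implicit padding the compiler inserts so the 8-byte union starts on an
   8-byte boundary: the "hole" visible in the debugger output. */
size_t padding_before_criticalsectiontimeout(void) {
    return offset_of_criticalsectiontimeout() - unaligned_offset_after_ntglobalflag();
}

/* Size difference versus a declaration that omits the alignment hole. */
size_t size_difference_without_hole(void) {
    size_t packed = sizeof(uint8_t[0x64]) + 2 * sizeof(uint32_t) + sizeof(LargeInteger);
    return sizeof(PebFragment) - packed;
}

int main(void) {
    printf("NtGlobalFlag           at +0x%03zx\n", offset_of_ntglobalflag());
    printf("CriticalSectionTimeout at +0x%03zx (%zu padding bytes before it)\n",
           offset_of_criticalsectiontimeout(), padding_before_criticalsectiontimeout());
    printf("sizeof(PebFragment) = 0x%zx, %zu bytes larger than a hole-free layout\n",
           sizeof(PebFragment), size_difference_without_hole());
    return 0;
}
```

The same 4-byte difference appears whenever a declaration packs the timeout directly after NtGlobalFlag, which is why a layout "without the hole" comes out short when compared byte for byte against the Windows structure.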
