[ros-dev] Undocumented field in PEB?
Alex Ionescu
ionucu at videotron.ca
Fri Mar 6 09:13:24 CET 2009
There is nothing "undocumented". LARGE_INTEGER is 8 bytes long and
alignment padding is 8 bytes on x86.
On 6-Mar-09, at 2:46 AM, Jun Koi wrote:
> Hi,
>
> I notice that in Windows Vista - and also Windows XP - there seems to
> be an undocumented field in PEB.
>
> From Windbg, I found the following fields in the PEB structure:
>
> ...
> +0x064 NumberOfProcessors : Uint4B
> +0x068 NtGlobalFlag : Uint4B
> +0x070 CriticalSectionTimeout : _LARGE_INTEGER
> ...
>
> We can see that NtGlobalFlag is at offset 0x68, and is a 4-byte field.
> So the next field should be at 0x6C. However, CriticalSectionTimeout
> is at 0x70.
>
> - So the question is why that happens? I suspect that there is an
> undocumented field after NtGlobalFlag, which is removed from the
> debugging data. Any idea?
>
> - Another thing: ReactOS now faithfully declares the PEB structure
> like above, without that secret 4-byte hole. As a result,
> ReactOS's PEB size is 4 bytes shorter than the PEB structure in Windows. Do
> we need to care about that? Or not?
>
> Thanks,
> J
Best regards,
Alex Ionescu
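
The layout question in this thread can be checked mechanically. The following is an added example, not part of the original messages and not ReactOS or Windows code: it declares only the three quoted fields, with no padding member, and reports where the compiler puts the hole. `PEB_FRAGMENT`, `LARGE_INTEGER_MODEL`, `Earlier`, `align_up` and `hole_after` are hypothetical names, and the 8-byte alignment is pinned with `_Alignas(8)` as an assumption matching the reply.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of LARGE_INTEGER: 8 bytes wide. _Alignas(8) pins the 8-byte
   alignment the reply describes, so the result is the same on any host ABI. */
typedef union {
    struct { uint32_t LowPart; int32_t HighPart; } u;
    _Alignas(8) int64_t QuadPart;
} LARGE_INTEGER_MODEL;

/* Only the three fields quoted in the post; Earlier[] is a placeholder
   standing in for everything before +0x064 (assumption, not the real layout). */
typedef struct {
    uint8_t  Earlier[0x64];
    uint32_t NumberOfProcessors;                 /* +0x064 */
    uint32_t NtGlobalFlag;                       /* +0x068 */
    LARGE_INTEGER_MODEL CriticalSectionTimeout;  /* no pad member declared */
} PEB_FRAGMENT;

typedef struct { const char *name; size_t offset, size; } FIELD;
#define F(m) { #m, offsetof(PEB_FRAGMENT, m), sizeof(((PEB_FRAGMENT *)0)->m) }
static const FIELD fields[] = {
    F(NumberOfProcessors), F(NtGlobalFlag), F(CriticalSectionTimeout)
};
#define NFIELDS (sizeof fields / sizeof fields[0])

/* Round an offset up to the next multiple of a power-of-two alignment. */
size_t align_up(size_t offset, size_t alignment) {
    return (offset + alignment - 1) & ~(alignment - 1);
}

/* Padding bytes the compiler placed between field i and field i + 1. */
size_t hole_after(size_t i) {
    return fields[i + 1].offset - (fields[i].offset + fields[i].size);
}

int main(void) {
    for (size_t i = 0; i < NFIELDS; i++) {
        printf("+0x%03zx %-24s %zu bytes\n", fields[i].offset, fields[i].name, fields[i].size);
        if (i + 1 < NFIELDS && hole_after(i))
            printf("       <%zu bytes of alignment padding>\n", hole_after(i));
    }
    printf("sizeof fragment = 0x%zx\n", sizeof(PEB_FRAGMENT));
    return 0;
}
```

Turning the offset checks into compile-time assertions in a structure's header catches layout drift whenever a field or packing option changes.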