[ros-dev] Undocumented field in PEB?
Jun Koi
junkoi2004 at gmail.com
Fri Mar 6 09:48:07 CET 2009
On Fri, Mar 6, 2009 at 5:13 PM, Alex Ionescu <ionucu at videotron.ca> wrote:
> There is nothing "undocumented". LARGE_INTEGER is 8 bytes long and
> alignment padding is 8 bytes on x86.
I still don't understand your idea. This has nothing to do with how
large LARGE_INTEGER is, AFAICT.
Let's see again: NtGlobalFlag is 4 bytes, and it starts at 0x68. So the
next field should start at 0x68 + 4 = 0x6C.
But in fact the next field (CriticalSectionTimeout) starts at 0x70.
No matter how big it is, we actually don't care - because it is the
next field.
The question is: what is in the hole 0x68 -> 0x70 ? (that is 4 bytes)
Thanks,
J
>
> On 6-Mar-09, at 2:46 AM, Jun Koi wrote:
>
>> Hi,
>>
>> I notice that in Windows Vista - and also Windows XP - there seems to
>> be an undocumented field in PEB.
>>
>> From Windbg, I found the fields below in the PEB structure:
>>
>> ...
>> +0x064 NumberOfProcessors : Uint4B
>> +0x068 NtGlobalFlag : Uint4B
>> +0x070 CriticalSectionTimeout : _LARGE_INTEGER
>> ...
>>
>> We can see that NtGlobalFlag is at offset 0x68, and is a 4-byte field.
>> So the next field should be at 0x6C. However, CriticalSectionTimeout
>> is at 0x70.
>>
>> - So the question is why that happens? I suspect that there is an
>> undocumented field after NtGlobalFlag, which is removed from the
>> debugging data. Any idea?
>>
>> - Another thing: ReactOS now faithfully declares the PEB structure
>> like above, without that secret 4-byte hole. As a result,
>> ReactOS's PEB size is 4 bytes shorter than the PEB structure in Windows. Do
>> we need to care about that? Or not?
>>
>> Thanks,
>> J
>> _______________________________________________
>> Ros-dev mailing list
>> Ros-dev at reactos.org
>> http://www.reactos.org/mailman/listinfo/ros-dev
>
> Best regards,
> Alex Ionescu
>
>
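Added example, not part of the original thread or of the ReactOS sources: a small layout calculator that applies the usual compiler rule (each field goes at the next offset that is a multiple of min(alignment, packing)) to the three fields from the WinDbg listing, then cross-checks the result with offsetof on a compiled struct. The 8-byte alignment of LARGE_INTEGER is taken from Alex Ionescu's reply; the names field_t, lay_out, peb_tail and peb_model_t, and the Before[] placeholder, are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One member of a structure: its size and the alignment its type requires. */
typedef struct { const char *name; size_t size, align, offset; } field_t;

/* Place each field at the next offset that satisfies min(align, pack), the
 * rule C compilers apply; returns the total number of padding bytes inserted. */
static size_t lay_out(field_t *f, size_t n, size_t start, size_t pack)
{
    size_t off = start, holes = 0;
    for (size_t i = 0; i < n; i++) {
        size_t a = f[i].align < pack ? f[i].align : pack;
        size_t aligned = (off + a - 1) / a * a;   /* round up to multiple of a */
        holes += aligned - off;
        f[i].offset = aligned;
        off = aligned + f[i].size;
    }
    return holes;
}

/* Fields from the WinDbg listing in the thread; 8-byte alignment for
 * LARGE_INTEGER is the assumption stated in Alex Ionescu's reply. */
static field_t peb_tail[] = {
    { "NumberOfProcessors",     4, 4, 0 },
    { "NtGlobalFlag",           4, 4, 0 },
    { "CriticalSectionTimeout", 8, 8, 0 },
};

/* Same three fields as a real struct; _Alignas(8) models the 8-byte alignment. */
typedef struct {
    uint8_t  Before[0x64];   /* placeholder for everything before +0x064 */
    uint32_t NumberOfProcessors;
    uint32_t NtGlobalFlag;
    _Alignas(8) int64_t CriticalSectionTimeout;
} peb_model_t;

int main(void)
{
    size_t holes = lay_out(peb_tail, 3, 0x64, 8);
    for (size_t i = 0; i < 3; i++)
        printf("+0x%03zx %s\n", peb_tail[i].offset, peb_tail[i].name);
    printf("padding bytes: %zu, offsetof in compiled struct: 0x%zx\n",
           holes, offsetof(peb_model_t, CriticalSectionTimeout));
    return 0;
}
```

Calling lay_out with a packing of 4 instead of 8 places CriticalSectionTimeout at 0x6C with no padding, which is the 4-byte difference in structure size raised in the original question.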