PEB & TEB In-Memory Analysis
An interactive simulation of how malware uses process internals for stealthy execution.
Physical RAM / Disk
Windows Kernel
Windows Loader
malware.exe
Shared System DLLs
ntdll.dll
kernel32.dll
Process Creation Phases
1. EPROCESS/Security
2. Thread/Addr Space
3. User Structs
4. Subsystem/Stack
5. Handoff
EPROCESS
PID1234
TokenSecurity
VAD RootMemory
ETHREAD
TID5678
StateReady
Priority8
SECURITY
CHECK
β PASSED
Virtual Memory Layout
...
...
...
...
Handle Table
Handle 0x04: Process
Handle 0x08: Thread
Handle 0x0C: Token
Process Virtual Memory Space
CPU
(System-wide Resource)
GS Register β TEB
Image Base: malware.exe
PEB
BeingDebugged0
NtGlobalFlag0x0
Ldr0x0...
Primary Thread's TEB
Tib (NT_TIB){...}
ProcessEnvBlock0x0...
Malware's Target Hashes
CreateProcessA β 0x1A2B3C4D
_PEB_LDR_DATA
Length0x30
InitializedTRUE
InLoadOrderModuleList0x77F8...
InMemoryOrderModuleList0x77F8...
InInitializationOrderModuleList0x77F8...
InLoadOrderModuleList
ntdll.dll
kernel32.dll
user32.dll
kernel32.dll Export Directory
AddressOfNames
CreateProcessA
VirtualAlloc
WriteProcessMemory
NameOrdinals
0
1
2
AddrOfFunctions
0x75B9B2A0
0x75B91140
0x75B9BE90
Other Thread TEB
Other Thread TEB
Simulation Control
OffOn