Exploring the Process Environment Block (PEB) with WinDbg

The source code for this example can be found here. The assembly is:

mov ebx, fs:[ 0x30 ] ; // get a pointer to the PEB
mov ebx, [ ebx + 0x0C ] ; // get PEB->Ldr

mov ebx, [ ebx + 0x1C ] ;// PEB->Ldr.InInitializationOrderModuleList

mov ebx, [ ebx + 0x08 ] ; // get the entries base address

The commands ran in this video, in order:

> r $teb

> dt _PEB <result from previous command>

> dt _PEB_LDR_DATA <PEB + 0x0C>

> dt _LDR_DATA_TABLE_ENTRY <PEB_LDR_DATA + 0x1C>

> lm ntdll