0x30
of the TIB (on Win32?) points to the PEB. NtCurrentTeb() -> ProcessEnvironmentBlock
PEB.BeingDebugged
indicates if a debugger is attached. ebx
register (x64: rbx) register points to the PEB when an exe's entry point is called. peb.c
) as github gist which gets a pointer to the PEB for every architecture that NT was ported to (x86, x64, ARM, ARM64, IA64, Alpha AXP, MIPS, PowerPC). This source relies on Visual-C compiler intrinsics. - __readfsdword(0x30)
, for x64, it is __readgsqword(0x60)
.