Hi,
I notice that in Windows Vista - and also Windows XP - there seems to be an undocumented field in the PEB.
From WinDbg, I found the fields below in the PEB structure:
    ...
    +0x064 NumberOfProcessors : Uint4B
    +0x068 NtGlobalFlag : Uint4B
    +0x070 CriticalSectionTimeout : _LARGE_INTEGER
    ...
We can see that NtGlobalFlag is at offset 0x68, and is a 4-byte field. So the next field should be at 0x6C. However, CriticalSectionTimeout is at 0x70.
- So the question is: why does that happen? I suspect that there is an undocumented field after NtGlobalFlag, which is removed from the debugging data. Any idea?
- Another thing: ReactOS now faithfully declares the PEB structure as above, without that secret 4-byte hole. As a result, ReactOS's PEB is 4 bytes shorter than the PEB structure in Windows. Do we need to care about that? Or not?
Thanks, J
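
An added example, not part of the original message: a constructed C model of the quoted fragment that checks whether the 4-byte gap follows from ordinary alignment rules, by comparing a hand-computed layout with the offset the compiler assigns. The names `large_integer_t`, `peb_fragment_t`, `FIELDS`, `layout` and `compiler_offset` are hypothetical, and the 8-byte alignment of the 64-bit member is an assumption matching how MSVC aligns `LARGE_INTEGER` on x86.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for LARGE_INTEGER; 8-byte alignment is stated explicitly (assumption). */
typedef union {
    struct { uint32_t LowPart; int32_t HighPart; } u;
    _Alignas(8) int64_t QuadPart;
} large_integer_t;

/* Constructed model of the quoted fragment; bytes before 0x64 are opaque. */
typedef struct {
    uint8_t         before[0x64];
    uint32_t        NumberOfProcessors;
    uint32_t        NtGlobalFlag;
    large_integer_t CriticalSectionTimeout;
} peb_fragment_t;

typedef struct { const char *name; size_t size, align; } field_t;
static const field_t FIELDS[] = {
    { "NumberOfProcessors",     4, 4 },
    { "NtGlobalFlag",           4, 4 },
    { "CriticalSectionTimeout", 8, 8 },
};
#define NFIELDS (sizeof FIELDS / sizeof FIELDS[0])

/* Place fields in order from `start`, rounding each offset up to
   min(field alignment, pack); returns the padding bytes inserted. */
size_t layout(size_t start, size_t pack, size_t out[NFIELDS]) {
    size_t off = start, pad = 0;
    for (size_t i = 0; i < NFIELDS; i++) {
        size_t a = FIELDS[i].align < pack ? FIELDS[i].align : pack;
        size_t aligned = (off + a - 1) / a * a;   /* round up to a multiple of a */
        pad += aligned - off;
        out[i] = aligned;
        off = aligned + FIELDS[i].size;
    }
    return pad;
}

/* Offset the compiler itself assigns to the 64-bit field. */
size_t compiler_offset(void) { return offsetof(peb_fragment_t, CriticalSectionTimeout); }

int main(void) {
    size_t o[NFIELDS];
    printf("padding=%zu compiler=0x%zx\n", layout(0x64, 8, o), compiler_offset());
    for (size_t i = 0; i < NFIELDS; i++) printf("+0x%03zx %s\n", o[i], FIELDS[i].name);
    return 0;
}
```

Calling `layout` with `pack` set to 4 places the 64-bit field at 0x6C with no padding, which is the layout a 4-byte packing limit would give.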