Last review: Sept 15, 2025

Some internal Windows functions need to know the @BASE address. To find it, they use the "Process Environment Block" (PEB), an internal Windows structure that provides information about a process. A pointer to the structure is stored in the GS segment (Intel processors split memory into multiple segments, at least in real mode) and can be read with the following function: __readgsqword(0x60), which returns a pointer to a structure representing the PEB:

    typedef struct _PEB
    {
        // ...
        PVOID ImageBaseAddress;
        // ...
    } PEB, * PPEB;

In this structure, the field ImageBaseAddress should contain the @BASE. Initially, this field holds the base address of our loader and not @BASE. Therefore, a PE loader needs to update this field.
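
The update described above, as an added example that is not code from the original page. PEB_HEAD (a partial x64 layout), looks_like_pe, peb_set_image_base and demo_update are names chosen for this example, and the header check is an extra sanity step the page does not mention; the constructed demo runs on a mock PEB, while current_peb is only compiled on 64-bit Windows.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Leading fields of the x64 PEB. PEB_HEAD is this example's own name. */
typedef struct {
    uint8_t InheritedAddressSpace, ReadImageFileExecOptions, BeingDebugged, BitField;
    void   *Mutant;                      /* 4 bytes of alignment padding precede it */
    void   *ImageBaseAddress;            /* offset 0x10 on x64 */
} PEB_HEAD;
#if defined(_WIN64)                      /* the real PEB, read as the page describes */
#include <intrin.h>
PEB_HEAD *current_peb(void) { return (PEB_HEAD *)__readgsqword(0x60); }
#endif

/* Minimal header check: "MZ", then e_lfanew (at 0x3C) must point to "PE\0\0". */
int looks_like_pe(const uint8_t *img, size_t size)
{
    uint32_t e_lfanew;                   /* read in host order: little-endian assumed */
    if (img == NULL || size < 0x40 || memcmp(img, "MZ", 2) != 0) return 0;
    memcpy(&e_lfanew, img + 0x3C, sizeof e_lfanew);
    if (e_lfanew > size || size - e_lfanew < 4) return 0;
    return memcmp(img + e_lfanew, "PE\0\0", 4) == 0;
}

/* Sets ImageBaseAddress to @BASE and saves the loader's base in *old_base.
 * Returns 1 on success, 0 (field left untouched) if the image is rejected. */
int peb_set_image_base(PEB_HEAD *peb, void *base, size_t size, void **old_base)
{
    if (peb == NULL || !looks_like_pe((const uint8_t *)base, size)) return 0;
    if (old_base != NULL) *old_base = peb->ImageBaseAddress;
    peb->ImageBaseAddress = base;
    return 1;
}

/* Constructed case (mock PEB, fake 0x80-byte image; no real process state).
 * Returns 1 = updated and old base saved, 2 = rejected and untouched, 0 = bug. */
int demo_update(int valid_image)
{
    static uint8_t loader[0x80];         /* stands in for the loader's own base */
    uint8_t image[0x80] = {0};           /* stands in for the mapped PE at @BASE */
    PEB_HEAD peb = { .ImageBaseAddress = loader };
    void *old = NULL;
    if (valid_image) {
        memcpy(image, "MZ", 2);
        image[0x3C] = 0x40;              /* e_lfanew = 0x40, little-endian */
        memcpy(image + 0x40, "PE\0\0", 4);
    }
    if (peb_set_image_base(&peb, image, sizeof image, &old))
        return old == (void *)loader && peb.ImageBaseAddress == (void *)image;
    return peb.ImageBaseAddress == (void *)loader ? 2 : 0;
}
```

Keeping the previous value lets the loader restore the field if a later loading step fails.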