I have read that a Win32 process's memory contains this structure:
I have read a lot of documentation and I do not understand:
Thanks
Are this TEB and PEB specific to Windows x86 32-bit? Or are they the same for x86-64 Windows OS?
There's a TEB and PEB for 32-bit and 64-bit programs, e.g. you have TEB32 and TEB64 structures (you can see them in the kernel symbols). They have the same fields, but since x64 fields are larger (e.g. a pointer is 4 bytes on 32-bit but 8 bytes on 64-bit) their sizes differ and the field offsets are obviously different.
From a kernel debugger:
0: kd> ?? sizeof(_TEB64)
unsigned int64 0x1838
0: kd> dt _TEB64
nt!_TEB64
+0x000 NtTib : _NT_TIB64
+0x038 EnvironmentPointer : Uint8B
+0x040 ClientId : _CLIENT_ID64
+0x050 ActiveRpcHandle : Uint8B
+0x058 ThreadLocalStoragePointer : Uint8B
+0x060 ProcessEnvironmentBlock : Uint8B
+0x068 LastErrorValue : Uint4B
...
0: kd> ?? sizeof(_TEB32)
unsigned int64 0x1000
0: kd> dt _TEB32
nt!_TEB32
+0x000 NtTib : _NT_TIB32
+0x01c EnvironmentPointer : Uint4B
+0x020 ClientId : _CLIENT_ID32
+0x028 ActiveRpcHandle : Uint4B
+0x02c ThreadLocalStoragePointer : Uint4B
+0x030 ProcessEnvironmentBlock : Uint4B
+0x034 LastErrorValue : Uint4B
...
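The offset shift between the two layouts is exactly what bites when you parse a TEB out of a memory dump or read a WoW64 thread's TEB from a 64-bit process: the same field name lives at a different offset depending on which structure you are looking at. The following C program is an added example (not from the answer above) that models only the leading fields shown in the debugger output for nt!_TEB32 and nt!_TEB64, checks with offsetof() that the C layout reproduces the offsets printed by dt, and decodes a raw TEB byte buffer with the layout selected by a bitness flag. The two sample buffers are constructed inline with values placed by hand at the documented offsets (not real captures), so the decoder is checked against the debugger's numbers rather than against its own struct definitions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Leading fields of _NT_TIB / _TEB as ntdll lays them out on x86 and x64.
 * Only the prefix shown by `dt _TEB32` / `dt _TEB64` is modelled; the real
 * structures are 0x1000 / 0x1838 bytes. */
typedef struct { uint32_t ExceptionList, StackBase, StackLimit, SubSystemTib,
                 FiberData, ArbitraryUserPointer, Self; } NT_TIB32;   /* 0x1c */
typedef struct { uint64_t ExceptionList, StackBase, StackLimit, SubSystemTib,
                 FiberData, ArbitraryUserPointer, Self; } NT_TIB64;   /* 0x38 */
typedef struct { uint32_t UniqueProcess, UniqueThread; } CLIENT_ID32;
typedef struct { uint64_t UniqueProcess, UniqueThread; } CLIENT_ID64;

typedef struct {
    NT_TIB32    NtTib;                      /* +0x000 */
    uint32_t    EnvironmentPointer;         /* +0x01c */
    CLIENT_ID32 ClientId;                   /* +0x020 */
    uint32_t    ActiveRpcHandle;            /* +0x028 */
    uint32_t    ThreadLocalStoragePointer;  /* +0x02c */
    uint32_t    ProcessEnvironmentBlock;    /* +0x030 */
    uint32_t    LastErrorValue;             /* +0x034 */
} TEB32_PREFIX;

typedef struct {
    NT_TIB64    NtTib;                      /* +0x000 */
    uint64_t    EnvironmentPointer;         /* +0x038 */
    CLIENT_ID64 ClientId;                   /* +0x040 */
    uint64_t    ActiveRpcHandle;            /* +0x050 */
    uint64_t    ThreadLocalStoragePointer;  /* +0x058 */
    uint64_t    ProcessEnvironmentBlock;    /* +0x060 */
    uint32_t    LastErrorValue;             /* +0x068 */
} TEB64_PREFIX;

/* Bitness-neutral view of the fields a dump parser usually wants. */
typedef struct {
    uint64_t self;        /* NtTib.Self: linear address of the TEB itself */
    uint64_t peb;         /* ProcessEnvironmentBlock */
    uint64_t pid, tid;    /* ClientId.UniqueProcess / UniqueThread */
    uint32_t last_error;  /* LastErrorValue (what GetLastError() returns) */
} teb_summary;

/* 1 if the C structs reproduce the offsets printed by the kernel debugger. */
int teb_offsets_match(void)
{
    return offsetof(TEB32_PREFIX, EnvironmentPointer)      == 0x1c &&
           offsetof(TEB32_PREFIX, ClientId)                == 0x20 &&
           offsetof(TEB32_PREFIX, ProcessEnvironmentBlock) == 0x30 &&
           offsetof(TEB32_PREFIX, LastErrorValue)          == 0x34 &&
           offsetof(TEB64_PREFIX, EnvironmentPointer)      == 0x38 &&
           offsetof(TEB64_PREFIX, ClientId)                == 0x40 &&
           offsetof(TEB64_PREFIX, ProcessEnvironmentBlock) == 0x60 &&
           offsetof(TEB64_PREFIX, LastErrorValue)          == 0x68;
}

/* Decode raw TEB bytes with the layout selected by is64.
 * Returns 0 on success, -1 if the buffer is shorter than the modelled prefix.
 * memcpy into a local avoids unaligned access on the raw buffer. */
int teb_decode(const uint8_t *buf, size_t len, int is64, teb_summary *out)
{
    if (is64) {
        TEB64_PREFIX t;
        if (len < sizeof t) return -1;
        memcpy(&t, buf, sizeof t);
        out->self = t.NtTib.Self;           out->peb = t.ProcessEnvironmentBlock;
        out->pid  = t.ClientId.UniqueProcess; out->tid = t.ClientId.UniqueThread;
        out->last_error = t.LastErrorValue;
    } else {
        TEB32_PREFIX t;
        if (len < sizeof t) return -1;
        memcpy(&t, buf, sizeof t);
        out->self = t.NtTib.Self;           out->peb = t.ProcessEnvironmentBlock;
        out->pid  = t.ClientId.UniqueProcess; out->tid = t.ClientId.UniqueThread;
        out->last_error = t.LastErrorValue;
    }
    return 0;
}

/* Little-endian store used to build the constructed samples. */
static void put_le(uint8_t *buf, size_t off, uint64_t v, size_t width)
{
    for (size_t i = 0; i < width; i++) buf[off + i] = (uint8_t)(v >> (8 * i));
}

/* Constructed samples: values written at the offsets `dt` prints (not real
 * captures). 0x7e is ERROR_MOD_NOT_FOUND. Return the number of bytes used. */
size_t sample_teb64(uint8_t *buf, size_t len)
{
    if (len < 0x70) return 0;
    memset(buf, 0, 0x70);
    put_le(buf, 0x30, 0x000000d0b5b9e000ULL, 8);  /* NtTib.Self (gs:[0x30]) */
    put_le(buf, 0x40, 0x1234, 8);                 /* ClientId.UniqueProcess */
    put_le(buf, 0x48, 0x5678, 8);                 /* ClientId.UniqueThread */
    put_le(buf, 0x60, 0x000000d0b5b9d000ULL, 8);  /* ProcessEnvironmentBlock */
    put_le(buf, 0x68, 0x7e, 4);                   /* LastErrorValue */
    return 0x70;
}
size_t sample_teb32(uint8_t *buf, size_t len)
{
    if (len < 0x38) return 0;
    memset(buf, 0, 0x38);
    put_le(buf, 0x18, 0x7ffde000, 4);             /* NtTib.Self (fs:[0x18]) */
    put_le(buf, 0x20, 0x1234, 4);                 /* ClientId.UniqueProcess */
    put_le(buf, 0x24, 0x5678, 4);                 /* ClientId.UniqueThread */
    put_le(buf, 0x30, 0x7ffdf000, 4);             /* ProcessEnvironmentBlock */
    put_le(buf, 0x34, 0x7e, 4);                   /* LastErrorValue */
    return 0x38;
}

/* Decode both samples; 1 if every field lands where the debugger says. */
int teb_selftest(void)
{
    uint8_t buf[0x70]; teb_summary s;
    size_t n = sample_teb64(buf, sizeof buf);
    if (teb_decode(buf, n, 1, &s) != 0 || s.pid != 0x1234 || s.tid != 0x5678 ||
        s.peb != 0x000000d0b5b9d000ULL || s.self != 0x000000d0b5b9e000ULL ||
        s.last_error != 0x7e || teb_decode(buf, 0x40, 1, &s) != -1) return 0;
    n = sample_teb32(buf, sizeof buf);
    if (teb_decode(buf, n, 0, &s) != 0 || s.pid != 0x1234 || s.tid != 0x5678 ||
        s.peb != 0x7ffdf000 || s.self != 0x7ffde000 || s.last_error != 0x7e ||
        teb_decode(buf, 0x20, 0, &s) != -1) return 0;
    return 1;
}

int main(void)
{
    uint8_t buf[0x70]; teb_summary s;
    teb_decode(buf, sample_teb64(buf, sizeof buf), 1, &s);
    printf("offsets ok: %d  selftest: %d  TEB64 pid=%llx tid=%llx peb=%llx\n",
           teb_offsets_match(), teb_selftest(),
           (unsigned long long)s.pid, (unsigned long long)s.tid,
           (unsigned long long)s.peb);
    return 0;
}
```

The point of the offsetof() check is that a plain C struct built from fixed-width integers reproduces ntdll's layout on both bitnesses; if you instead declare the fields with `void *` and HANDLE, the same source silently describes TEB32 when compiled as 32-bit and TEB64 when compiled as 64-bit, which is exactly the confusion behind the question. When inspecting a WoW64 process from a 64-bit debugger, remember each thread has both a TEB64 and a TEB32, and only the 32-bit one is what the guest code's fs: segment points at.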
Is there a way to loop over all of a process's thread TEBs without calling the Windows API?
Nope, TEBs are not linked and the PEB doesn't have a list of the TEBs. At the kernel level this is possible (with EPROCESS and ETHREAD structures), but not at the user-mode level. So, not without calling an API (e.g. NtQueryInformationThread).
What is the equivalent of TEB/PEB for Linux systems?
There's no direct 1:1 mapping between TEB/PEB and Linux structures; the closest you could get is, I guess, task_struct and thread_info (which are more akin to EPROCESS / ETHREAD), but the system architectures are different enough that there are no real counterparts in Linux.