PEB analysis is the most popular among all methods of determining the base load address. As you recall, PEB is an auxiliary data structure that, along with other useful information, contains base addresses of all loaded modules.
This popularity is undeserved and cannot be explained. After all, PEB is the internals of the Windows NT-like operating systems, for which neither documentation nor include files are available. Only Microsoft Kernel Debugger detects odds and ends of some information. This lack of documentation makes hackers prick up their ears. Because PEB is undocumented, its structure can change in any future Windows version. This change has taken place multiple times. If this happens again, then the example shown in Listing 11.8 will cease to operate (by the way, it works only under the Windows NT line and doesn't work under Windows 9 x ).
00000000: 33C0 XOR EAX, EAX ; EAX := 0 00000002: B030 MOV AL, 030 ; EAX := 30h 00000004: 648B00 MOV EAX, fs:[EAX] ; PEB base 00000007: 8B400C MOV EAX, [EAX][0000C] ; PEB_LDR_DATA 0000000A: 8B401C MOV EAX, [EAX][0001C] ; First element of ; InInitOrderModuleList 0000000D: AD LODSD ; Next element 0000000E: 8B4008 MOV EAX, [EAX][00008] ; Next address kernel32.dll
So decide if you really need PEB. The only advantage is that it provides extremely compact code.