Yarden Shafir
FYI if you’re willing to link with ntdll or dynamically resolve it there’s a ton of APIs that return TEB/PEB or leave them in one of the registers. (Don’t believe official return values. MSDN is a liar!)
vx-underground
Daax, being the traditional memesteroni he is, shared a cool proof-of-concept which demonstrates how to get a pointer to the Process Environment Block without using the GS and/or FS register. Look at the full thread. It's interesting.
