About Registry FS and GS

Started by RHL, December 13, 2011, 10:07:19 PM

RHL

Hi all :)
I wonder if anyone has information about the FS and GS registers.
I have seen in code comments that FS keeps the record pointers
and sensitive data, and I want to know about it.
Thanks!

redskull

The FS register points to the Thread Information Block (at least on x86 Win32).  The GS register probably does the same (or something related), but I can't recall what.

-r
Strange women, lying in ponds, distributing swords, is no basis for a system of government

donkey

Quote from: redskull on December 14, 2011, 01:57:11 AM
The FS register points to the Thread Information Block (at least on x86 Win32).  The GS register probably does the same (or something related), but I can't recall what.

-r

In x86-64 the GS register points to the TEB (TIB)

Here's an article explaining it

http://www.microsoft.com/msj/archive/s2ce.aspx

In x86-32 the GS register is unused and in x86-64 the FS register is unused.
"Ahhh, what an awful dream. Ones and zeroes everywhere...[shudder] and I thought I saw a two." -- Bender
"It was just a dream, Bender. There's no such thing as two". -- Fry
-- Futurama

Donkey's Stable

jj2007

The TIB is actually a can of worms, documentation-wise - many conflicting definitions on the web, some give wrong offsets, etc.
My little testbed below shows the following:

The TIB is at   2147340288
Process ID is   2024
Thread ID is    2392
TLS start is    0
Last error is   111111111
        tib.pvExcept    1310688
        tib.pvStackUserTop      1310720
        tib.pvStackUserBase     1298432
        tib.pvStackLimit        0
        tib.FiberData   7680
        tib.pvArbitrary 0
        tib.ptibSelf    2147340288
        tib.ptWhatever  0
        tib.processID   2024
        tib.threadID    2392
        tib.pvTLSArray  0
        tib.pvPEB       0
        tib.pvUnknown   2147344384
        tib.pvLastError 111111111
        tib.pv3C        0
        tib.pv40        0


include \masm32\MasmBasic\MasmBasic.inc   ; download
NT_TIBMP STRUCT   ; based on Matt Pietrek's version
pvExcept   dd ?   ; 0
pvStackUserTop   dd ?   ; 4
pvStackUserBase   dd ?   ; 8
pvStackLimit   dd ?   ; C
FiberData   dd ?   ; 10 - SubSystemTib
pvArbitrary   dd ?   ; 14
ptibSelf   dd ?   ; 18
ptWhatever   dd ?   ; 1C
processID   dd ?   ; 20
threadID   dd ?   ; 24
pvTLSArray   dd ?   ; 28
pvPEB   dd ?   ; 2C (the Process Envt Block pointer is the next dword, at 30)
pvUnknown   dd ?   ; 30
pvLastError   dd ?   ; 34
pv3C   dd ?   ; 38
pv40   dd ?   ; 3C

NT_TIBMP ENDS

tib equ <[esi.NT_TIBMP]>
   Init
   assume fs:nothing
   mov esi, fs:[18h]
   Print Str$("The TIB is at\t%i\n", esi)
   Print Str$("Process ID is\t%i\n", rv(GetCurrentProcessId))
   Print Str$("Thread ID is\t%i\n", rv(GetCurrentThreadId))
   Print Str$("TLS start is\t%i\n", rv(TlsGetValue, 0))
   invoke SetLastError, 111111111
   Print Str$("Last error is \t%i\n", rv(GetLastError))
   deb 4, " ", tib.pvExcept
   deb 4, " ", tib.pvStackUserTop
   deb 4, " ", tib.pvStackUserBase
   deb 4, " ", tib.pvStackLimit
   deb 4, " ", tib.FiberData
   deb 4, " ", tib.pvArbitrary
   deb 4, " ", tib.ptibSelf
   deb 4, " ", tib.ptWhatever
   deb 4, " ", tib.processID
   deb 4, " ", tib.threadID
   deb 4, " ", tib.pvTLSArray
   deb 4, " ", tib.pvPEB
   deb 4, " ", tib.pvUnknown
   deb 4, " ", tib.pvLastError
   deb 4, " ", tib.pv3C
   deb 4, " ", tib.pv40
   Inkey "ok"
   Exit
end start
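
An added example, not part of any post in this thread: the sixteen dwords printed by the testbed above, decoded offline with the 32-bit NT layout (field names from winnt.h's NT_TIB and the public ntdll _TEB symbols) and sanity-checked the way one would validate a TEB candidate in a memory dump. The function names and the checks are this example's own choices, and the sample buffer is constructed from the posted output.

```python
import struct

# 32-bit NT TEB head as (offset, name). The first seven fields are NT_TIB.
TEB32_FIELDS = [
    (0x00, "ExceptionList"), (0x04, "StackBase"), (0x08, "StackLimit"),
    (0x0C, "SubSystemTib"), (0x10, "FiberData"), (0x14, "ArbitraryUserPointer"),
    (0x18, "Self"), (0x1C, "EnvironmentPointer"),
    (0x20, "UniqueProcess"), (0x24, "UniqueThread"),
    (0x28, "ActiveRpcHandle"), (0x2C, "ThreadLocalStoragePointer"),
    (0x30, "ProcessEnvironmentBlock"), (0x34, "LastErrorValue"),
]
NO_SEH = 0xFFFFFFFF  # end-of-chain marker when no handler is registered

def parse_teb32(raw):
    """Decode the first 0x38 bytes of a 32-bit TEB into a name -> value dict."""
    if len(raw) < 0x38:
        raise ValueError("need at least 0x38 bytes of TEB")
    return {name: struct.unpack_from("<I", raw, off)[0] for off, name in TEB32_FIELDS}

def check_teb32(teb, address):
    """Return a list of consistency problems; an empty list means plausible."""
    problems = []
    if teb["Self"] != address:
        problems.append("Self does not point back at the TEB")
    if not teb["StackLimit"] < teb["StackBase"]:
        problems.append("StackLimit is not below StackBase")
    elif teb["ExceptionList"] != NO_SEH and not (
            teb["StackLimit"] <= teb["ExceptionList"] < teb["StackBase"]):
        problems.append("SEH chain head lies outside the thread stack")
    if teb["ProcessEnvironmentBlock"] & 0xFFF:  # heuristic: PEB is page aligned
        problems.append("PEB pointer is not page aligned")
    return problems

# Constructed sample: the first 14 dwords of the posted run, in memory order.
TEB_ADDRESS = 2147340288
SAMPLE = struct.pack("<14I", 1310688, 1310720, 1298432, 0, 7680, 0, 2147340288,
                     0, 2024, 2392, 0, 0, 2147344384, 111111111)

def main():
    teb = parse_teb32(SAMPLE)
    for off, name in TEB32_FIELDS:
        print(f"{off:#04x} {name:<26} {teb[name]:#010x}")
    print("problems:", check_teb32(teb, TEB_ADDRESS) or "none")

if __name__ == "__main__":
    main()
```
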

RHL