On x86 Windows, the FS segment register is used to point at the TIB and the other per-thread information stored alongside it.
On Linux, FS and GS also appear to be put to similar use in many cases.
In a Windows process the FS register is laid out as follows. [Source: Wikipedia]
Contents of the TIB
Position | Length | Windows Versions | Description |
---|---|---|---|
FS:[0x00] | 4 | Win9x and NT | Current Structured Exception Handling (SEH) frame |
FS:[0x04] | 4 | Win9x and NT | Top of stack |
FS:[0x08] | 4 | Win9x and NT | Current bottom of stack |
FS:[0x0C] | 4 | | Unknown - TIB Subsystem? |
FS:[0x10] | 4 | NT | Fiber data |
FS:[0x14] | 4 | Win9x and NT | Arbitrary data slot |
FS:[0x18] | 4 | Win9x and NT | Linear address of TIB |
---- End of NT subsystem independent part ---- | |||
FS:[0x1C] | 4 | NT | Environment Pointer |
FS:[0x20] | 4 | NT | Process ID |
FS:[0x24] | 4 | NT | Current thread ID |
FS:[0x28] | 4 | NT | Active RPC Handle |
FS:[0x2C] | 4 | Win9x and NT | Linear address of the thread-local storage array |
FS:[0x30] | 4 | NT | Linear address of Process Environment Block (PEB) |
FS:[0x34] | 4 | NT | Last error number |
FS:[0x38] | 4 | NT | Count of owned critical sections |
FS:[0x3C] | 4 | NT | Address of CSR Client Thread |
FS:[0x40] | 4 | NT | Win32 Thread Information |
FS:[0x44] | 124 | NT, Wine | Win32 client information (NT), user32 private data (Wine), 0x60 = LastError (Win95), 0x74 = LastError (WinME) |
FS:[0xC0] | 4 | NT | Reserved for Wow64. Contains a pointer to FastSysCall in Wow64. |
FS:[0xC4] | 4 | NT | Current Locale |
FS:[0xC8] | 4 | NT | FP Software Status Register |
FS:[0xCC] | 216 | NT, Wine | Reserved for OS (NT), kernel32 private data (Wine) |
FS:[0x124] | 4 | NT | Pointer to KTHREAD (ETHREAD) structure |
FS:[0x1A4] | 4 | NT | Exception code |
FS:[0x1A8] | 18 | NT | Activation context stack |
FS:[0x1BC] | 24 | NT, Wine | Spare bytes (NT), ntdll private data (Wine) |
FS:[0x1D4] | 40 | NT, Wine | Reserved for OS (NT), ntdll private data (Wine) |
FS:[0x1FC] | 1248 | NT, Wine | GDI TEB Batch (OS), vm86 private data (Wine) |
FS:[0x6DC] | 4 | NT | GDI Region |
FS:[0x6E0] | 4 | NT | GDI Pen |
FS:[0x6E4] | 4 | NT | GDI Brush |
FS:[0x6E8] | 4 | NT | Real Process ID |
FS:[0x6EC] | 4 | NT | Real Thread ID |
FS:[0x6F0] | 4 | NT | GDI cached process handle |
FS:[0x6F4] | 4 | NT | GDI client process ID (PID) |
FS:[0x6F8] | 4 | NT | GDI client thread ID (TID) |
FS:[0x6FC] | 4 | NT | GDI thread locale information |
FS:[0x700] | 20 | NT | Reserved for user application |
FS:[0x714] | 1248 | NT | Reserved for GL |
FS:[0xBF4] | 4 | NT | Last Status Value |
FS:[0xBF8] | 532 | NT | Static UNICODE_STRING buffer |
FS:[0xE0C] | 4 | NT | Pointer to deallocation stack |
FS:[0xE10] | 256 | NT | TLS slots, 4 byte per slot |
FS:[0xF10] | 8 | NT | TLS links (LIST_ENTRY structure) |
FS:[0xF18] | 4 | NT | VDM |
FS:[0xF1C] | 4 | NT | Reserved for RPC |
FS:[0xF28] | 4 | NT | Thread error mode (RtlSetThreadErrorMode) |
FS maps to a TIB which is embedded in a data block known as the TDB (thread data base). The TIB contains the thread-specific exception handling chain and a pointer to the TLS (thread local storage). Thread local storage is not the same as C local storage.
Example in C with inline assembly for 32-bit x86, reading the TIB's self pointer at FS:[0x18]:

```c
// gcc (AT&T-style inline assembly).
void *getTIB() {
    void *pTib;
    // Read the linear address of the TIB from FS:[0x18] into a register.
    __asm__("movl %%fs:0x18, %0" : "=r" (pTib) : : );
    return pTib;
}
```

```c
// Microsoft C (Intel-style inline assembly).
void *getTib() {
    void *pTib;
    __asm {
        mov EAX, FS:[0x18]   // linear address of the TIB
        mov [pTib], EAX
    }
    return pTib;
}
```

```c
// Using Microsoft's intrinsics instead of inline assembly.
void *getTib() {
    void *pTib = ( void * ) __readfsdword( 0x18 );
    return pTib;
}
```
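The snippets above read a single field from the live TIB. The following C program is an added example, not code from the original post or from the Wikipedia table: it applies the table's offsets to a TEB image captured at a known linear address, the way a memory-forensics or crash-triage tool would, and then walks the SEH registration chain that FS:[0x00] points to. It checks the self pointer at FS:[0x18] against the address the image was captured at, and rejects any SEH record that lies outside the [stack limit, stack base) range from FS:[0x08]/FS:[0x04] or that would loop, which is the bounds check the 32-bit exception dispatcher performs before calling a handler. The TEB base, stack range, process/thread IDs and handler addresses are constructed sample values, not taken from a real process, and the program runs on any host because it works on raw bytes rather than on the live FS segment.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Offsets of the 32-bit TIB/TEB fields used here, taken from the table above. */
enum {
    TIB_OFF_SEH        = 0x00,  /* head of the SEH registration chain */
    TIB_OFF_STACK_BASE = 0x04,  /* top (highest address) of the stack */
    TIB_OFF_STACK_LIM  = 0x08,  /* current bottom (lowest committed address) */
    TIB_OFF_SELF       = 0x18,  /* linear address of the TIB itself */
    TEB_OFF_PID        = 0x20,
    TEB_OFF_TID        = 0x24,
    TEB_OFF_PEB        = 0x30,
    TEB_OFF_LAST_ERR   = 0x34,
    TEB_MIN_LEN        = 0x38   /* bytes needed to read everything above */
};

typedef struct {
    uint32_t seh_head, stack_base, stack_limit, self;
    uint32_t pid, tid, peb, last_error;
} teb32_t;

/* Little-endian 32-bit read/write on a raw byte image. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Parse a TEB image captured at linear address `base`. Returns 0 on success,
   -1 if the image is too short, -2 if the self pointer at FS:[0x18] does not
   equal `base` (not a TEB, or captured at the wrong address). */
int teb32_parse(const uint8_t *img, size_t len, uint32_t base, teb32_t *out) {
    if (len < TEB_MIN_LEN) return -1;
    out->seh_head    = rd32(img + TIB_OFF_SEH);
    out->stack_base  = rd32(img + TIB_OFF_STACK_BASE);
    out->stack_limit = rd32(img + TIB_OFF_STACK_LIM);
    out->self        = rd32(img + TIB_OFF_SELF);
    out->pid         = rd32(img + TEB_OFF_PID);
    out->tid         = rd32(img + TEB_OFF_TID);
    out->peb         = rd32(img + TEB_OFF_PEB);
    out->last_error  = rd32(img + TEB_OFF_LAST_ERR);
    return out->self == base ? 0 : -2;
}

/* Walk the SEH chain from FS:[0x00] through a stack image covering linear
   addresses [stack_lo, stack_lo + stack_len). Each record is { next, handler };
   0xFFFFFFFF ends the chain. Every record must sit inside [stack_limit,
   stack_base) and the chain must move toward the stack base.
   Returns the number of frames, or -1 on a malformed chain. */
int seh_chain_walk(const teb32_t *teb, const uint8_t *stack, uint32_t stack_lo,
                   size_t stack_len, uint32_t *handlers, int max_frames) {
    uint32_t rec = teb->seh_head;
    int n = 0;
    while (rec != 0xFFFFFFFFu) {
        if (rec < teb->stack_limit || rec + 8 > teb->stack_base) return -1;
        if (rec < stack_lo || rec + 8 > stack_lo + stack_len) return -1;
        if (n >= max_frames) return -1;
        const uint8_t *p = stack + (rec - stack_lo);
        uint32_t next = rd32(p);
        handlers[n++] = rd32(p + 4);
        if (next != 0xFFFFFFFFu && next <= rec) return -1;  /* loop or wrong direction */
        rec = next;
    }
    return n;
}

/* Constructed sample data (not from a real process): a TEB at 0x7FFDF000 whose
   stack spans 0x0019D000..0x001A0000, with two SEH records on that stack. */
#define SAMPLE_TEB_BASE  0x7FFDF000u
#define SAMPLE_STACK_LO  0x0019F000u
#define SAMPLE_STACK_LEN 256u

void build_sample_teb(uint8_t img[TEB_MIN_LEN]) {
    memset(img, 0, TEB_MIN_LEN);
    wr32(img + TIB_OFF_SEH,        0x0019F020u);
    wr32(img + TIB_OFF_STACK_BASE, 0x001A0000u);
    wr32(img + TIB_OFF_STACK_LIM,  0x0019D000u);
    wr32(img + TIB_OFF_SELF,       SAMPLE_TEB_BASE);
    wr32(img + TEB_OFF_PID,        0x1234u);
    wr32(img + TEB_OFF_TID,        0x5678u);
    wr32(img + TEB_OFF_PEB,        0x7FFDE000u);
}

void build_sample_stack(uint8_t stack[SAMPLE_STACK_LEN]) {
    memset(stack, 0, SAMPLE_STACK_LEN);
    wr32(stack + 0x20, 0x0019F080u);  /* record 1: next -> record 2 */
    wr32(stack + 0x24, 0x00401234u);  /* record 1: handler (constructed) */
    wr32(stack + 0x80, 0xFFFFFFFFu);  /* record 2: end of chain */
    wr32(stack + 0x84, 0x77E40000u);  /* record 2: handler (constructed) */
}

int main(void) {
    uint8_t teb_img[TEB_MIN_LEN], stack_img[SAMPLE_STACK_LEN];
    teb32_t teb;
    uint32_t handlers[8];
    build_sample_teb(teb_img);
    build_sample_stack(stack_img);
    if (teb32_parse(teb_img, sizeof teb_img, SAMPLE_TEB_BASE, &teb) != 0) return 1;
    int n = seh_chain_walk(&teb, stack_img, SAMPLE_STACK_LO, SAMPLE_STACK_LEN, handlers, 8);
    printf("TID %#x PEB %#x stack %#x-%#x: %d SEH frame(s)\n",
           teb.tid, teb.peb, teb.stack_limit, teb.stack_base, n);
    for (int i = 0; i < n; i++) printf("  frame %d handler %#x\n", i, handlers[i]);
    return 0;
}
```

The same parser works on a live process: on 32-bit Windows you would fill the image by reading from the address `getTib()` returns, and the self-pointer check then has to succeed for that same address. On a dump, a TEB whose FS:[0x18] disagrees with its own location, or whose SEH chain leaves the stack range, is the first sign that the structure was corrupted or that the dump was misread.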