
FS register in x86 Windows

On x86 Windows, the FS register is used to point at per-thread information such as the TIB.

On Linux, FS and GS also seem to be put to similar use in many cases.

In a Windows process the FS register is laid out as follows. [Source: Wikipedia]

Contents of the TIB

| Position | Length (bytes) | Windows versions | Description |
|----------|----------------|------------------|-------------|
| FS:[0x00] | 4 | Win9x and NT | Current Structured Exception Handling (SEH) frame |
| FS:[0x04] | 4 | Win9x and NT | Top of stack |
| FS:[0x08] | 4 | Win9x and NT | Current bottom of stack |
| FS:[0x0C] | 4 | | Unknown - TIB Subsystem? |
| FS:[0x10] | 4 | NT | Fiber data |
| FS:[0x14] | 4 | Win9x and NT | Arbitrary data slot |
| FS:[0x18] | 4 | Win9x and NT | Linear address of TIB |
| ---- End of NT subsystem independent part ---- | | | |
| FS:[0x1C] | 4 | NT | Environment Pointer |
| FS:[0x20] | 4 | NT | Process ID |
| FS:[0x24] | 4 | NT | Current thread ID |
| FS:[0x28] | 4 | NT | Active RPC Handle |
| FS:[0x2C] | 4 | Win9x and NT | Linear address of the thread-local storage array |
| FS:[0x30] | 4 | NT | Linear address of Process Environment Block (PEB) |
| FS:[0x34] | 4 | NT | Last error number |
| FS:[0x38] | 4 | NT | Count of owned critical sections |
| FS:[0x3C] | 4 | NT | Address of CSR Client Thread |
| FS:[0x40] | 4 | NT | Win32 Thread Information |
| FS:[0x44] | 124 | NT, Wine | Win32 client information (NT), user32 private data (Wine), 0x60 = LastError (Win95), 0x74 = LastError (WinME) |
| FS:[0xC0] | 4 | NT | Reserved for Wow64. Contains a pointer to FastSysCall in Wow64. |
| FS:[0xC4] | 4 | NT | Current Locale |
| FS:[0xC8] | 4 | NT | FP Software Status Register |
| FS:[0xCC] | 216 | NT, Wine | Reserved for OS (NT), kernel32 private data (Wine) |
| FS:[0x124] | 4 | NT | Pointer to KTHREAD (ETHREAD) structure |
| FS:[0x1A4] | 4 | NT | Exception code |
| FS:[0x1A8] | 18 | NT | Activation context stack |
| FS:[0x1BC] | 24 | NT, Wine | Spare bytes (NT), ntdll private data (Wine) |
| FS:[0x1D4] | 40 | NT, Wine | Reserved for OS (NT), ntdll private data (Wine) |
| FS:[0x1FC] | 1248 | NT, Wine | GDI TEB Batch (OS), vm86 private data (Wine) |
| FS:[0x6DC] | 4 | NT | GDI Region |
| FS:[0x6E0] | 4 | NT | GDI Pen |
| FS:[0x6E4] | 4 | NT | GDI Brush |
| FS:[0x6E8] | 4 | NT | Real Process ID |
| FS:[0x6EC] | 4 | NT | Real Thread ID |
| FS:[0x6F0] | 4 | NT | GDI cached process handle |
| FS:[0x6F4] | 4 | NT | GDI client process ID (PID) |
| FS:[0x6F8] | 4 | NT | GDI client thread ID (TID) |
| FS:[0x6FC] | 4 | NT | GDI thread locale information |
| FS:[0x700] | 20 | NT | Reserved for user application |
| FS:[0x714] | 1248 | NT | Reserved for GL |
| FS:[0xBF4] | 4 | NT | Last Status Value |
| FS:[0xBF8] | 532 | NT | Static UNICODE_STRING buffer |
| FS:[0xE0C] | 4 | NT | Pointer to deallocation stack |
| FS:[0xE10] | 256 | NT | TLS slots, 4 bytes per slot |
| FS:[0xF10] | 8 | NT | TLS links (LIST_ENTRY structure) |
| FS:[0xF18] | 4 | NT | VDM |
| FS:[0xF1C] | 4 | NT | Reserved for RPC |
| FS:[0xF28] | 4 | NT | Thread error mode (RtlSetThreadErrorMode) |

FS maps to a TIB, which is embedded in a data block known as the TDB (thread data base). The TIB contains the thread-specific exception handling chain and a pointer to the TLS (thread local storage). Thread local storage is not the same as C local storage.

Example in C inline assembly for 32-bit x86: three equivalent ways to read the TIB self-pointer at FS:[0x18]. The two Microsoft variants are given different names below so they can coexist in one file, and the whole thing is guarded for 32-bit builds, because on x64 Windows the TEB is addressed through GS rather than FS and these reads would return unrelated data.

#if defined(__GNUC__) && defined(__i386__)
// gcc (AT&T-style inline assembly): load the 32-bit self-pointer stored at FS:[0x18].
void *getTIB(void)
{
    void *pTib;
    __asm__("movl %%fs:0x18, %0" : "=r" (pTib));
    return pTib;
}
#elif defined(_MSC_VER) && defined(_M_IX86)
#include <intrin.h>   // __readfsdword
// Microsoft C (Intel-style inline assembly)
void *getTib(void)
{
    void *pTib;
    __asm {
        mov EAX, FS:[0x18]
        mov [pTib], EAX
    }
    return pTib;
}
// Using Microsoft's intrinsic instead of inline assembly
// (renamed from getTib so both variants can be compiled together)
void *getTibIntrinsic(void)
{
    void *pTib = (void *) __readfsdword(0x18);
    return pTib;
}
#endif
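As an added example (not code from the original post or from Wikipedia), the following decoder reads the NT-independent head of a 32-bit TIB out of a raw memory capture using the FS:[...] offsets from the table, then applies the consistency checks a debugger or dump analyser would: the FS:[0x18] self-pointer must equal the address the block was captured from, the stack limits must be ordered, and the SEH chain head must sit on that stack. All function names, the struct, and the sample capture are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* FS:[...] offsets from the table above (32-bit NT layout, 4-byte fields). */
enum {
    TIB_SEH = 0x00, TIB_STACK_BASE = 0x04, TIB_STACK_LIMIT = 0x08, TIB_SELF = 0x18,
    TIB_PID = 0x20, TIB_TID = 0x24, TIB_TLS_ARRAY = 0x2C, TIB_PEB = 0x30,
    TIB_LAST_ERROR = 0x34, TIB_MIN_LEN = 0x38
};

typedef struct {
    uint32_t seh_frame, stack_base, stack_limit, self, pid, tid, tls_array, peb, last_error;
} tib32_t;

static uint32_t rd32(const uint8_t *p, size_t off) {
    uint32_t v; memcpy(&v, p + off, sizeof v); return v;   /* little-endian host assumed */
}
static void wr32(uint8_t *p, size_t off, uint32_t v) { memcpy(p + off, &v, sizeof v); }

/* Decode the first 0x38 bytes of a TIB capture; false if the capture is too short. */
bool tib32_parse(const uint8_t *buf, size_t len, tib32_t *out) {
    if (buf == NULL || out == NULL || len < TIB_MIN_LEN) return false;
    out->seh_frame   = rd32(buf, TIB_SEH);
    out->stack_base  = rd32(buf, TIB_STACK_BASE);
    out->stack_limit = rd32(buf, TIB_STACK_LIMIT);
    out->self        = rd32(buf, TIB_SELF);
    out->pid         = rd32(buf, TIB_PID);
    out->tid         = rd32(buf, TIB_TID);
    out->tls_array   = rd32(buf, TIB_TLS_ARRAY);
    out->peb         = rd32(buf, TIB_PEB);
    out->last_error  = rd32(buf, TIB_LAST_ERROR);
    return true;
}

/* Checks a debugger or dump analyser applies: FS:[0x18] must equal the address the
 * block was captured from (the self-pointer getTIB() above relies on), the stack
 * grows down from base to limit, and the head SEH record must lie on that stack. */
bool tib32_is_consistent(const tib32_t *t, uint32_t capture_va) {
    return t->self == capture_va && t->stack_limit < t->stack_base
        && t->seh_frame >= t->stack_limit && t->seh_frame < t->stack_base
        && t->pid != 0 && t->tid != 0 && t->peb != 0;
}

/* Constructed sample capture (values resemble a 32-bit XP-era main thread; they are
 * not from a real process). buf must hold at least TIB_MIN_LEN bytes. */
void tib32_build_sample(uint8_t *buf, uint32_t capture_va) {
    memset(buf, 0, TIB_MIN_LEN);
    wr32(buf, TIB_SEH, 0x0012FFE0);         wr32(buf, TIB_STACK_BASE, 0x00130000);
    wr32(buf, TIB_STACK_LIMIT, 0x0012C000); wr32(buf, TIB_SELF, capture_va);
    wr32(buf, TIB_PID, 0x83C);              wr32(buf, TIB_TID, 0x840);
    wr32(buf, TIB_PEB, 0x7FFDF000);         wr32(buf, TIB_LAST_ERROR, 2);
}
```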