Sunday, January 30, 2011

Thread Information Block (TIB) and FS Register

Tip - The TIB is a structure that stores information about the currently running thread. The header 'winnt.h' contains a structure called NT_TIB, which defines the TIB.

Details - The structure is:

typedef struct _NT_TIB
{
    struct _EXCEPTION_REGISTRATION_RECORD *ExceptionList;
    PVOID StackBase;
    PVOID StackLimit;
    PVOID SubSystemTib;
    union
    {
        PVOID FiberData;
        DWORD Version;
    };
    PVOID ArbitraryUserPointer;
    struct _NT_TIB *Self;
} NT_TIB;

The TIB is accessed at offsets from the FS segment register. FS is the data selector to the TIB for the first thread. FS maps to a TIB which is embedded in a data block known as the TDB (thread database). The TIB contains the thread-specific exception handling chain and a pointer to the TLS (thread local storage).

Functions such as GetCurrentProcessId(), GetCurrentThreadId() and GetLastError() fetch their values from the TIB. For example, the code inside the function GetCurrentProcessId() may look like this:

// 32-bit x86 only; uses MSVC inline assembly syntax.
DWORD GetCurrentProcessId()
{
    DWORD dwProcessID = 0;
    __asm
    {
        mov eax, fs:[0x20]      // process ID field of the TIB (NT)
        mov dwProcessID, eax
    }
    return dwProcessID;
}

Contents of the TIB (please check the reference link for the complete details):

| Position  | Length | Windows Versions | Description                                       |
|-----------|--------|------------------|---------------------------------------------------|
| FS:[0x00] | 4      | Win9x and NT     | Current Structured Exception Handling (SEH) frame |
| FS:[0x04] | 4      | Win9x and NT     | Top of stack                                      |
| FS:[0x08] | 4      | Win9x and NT     | Current bottom of stack                           |
| FS:[0x10] | 4      | NT               | Fiber data                                        |
| FS:[0x14] | 4      | Win9x and NT     | Arbitrary data slot                               |
| FS:[0x18] | 4      | Win9x and NT     | Linear address of TIB                             |
| -         | -      | NT               | End of NT subsystem independent part              |
| FS:[0x20] | 4      | NT               | Process ID                                        |
| FS:[0x24] | 4      | NT               | Current thread ID                                 |
| FS:[0x2C] | 4      | Win9x and NT     | Linear address of the thread-local storage array  |
| FS:[0x30] | 4      | NT               | Linear address of Process Environment Block (PEB) |
| FS:[0x34] | 4      | NT               | Last error number                                 |
| FS:[0x38] | 4      | NT               | Last status number                                |
| FS:[0x3C] | 4      | NT               | Count owned locks                                 |
| FS:[0x40] | 4      | NT               | Hard errors mode                                  |
| FS:[0x60] | 4      | Win95/Win98      | Last error number                                 |
| FS:[0x74] | 4      | WinME            | Last error number                                 |
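The same offsets are what a memory-analysis tool uses when it only has raw bytes of a 32-bit process. The following C program is an added example, not part of the original post: it parses a raw TIB snapshot using the offsets from the table and applies three sanity checks (Self pointer, stack bounds, SEH head). The names tib32_parse and make_sample and every sample address and ID are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte offsets into the 32-bit TIB, taken from the table on this page. */
enum { OFF_SEH = 0x00, OFF_STACK_BASE = 0x04, OFF_STACK_LIMIT = 0x08, OFF_SELF = 0x18,
       OFF_PID = 0x20, OFF_TID = 0x24, OFF_PEB = 0x30, TIB32_MIN_LEN = 0x34 };

struct tib32 { uint32_t seh, stack_base, stack_limit, self, pid, tid, peb; };

/* x86 is little-endian; byte-wise access keeps the parser host-independent. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Parse `len` bytes that were read from address `base`. Returns 0 if plausible, -1 short
   buffer, -2 Self pointer != base, -3 inverted stack bounds, -4 SEH head outside the stack. */
int tib32_parse(const uint8_t *buf, size_t len, uint32_t base, struct tib32 *out) {
    if (len < TIB32_MIN_LEN) return -1;
    out->seh = rd32(buf + OFF_SEH);                 out->self = rd32(buf + OFF_SELF);
    out->stack_base = rd32(buf + OFF_STACK_BASE);   out->stack_limit = rd32(buf + OFF_STACK_LIMIT);
    out->pid = rd32(buf + OFF_PID);                 out->tid = rd32(buf + OFF_TID);
    out->peb = rd32(buf + OFF_PEB);
    if (out->self != base) return -2;                    /* FS:[0x18] must point at the TIB itself */
    if (out->stack_limit >= out->stack_base) return -3;  /* the stack grows downwards */
    /* 0xFFFFFFFF ends the SEH chain; any other head record must lie on this thread's stack. */
    if (out->seh != 0xFFFFFFFFu && (out->seh < out->stack_limit || out->seh >= out->stack_base))
        return -4;
    return 0;
}

/* Constructed sample snapshot: every address and ID below is made up. */
void make_sample(uint8_t buf[0x40]) {
    memset(buf, 0, 0x40);
    wr32(buf + OFF_SEH, 0x0012FF70u);         wr32(buf + OFF_SELF, 0x7FFDE000u);
    wr32(buf + OFF_STACK_BASE, 0x00130000u);  wr32(buf + OFF_STACK_LIMIT, 0x0012D000u);
    wr32(buf + OFF_PID, 1234u);               wr32(buf + OFF_TID, 5678u);
    wr32(buf + OFF_PEB, 0x7FFDF000u);
}

int main(void) {
    uint8_t buf[0x40]; struct tib32 t;
    make_sample(buf);
    int rc = tib32_parse(buf, sizeof buf, 0x7FFDE000u, &t);
    printf("rc=%d pid=%u tid=%u peb=0x%08X\n", rc, (unsigned)t.pid, (unsigned)t.tid, (unsigned)t.peb);
    return rc;
}
```

A non-zero return flags a buffer that is either not a TIB or has been tampered with, for example an exception chain head that no longer points into the thread's stack.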


Reference   -

Posted by: Jijo Krishnan
