Win32 Thread Information Block

战神伽罗

发布于 2019-07-24 17:34:26

1.2K0

发布于 2019-07-24 17:34:26

In computing, the Win32 Thread Information Block (TIB) is a data structure in Win32 on x86 that stores information about the currently running thread. This structure is also known as the Thread Environment Block (TEB).[1]

The TIB is officially undocumented for Windows 9x. The Windows NT series DDK includes a struct NT_TIB in winnt.h that documents the subsystem independent part. Wine includes declarations for the extended (subsystem-specific part of) TIB.[citation needed] Yet so many Win32 programs use these undocumented fields that they are effectively a part of the API. The first field, in particular, is directly referenced by the code produced by Microsoft's own compiler.[1]

The TIB can be used to get a lot of information on the process without calling Win32 API. Examples include emulating GetLastError(), GetVersion(). Through the pointer to the PEB one can obtain access to the import tables (IAT), process startup arguments, image name, etc. It is accessed from the FS segment register when operating on 32 bits, and from GS in 64 bits.

Contents of the TIB on Windows

Bytes/ Type	offset (32 bits, FS)	offset (64 bits, GS)	Windows Versions	Description
pointer	FS:[0x00]	GS:[0x00]	Win9x and NT	Current Structured Exception Handling (SEH) frame
pointer	FS:[0x04]	GS:[0x08]	Win9x and NT	Stack Base / Bottom of stack (high address)
pointer	FS:[0x08]	GS:[0x10]	Win9x and NT	Stack Limit / Ceiling of stack (low address)
pointer	FS:[0x0C]	GS:[0x18]	NT	SubSystemTib
pointer	FS:[0x10]	GS:[0x20]	NT	Fiber data
pointer	FS:[0x14]	GS:[0x28]	Win9x and NT	Arbitrary data slot
pointer	FS:[0x18]	GS:[0x30]	Win9x and NT	Linear address of TEB
---- End of NT subsystem independent part ----
pointer	FS:[0x1C]	GS:[0x38]	NT	Environment Pointer
pointer	FS:[0x20]	GS:[0x40]	NT	Process ID (in some windows distributions this field is used as 'DebugContext')
4	FS:[0x24]	GS:[0x48]	NT	Current thread ID
4	FS:[0x28]		NT	Active RPC Handle
4	FS:[0x2C]		Win9x and NT	Linear address of the thread-local storage array
4	FS:[0x30]	GS:[0x60]	NT	Linear address of Process Environment Block (PEB)
4	FS:[0x34]	GS:[0x68]	NT	Last error number
4	FS:[0x38]		NT	Count of owned critical sections
4	FS:[0x3C]		NT	Address of CSR Client Thread
4	FS:[0x40]		NT	Win32 Thread Information
124	FS:[0x44]		NT, Wine	Win32 client information (NT), user32 private data (Wine), 0x60 = LastError (Win95), 0x74 = LastError (WinME)
4	FS:[0xC0]		NT	Reserved for Wow64. Contains a pointer to FastSysCall in Wow64.
4	FS:[0xC4]		NT	Current Locale
4	FS:[0xC8]		NT	FP Software Status Register
216	FS:[0xCC]		NT, Wine	Reserved for OS (NT), kernel32 private data (Wine) herein: FS:[0x124] 4 NT Pointer to KTHREAD (ETHREAD) structure
4	FS:[0x1A4]		NT	Exception code
18	FS:[0x1A8]		NT	Activation context stack
24	FS:[0x1BC]		NT, Wine	Spare bytes (NT), ntdll private data (Wine)
40	FS:[0x1D4]		NT, Wine	Reserved for OS (NT), ntdll private data (Wine)
1248	FS:[0x1FC]		NT, Wine	GDI TEB Batch (OS), vm86 private data (Wine)
4	FS:[0x6DC]		NT	GDI Region
4	FS:[0x6E0]		NT	GDI Pen
4	FS:[0x6E4]		NT	GDI Brush
4	FS:[0x6E8]		NT	Real Process ID
4	FS:[0x6EC]		NT	Real Thread ID
4	FS:[0x6F0]		NT	GDI cached process handle
4	FS:[0x6F4]		NT	GDI client process ID (PID)
4	FS:[0x6F8]		NT	GDI client thread ID (TID)
4	FS:[0x6FC]		NT	GDI thread locale information
20	FS:[0x700]		NT	Reserved for user application
1248	FS:[0x714]		NT	Reserved for GL
4	FS:[0xBF4]	GS:[0x1250]	NT	Last Status Value
532	FS:[0xBF8]	GS:[0x1258]	NT	Static UNICODE_STRING buffer
pointer	FS:[0xE0C]	GS:[0x1478]	NT	Address of memory allocated for stack
pointer[]	FS:[0xE10]	GS:[0x1480]	NT	TLS slots, 4/8 bytes per slot, 64 slots
8	FS:[0xF10]	GS:[0x1680]	NT	TLS links (LIST_ENTRY structure)
4	FS:[0xF18]		NT	VDM
4	FS:[0xF1C]		NT	Reserved for RPC
4	FS:[0xF28]		NT	Thread error mode (RtlSetThreadErrorMode)

FS maps to a TIB which is embedded in a data block known as the TDB (thread data base). The TIB contains the thread-specific exception handling chain and pointer to the TLS (thread local storage.) The thread local storage is not the same as C local storage.

Note: The above description ONLY refers to 32-bit Windows on x86. On x86-64 (64-bit) Windows, GS (and not FS) is used as the segment register that points to the TIB. Additionally some of the variable slots in the structure above have a different size (typically 8 instead of 4 bytes for pointer-sized data slots).

Accessing the TIB

The TIB of the current thread can be accessed as an offset of segment register FS (x86) or GS (x64).

It is not common to access the TIB fields by an offset from FS:[0], but rather first getting a linear self-referencing pointer to it stored at FS:[0x18]. That pointer can be used with pointer arithmetics or be cast to a struct pointer.

Example in C inlined-assembly for 32-bit x86:

// gcc (AT&T-style inline assembly).
void *getTIB() {
    void *pTIB;
    __asm__("movl %%fs:0x18, %0" : "=r" (pTIB) : : );
    return pTIB;
}

// Microsoft C
__declspec(naked)
void *getTIB() {
    __asm mov EAX, FS:[18h]
}

// Using Microsoft's intrinsics instead of inline assembly (works for both X86 and X64 architectures)
void *getTIB() {
#ifdef _M_IX86
    return (void *)__readfsdword(0x18);
#elif _M_AMD64
    return (void *)__readgsqword(0x30);
#endif
}