经常在r3 下调试经常会看到
mov eax,fs:[18h] ;获取TEP 其实就只指向自己fs:[0]
mov eax,[eax+30h] ;获取PEB
这样的语句。
fs段在用户模式(R3)和系统模式(R0)分别指向两个最重要的系统结
构:
Ring3:
fs --> TEB (Thread Environment Block)结
构表 --> 7FFDE000即“线程环境块”。
Ring0:
fs --> KPCR (Kernel Processor Control Region)
结构表 --> FFFDF000 即“内核处理器控制域”。
通常在其r3 下fs被用于获取kernel32.dll的基地址 或者其他有关于程序线程和进程的信息。
以下是一些参考资料
FS:[0x00] Win9x and NT Current SEH frame
FS:[0x04] Win9x and NT Top of stack
FS:[0x08] Win9x and NT Current bottom of stack
FS:[0x10] NT Fiber data
FS:[0x14] Win9x and NT Arbitrary data slot
FS:[0x18] Win9x and NT Linear address of TIB(TEB--- 也叫做线程信息块 TIB)
FS:[0x20] NT Process ID
FS:[0x24] NT Current thread ID
FS:[0x2C] Win9x and NT Linear address of the thread local storage array
FS:[0x30] Pointer to PEB
FS:[0x34] NT Current error number
FS:[0x38] CountOfOwnedCriticalSections
FS:[0x3c] CsrClientThread
FS:[0x40] Win32ThreadInfo
FS:[0x44] Win32ClientInfo[0x1f]
FS:[0xc0] WOW32Reserved
FS:[0xc4] CurrentLocale
FS:[0xc8] FpSoftwareStatusRegister
FS:[0xcc] SystemReserved1[0x36]
FS:[0x1a4] Spare1
FS:[0x1a8] ExceptionCode
FS:[0x1ac] SpareBytes1[0x28]
FS:[0x1d4] SystemReserved2[0xA]
FS:[0x1fc] GDI_TEB_BATCH
FS:[0x6dc] gdiRgn
FS:[0x6e0] gdiPen
FS:[0x6e4] gdiBrush
FS:[0x6e8] CLIENT_ID
FS:[0x6f0] GdiCachedProcessHandle
FS:[0x6f4] GdiClientPID
FS:[0x6f8] GdiClientTID
FS:[0x6fc] GdiThreadLocaleInfo
FS:[0x700] UserReserved[5]
FS:[0x714] glDispatchTable[0x118]
FS:[0xb74] glReserved1[0x1A]
FS:[0xbdc] glReserved2
FS:[0xbe0] glSectionInfo
FS:[0xbe4] glSection
FS:[0xbe8] glTable
FS:[0xbec] glCurrentRC
FS:[0xbf0] glContext
FS:[0xbf4] NTSTATUS
FS:[0xbf8] StaticUnicodeString
FS:[0xc00] StaticUnicodeBuffer[0x105]
FS:[0xe0c] DeallocationStack
FS:[0xe10] TlsSlots[0x40]
FS:[0xf10] TlsLinks
FS:[0xf18] Vdm
FS:[0xf1c] ReservedForNtRpc
FS:[0xf20] DbgSsReserved[0x2]
FS:[0xf28] HardErrorDisabled
FS:[0xf2c] Instrumentation[0x10]
FS:[0xf6c] WinSockData
FS:[0xf70] GdiBatchCount
FS:[0xf74] Spare2
FS:[0xf78] Spare3
FS:[0xf7c] Spare4
FS:[0xf80] ReservedForOle
FS:[0xf84] WaitingOnLoaderLock
FS:[0xf88] StackCommit
FS:[0xf8c] StackCommitMax
FS:[0xf90] StackReserve