PEB
32bit >>> dword ptr fs:[0x30]
64bit >>> qword ptr gs:[0x60]
※ 32bit 기준 구조체
/*
 * Process Environment Block (PEB), 32-bit reference layout as published by
 * undocumented.ntinternals.net (see the source list at the bottom of the page).
 * The offsets noted below are computed from this declaration assuming the usual
 * Win32 type sizes (BOOLEAN 1, ULONG/PVOID/HANDLE 4, LARGE_INTEGER 8); the 64-bit
 * PEB has a different layout and is not described by this struct.
 * Fields named Spare*/Reserved* and the exact set of fields past the version
 * block are version-dependent; confirm against the target OS before relying on them.
 */
typedef struct _PEB {
BOOLEAN InheritedAddressSpace;                   /* 0x00 */
BOOLEAN ReadImageFileExecOptions;                /* 0x01 */
BOOLEAN BeingDebugged;                           /* 0x02: set while a user-mode debugger is attached; IsDebuggerPresent() returns this byte */
BOOLEAN Spare;                                   /* 0x03 */
HANDLE Mutant;                                   /* 0x04 */
PVOID ImageBaseAddress;                          /* 0x08: base of the main executable image */
PPEB_LDR_DATA LoaderData;                        /* 0x0C: loader data (module lists) */
PRTL_USER_PROCESS_PARAMETERS ProcessParameters;  /* 0x10: command line, environment, etc. */
PVOID SubSystemData;                             /* 0x14 */
PVOID ProcessHeap;                               /* 0x18: default process heap */
PVOID FastPebLock;                               /* 0x1C */
PPEBLOCKROUTINE FastPebLockRoutine;              /* 0x20 */
PPEBLOCKROUTINE FastPebUnlockRoutine;            /* 0x24 */
ULONG EnvironmentUpdateCount;                    /* 0x28 */
PPVOID KernelCallbackTable;                      /* 0x2C */
PVOID EventLogSection;                           /* 0x30 */
PVOID EventLog;                                  /* 0x34 */
PPEB_FREE_BLOCK FreeList;                        /* 0x38 */
ULONG TlsExpansionCounter;                       /* 0x3C */
PVOID TlsBitmap;                                 /* 0x40 */
ULONG TlsBitmapBits[0x2];                        /* 0x44 (8 bytes) */
PVOID ReadOnlySharedMemoryBase;                  /* 0x4C */
PVOID ReadOnlySharedMemoryHeap;                  /* 0x50 */
PPVOID ReadOnlyStaticServerData;                 /* 0x54 */
PVOID AnsiCodePageData;                          /* 0x58 */
PVOID OemCodePageData;                           /* 0x5C */
PVOID UnicodeCaseTableData;                      /* 0x60 */
ULONG NumberOfProcessors;                        /* 0x64 */
ULONG NtGlobalFlag;                              /* 0x68: global (FLG_*) flags for the process */
BYTE Spare2[0x4];                                /* 0x6C: padding so the next field is 8-byte aligned */
LARGE_INTEGER CriticalSectionTimeout;            /* 0x70 */
ULONG HeapSegmentReserve;                        /* 0x78 */
ULONG HeapSegmentCommit;                         /* 0x7C */
ULONG HeapDeCommitTotalFreeThreshold;            /* 0x80 */
ULONG HeapDeCommitFreeBlockThreshold;            /* 0x84 */
ULONG NumberOfHeaps;                             /* 0x88 */
ULONG MaximumNumberOfHeaps;                      /* 0x8C */
PPVOID *ProcessHeaps;                            /* 0x90: array of heap handles, NumberOfHeaps entries */
PVOID GdiSharedHandleTable;                      /* 0x94 */
PVOID ProcessStarterHelper;                      /* 0x98 */
PVOID GdiDCAttributeList;                        /* 0x9C */
PVOID LoaderLock;                                /* 0xA0 */
ULONG OSMajorVersion;                            /* 0xA4: per-process view of the OS version; presumably what version lookups read -- confirm */
ULONG OSMinorVersion;                            /* 0xA8 */
ULONG OSBuildNumber;                             /* 0xAC */
ULONG OSPlatformId;                              /* 0xB0 */
ULONG ImageSubSystem;                            /* 0xB4 */
ULONG ImageSubSystemMajorVersion;                /* 0xB8 */
ULONG ImageSubSystemMinorVersion;                /* 0xBC */
ULONG GdiHandleBuffer[0x22];                     /* 0xC0 (0x88 bytes) */
ULONG PostProcessInitRoutine;                    /* 0x148: declared ULONG here; pointer-sized on 32-bit anyway */
ULONG TlsExpansionBitmap;                        /* 0x14C: declared ULONG here; pointer-sized on 32-bit anyway */
BYTE TlsExpansionBitmapBits[0x80];               /* 0x150 (0x80 bytes) */
ULONG SessionId;                                 /* 0x1D0; struct ends at 0x1D4 */
} PEB, *PPEB;
TEB
32bit >>> dword ptr fs:[0x18]
64bit >>> qword ptr gs:[0x30]
※ 32bit 기준 구조체
/*
 * Thread Environment Block (TEB), 32-bit reference layout as published by
 * undocumented.ntinternals.net. Offsets below are computed from this declaration
 * assuming the usual Win32 type sizes (ULONG/PVOID/HANDLE 4, NT_TIB 0x1C, CLIENT_ID 8).
 * Through FpSoftwareStatusRegister (0xC8) these agree with the FS:[..] column of
 * the table that follows. From Spare1 (0x1A4) onward the two disagree: the table
 * places ExceptionCode at FS:[0x1A4] and GdiRgn at FS:[0x6DC], while the sizes
 * declared here put GdiRgn at 0x274. Treat everything past 0x1A4 as a
 * version-dependent snapshot and verify against the target OS.
 */
typedef struct _TEB {
NT_TIB Tib;                                      /* 0x00: SEH chain, stack base/limit, fiber data, arbitrary slot, Self (0x18) */
PVOID EnvironmentPointer;                        /* 0x1C */
CLIENT_ID Cid;                                   /* 0x20: process id (0x20), thread id (0x24) */
PVOID ActiveRpcInfo;                             /* 0x28 */
PVOID ThreadLocalStoragePointer;                 /* 0x2C: address of the TLS array */
PPEB Peb;                                        /* 0x30: address of the PEB */
ULONG LastErrorValue;                            /* 0x34: value returned by GetLastError() */
ULONG CountOfOwnedCriticalSections;              /* 0x38 */
PVOID CsrClientThread;                           /* 0x3C */
PVOID Win32ThreadInfo;                           /* 0x40 */
ULONG Win32ClientInfo[0x1F];                     /* 0x44 (124 bytes) */
PVOID WOW32Reserved;                             /* 0xC0 */
ULONG CurrentLocale;                             /* 0xC4 */
ULONG FpSoftwareStatusRegister;                  /* 0xC8 */
PVOID SystemReserved1[0x36];                     /* 0xCC (216 bytes) */
PVOID Spare1;                                    /* 0x1A4: the table below has ExceptionCode here -- layout diverges from this point */
ULONG ExceptionCode;                             /* 0x1A8 */
ULONG SpareBytes1[0x28];                         /* 0x1AC (160 bytes) */
PVOID SystemReserved2[0xA];                      /* 0x24C (40 bytes) */
ULONG GdiRgn;                                    /* 0x274 by this declaration; FS:[0x6DC] in the table below */
ULONG GdiPen;
ULONG GdiBrush;
CLIENT_ID RealClientId;
PVOID GdiCachedProcessHandle;
ULONG GdiClientPID;
ULONG GdiClientTID;
PVOID GdiThreadLocaleInfo;
PVOID UserReserved[5];
PVOID GlDispatchTable[0x118];                    /* OpenGL dispatch area */
ULONG GlReserved1[0x1A];
PVOID GlReserved2;
PVOID GlSectionInfo;
PVOID GlSection;
PVOID GlTable;
PVOID GlCurrentRC;
PVOID GlContext;
NTSTATUS LastStatusValue;                        /* last NTSTATUS recorded for the thread */
UNICODE_STRING StaticUnicodeString;              /* header for the buffer that follows */
WCHAR StaticUnicodeBuffer[0x105];
PVOID DeallocationStack;                         /* real start of the stack allocation, below StackLimit (guard pages) */
PVOID TlsSlots[0x40];                            /* 64 TLS slots */
LIST_ENTRY TlsLinks;
PVOID Vdm;
PVOID ReservedForNtRpc;
PVOID DbgSsReserved[0x2];
ULONG HardErrorDisabled;
PVOID Instrumentation[0x10];
PVOID WinSockData;
ULONG GdiBatchCount;
ULONG Spare2;
ULONG Spare3;
ULONG Spare4;
PVOID ReservedForOle;
ULONG WaitingOnLoaderLock;
PVOID StackCommit;
PVOID StackCommitMax;
PVOID StackReserved;
} TEB, *PTEB;
Contents of the TIB on Windows
Bytes/ Type |
offset (32-bit, FS) | offset (64-bit, GS) | Windows Versions | Description |
pointer | FS:[0x00] | GS:[0x00] | Win9x and NT | Current Structured Exception Handling (SEH) frame. Note: the 64-bit version of Windows uses stack unwinding done in kernel mode instead. |
pointer | FS:[0x04] | GS:[0x08] | Win9x and NT | StackBase / Bottom of stack (high address) |
pointer | FS:[0x08] | GS:[0x10] | Win9x and NT | Stack Limit / Ceiling of stack (low address) |
pointer | FS:[0x0C] | GS:[0x18] | NT | SubSystemTib |
pointer | FS:[0x10] | GS:[0x20] | NT | Fiber data |
pointer | FS:[0x14] | GS:[0x28] | Win9x and NT | Arbitrary data slot |
pointer | FS:[0x18] | GS:[0x30] | Win9x and NT | Linear address of TEB |
End of NT subsystem-independent part; below are Win32-dependent | ||||
pointer | FS:[0x1C] | GS:[0x38] | NT | Environment Pointer |
pointer | FS:[0x20] | GS:[0x40] | NT | Process ID (in some Windows distributions this field is used as 'DebugContext') |
pointer | FS:[0x24] | GS:[0x48] | NT | Current thread ID |
pointer | FS:[0x28] | GS:[0x50] | NT | Active RPC Handle |
pointer | FS:[0x2C] | GS:[0x58] | Win9x and NT | Linear address of the thread-local storage array |
pointer | FS:[0x30] | GS:[0x60] | NT | Linear address of Process Environment Block(PEB) |
4 | FS:[0x34] | GS:[0x68] | NT | Last error number |
4 | FS:[0x38] | GS:[0x6C] | NT | Count of owned critical sections |
pointer | FS:[0x3C] | GS:[0x70] | NT | Address of CSR Client Thread |
pointer | FS:[0x40] | GS:[0x78] | NT | Win32 Thread Information |
124 | FS:[0x44] | GS:[0x80] | NT, Wine | Win32 client information (NT), user32 private data (Wine), 0x60 = LastError (Win95&98), 0x74 = LastError (WinME) |
pointer | FS:[0xC0] | GS:[0x100] | NT | Reserved for Wow64. Contains a pointer to FastSysCall in Wow64. |
4 | FS:[0xC4] | GS:[0x108] | NT | Current Locale |
4 | FS:[0xC8] | GS:[0x10C] | NT | FP Software Status Register |
216 | FS:[0xCC] | GS:[0x110] | NT, Wine | Reserved for OS (NT), kernel32 private data (Wine). Herein: FS:[0x124] (4 bytes, NT) is a pointer to the KTHREAD (ETHREAD) structure |
4 | FS:[0x1A4] | GS:[0x2C0] | NT | Exception code |
18 | FS:[0x1A8] | GS:[0x2C8] | NT | Activation context stack |
24 | FS:[0x1BC] | GS:[0x2E8] | NT, Wine | Spare bytes (NT), ntdll private data (Wine) |
40 | FS:[0x1D4] | GS:[0x300] | NT, Wine | Reserved for OS (NT), ntdll private data (Wine) |
1248 | FS:[0x1FC] | GS:[0x350] | NT, Wine | GDI TEB Batch (OS), vm86 private data (Wine) |
4 | FS:[0x6DC] | GS:[0x838] | NT | GDI Region |
4 | FS:[0x6E0] | GS:[0x840] | NT | GDI Pen |
4 | FS:[0x6E4] | GS:[0x848] | NT | GDI Brush |
4 | FS:[0x6E8] | GS:[0x850] | NT | Real Process ID |
4 | FS:[0x6EC] | GS:[0x858] | NT | Real Thread ID |
4 | FS:[0x6F0] | GS:[0x860] | NT | GDI cached process handle |
4 | FS:[0x6F4] | GS:[0x868] | NT | GDI client process ID (PID) |
4 | FS:[0x6F8] | GS:[0x86C] | NT | GDI client thread ID (TID) |
4 | FS:[0x6FC] | GS:[0x870] | NT | GDI thread locale information |
20 | FS:[0x700] | GS:[0x878] | NT | Reserved for user application |
1248 | FS:[0x714] | GS:[0x890] | NT | Reserved for GL (See wine ref for internals) |
4 | FS:[0xBF4] | GS:[0x1250] | NT | Last Status Value |
532 | FS:[0xBF8] | GS:[0x1258] | NT | Static UNICODE_STRING buffer |
pointer | FS:[0xE0C] | GS:[0x1478] | NT | Also known as DeallocationStack, it establishes the real start address of the stack buffer, hence the real stack limit: it is a few pages less than the stack limit field (which hides the guard pages used to detect stack overflows). |
pointer[] | FS:[0xE10] | GS:[0x1480] | NT | TLS slots, 4/8 bytes per slot, 64 slots |
8 | FS:[0xF10] | GS:[0x1680] | NT | TLS links (LIST_ENTRY structure) |
4 | FS:[0xF18] | GS:[0x1690] | NT | VDM |
4 | FS:[0xF1C] | GS:[0x1698] | NT | Reserved for RPC |
4 | FS:[0xF28] | GS:[0x16B0] | NT | Thread error mode (RtlSetThreadErrorMode) |
4 | FS:[0xF78] | GS:[0x1748] | NT | Guaranteed stack bytes |
This is not the full table; see the Wine reference for all fields up to FS:[0xfb4] / GS:[0x17c8]. Newer Windows versions extend the size of the TIB further, up to 0x1000/0x1838 in Windows 10. Some of the appended fields are later removed, leading to conflicting definitions. |
출처
http://undocumented.ntinternals.net/
https://en.wikipedia.org/wiki/Win32_Thread_Information_Block