Win32 TIB
Introduction to Win32 TIB (Thread Information Block)
Introduction
Win32 TIB (Thread Information Block) is a data struct in wins32 on x86 that stores info about the currently running thread.
If you have a Process Explorer type application, you can use TIB instead of using APIs to get the thread and process information.
The TIB can be used to get a lot of information on the process without calling win32 API. Examples include emulating GetLastError(), GetVersion(). Through the pointer to the PEB one can obtain access to the import tables (IAT), process startup arguments, image name, etc.
How to access TIB
The TIB can be accessed as an offset of segment register FS.FS is the data selector to TIB for the first thread.
FS maps to a TIB which is embedded in a data block known as the TDB (thread data base). The TIB contains the thread-specific exception handling chain and pointer to the TLS (thread local storage.) The thread local storage is not the same as C local storage.
Contents of TIB :
|
Position |
Windows
Ver. |
Description |
|
FS:[0x00] |
Win9x and NT |
Current Structured Exception
Handling (SEH) frame |
|
FS:[0x04] |
Win9x and NT |
|
|
FS:[0x08] |
Win9x and NT |
Current bottom of stack |
|
FS:[0x10] |
NT |
Fiber data |
|
FS:[0x14] |
Win9x and NT |
Arbitrary data slot |
|
FS:[0x18] |
Win9x and NT |
Linear address of TIB |
|
FS:[0x1C] |
NT |
Environment Pointer |
|
FS:[0x20] |
NT |
Process ID |
|
FS:[0x24] |
NT |
Current thread ID |
|
FS:[0x28] |
NT |
Active RPC Handle |
|
FS:[0x2C] |
Win9x and NT |
Linear address of the thread-local storage array |
|
FS:[0x30] |
NT |
Linear address of Process
Environment Block (PEB) |
|
FS:[0x34] |
NT |
Last error number |
|
FS:[0x38] |
NT |
Count of owned critical sections |
|
FS:[0x3C] |
NT |
Address of CSR Client Thread |
|
FS:[0x40] |
NT |
Win32 Thread Information |
|
FS:[0x44] |
NT |
Win32 client information (NT), user32
private data , 0x60 = LastError (Win95), 0x74 = LastError (WinME) |
|
FS:[0xC0] |
NT |
Reserved for Wow32 |
|
FS:[0xC4] |
NT |
Current Locale |
|
FS:[0xC8] |
NT |
FP Software Status Register |
|
FS:[0xCC] |
NT |
Reserved for OS (NT), kernel32 private
data |
|
FS:[0x124] |
NT |
Pointer to KTHREAD (ETHREAD) structure |
|
FS:[0x1A4] |
NT |
Exception code |
|
FS:[0x1A8] |
NT |
Activation context stack |
|
FS:[0x1BC] |
NT |
Spare bytes (NT), ntdll private data |
|
FS:[0x1D4] |
NT |
Reserved for OS (NT), ntdll private data |
|
FS:[0x1FC] |
NT |
GDI TEB Batch (OS), vm86 private data |
|
FS:[0x6DC] |
NT |
GDI Region |
|
FS:[0x6E0] |
NT |
GDI Pen |
|
FS:[0x6E4] |
NT |
GDI Brush |
|
FS:[0x6E8] |
NT |
Real Process ID |
|
FS:[0x6EC] |
NT |
Real Thread ID |
|
FS:[0x6F0] |
NT |
GDI cached process handle |
|
FS:[0x6F4] |
NT |
GDI client process ID (PID) |
|
FS:[0x6F8] |
NT |
GDI client thread ID (TID) |
|
FS:[0x6FC] |
NT |
GDI thread locale information |
|
FS:[0x700] |
NT |
Reserved for user application |
|
FS:[0x714] |
NT |
Reserved for GL |
|
FS:[0xBF4] |
NT |
Last Status Value |
|
FS:[0xBF8] |
NT |
Reserved for advapi32 |
|
FS:[0xE0C] |
NT |
Pointer to deallocation stack |
|
FS:[0xE10] |
NT |
TLS slots, 4 byte per slot |
|
FS:[0xF10] |
NT |
TLS links (LIST_ENTRY structure) |
|
FS:[0xF18] |
NT |
VDM |
|
FS:[0xF1C] |
NT |
Reserved for RPC |
Sample Code
void *pTIB; __asm { mov EAX,FS:[20h] mov [pTIB],EAX } //Now you can see the most recent Process ID in pTIB.
EAX – is a CPU Register (Accumulator
Register).