TIB、TEB 信息

https://en.wikipedia.org/wiki/Win32_Thread_Information_Block

这是重点

Position	Length	Windows Versions	Description
FS:[0x00]	4	Win9x and NT	Current Structured Exception Handling (SEH) frame
FS:[0x04]	4	Win9x and NT	Stack Base / Bottom of stack (high address)
FS:[0x08]	4	Win9x and NT	Stack Limit / Ceiling of stack (low address)
FS:[0x0C]	4	NT	SubSystemTib
FS:[0x10]	4	NT	Fiber data
FS:[0x14]	4	Win9x and NT	Arbitrary data slot
FS:[0x18]	4	Win9x and NT	Linear address of TEB
---- End of NT subsystem independent part ----
FS:[0x1C]	4	NT	Environment Pointer
FS:[0x20]	4	NT	Process ID (in some windows distributions this field is used as 'DebugContext')
FS:[0x24]	4	NT	Current thread ID
FS:[0x28]	4	NT	Active RPC Handle
FS:[0x2C]	4	Win9x and NT	Linear address of the thread-local storage array
FS:[0x30]	4	NT	Linear address of Process Environment Block (PEB)
FS:[0x34]	4	NT	Last error number
FS:[0x38]	4	NT	Count of owned critical sections
FS:[0x3C]	4	NT	Address of CSR Client Thread
FS:[0x40]	4	NT	Win32 Thread Information
FS:[0x44]	124	NT, Wine	Win32 client information (NT), user32 private data (Wine), 0x60 = LastError (Win95), 0x74 = LastError (WinME)
FS:[0xC0]	4	NT	Reserved for Wow64. Contains a pointer to FastSysCall in Wow64.
FS:[0xC4]	4	NT	Current Locale
FS:[0xC8]	4	NT	FP Software Status Register
FS:[0xCC]	216	NT, Wine	Reserved for OS (NT), kernel32 private data (Wine) herein: FS:[0x124] 4 NT Pointer to KTHREAD (ETHREAD) structure
FS:[0x1A4]	4	NT	Exception code
FS:[0x1A8]	18	NT	Activation context stack
FS:[0x1BC]	24	NT, Wine	Spare bytes (NT), ntdll private data (Wine)
FS:[0x1D4]	40	NT, Wine	Reserved for OS (NT), ntdll private data (Wine)
FS:[0x1FC]	1248	NT, Wine	GDI TEB Batch (OS), vm86 private data (Wine)
FS:[0x6DC]	4	NT	GDI Region
FS:[0x6E0]	4	NT	GDI Pen
FS:[0x6E4]	4	NT	GDI Brush
FS:[0x6E8]	4	NT	Real Process ID
FS:[0x6EC]	4	NT	Real Thread ID
FS:[0x6F0]	4	NT	GDI cached process handle
FS:[0x6F4]	4	NT	GDI client process ID (PID)
FS:[0x6F8]	4	NT	GDI client thread ID (TID)
FS:[0x6FC]	4	NT	GDI thread locale information
FS:[0x700]	20	NT	Reserved for user application
FS:[0x714]	1248	NT	Reserved for GL
FS:[0xBF4]	4	NT	Last Status Value
FS:[0xBF8]	532	NT	Static UNICODE_STRING buffer
FS:[0xE0C]	4	NT	Pointer to deallocation stack
FS:[0xE10]	256	NT	TLS slots, 4 byte per slot
FS:[0xF10]	8	NT	TLS links (LIST_ENTRY structure)
FS:[0xF18]	4	NT	VDM
FS:[0xF1C]	4	NT	Reserved for RPC
FS:[0xF28]	4	NT	Thread error mode (RtlSetThreadErrorMode)

转载于:https://www.cnblogs.com/suanguade/p/5827013.html

TIB、TEB 信息相关推荐

FS TIB TEB PEB
本篇发表我的TEB 和 PEB的一些见解,我把它图形化了,更形象便于理解. 首先对于TIB TEB PEB的概念我引用一下别人的blog了,以下内容取自看雪: TEB(Thread Environme ...
Win32 系统线程信息块（TIB）浅析
作者:Matt Pietrek 编译:VCKBASE 原文出处:May 1996 Under The Hood Windows 操作系统各个版本之间虽然核心部分差异很大,但它们都共享一个关键的系统数据 ...
Win32病毒入门 -- ring3篇
Win32病毒入门 -- ring3篇 by pker / CVC.GB 1.声明 ------- 本文仅仅是一篇讲述病毒原理的理论性文章,任何人如果通过本文中讲述的技术或利用本文中的代码写出恶性病 ...
Win32病毒入门--ring3篇
Win32病毒入门--ring3篇声明一篇讲述病毒原理的理论性文章,任何人如果通过本文中讲述的技术或利用本文中的代码写出恶性病毒,造成的任何影响均与作者无关. 前言病毒是什么?病毒就是一个具有一 ...
Win32病毒入门（二）
[pker / CVC.GB] 5.关于FASM ----------- 下面我们用FASM来编写我们的第一个程序.我们可以编写如下代码: format PE GUI 4.0 entry __s ...
反病毒引擎设计全解（二）
1．绪论本论文研究的主要内容正如其题目所示是设计并编写一个先进的反病毒引擎.首先需要对这"先进"二字做一个解释,何为"先进"?众所周知,传统的反病毒软件使用 ...
php滑动teb效果,PEB和TEB资料整合
一.概念 TEB(Thread Environment Block,线程环境块)系统在此TEB中保存频繁使用的线程相关的数据.位于用户地址空间,在比 PEB 所在地址低的地方.进程中的每个线程都有自己 ...
Thread Environment Block（TEB）
TEB简介 TEB(Thread Environment Block,线程环境块)指线程环境块,该结构体包含进程中运行线程的各种信息,进程中的每个线程都对应着一个TEB结构体.不同OS中TEB结构体的 ...
TEB,PEB,LDR结构
首先查看TEB结构 TEB结构中第一个成员为TIB结构,从偏移量可以看出从0x00到0x1C之间的内容均为TIB结构的成员,为了方便理解,我将TIB结构在TEB中展开来查看 ntdll!_TEB+0x ...

TIB、TEB 信息

TIB、TEB 信息相关推荐

最新文章

热门文章