TIB、TEB 信息
https://en.wikipedia.org/wiki/Win32_Thread_Information_Block
这是重点
| Position | Length | Windows Versions | Description |
|---|---|---|---|
| FS:[0x00] | 4 | Win9x and NT | Current Structured Exception Handling (SEH) frame |
| FS:[0x04] | 4 | Win9x and NT | Stack Base / Bottom of stack (high address) |
| FS:[0x08] | 4 | Win9x and NT | Stack Limit / Ceiling of stack (low address) |
| FS:[0x0C] | 4 | NT | SubSystemTib |
| FS:[0x10] | 4 | NT | Fiber data |
| FS:[0x14] | 4 | Win9x and NT | Arbitrary data slot |
| FS:[0x18] | 4 | Win9x and NT | Linear address of TEB |
| ---- End of NT subsystem independent part ---- | |||
| FS:[0x1C] | 4 | NT | Environment Pointer |
| FS:[0x20] | 4 | NT | Process ID (in some windows distributions this field is used as 'DebugContext') |
| FS:[0x24] | 4 | NT | Current thread ID |
| FS:[0x28] | 4 | NT | Active RPC Handle |
| FS:[0x2C] | 4 | Win9x and NT | Linear address of the thread-local storage array |
| FS:[0x30] | 4 | NT | Linear address of Process Environment Block (PEB) |
| FS:[0x34] | 4 | NT | Last error number |
| FS:[0x38] | 4 | NT | Count of owned critical sections |
| FS:[0x3C] | 4 | NT | Address of CSR Client Thread |
| FS:[0x40] | 4 | NT | Win32 Thread Information |
| FS:[0x44] | 124 | NT, Wine | Win32 client information (NT), user32 private data (Wine), 0x60 = LastError (Win95), 0x74 = LastError (WinME) |
| FS:[0xC0] | 4 | NT | Reserved for Wow64. Contains a pointer to FastSysCall in Wow64. |
| FS:[0xC4] | 4 | NT | Current Locale |
| FS:[0xC8] | 4 | NT | FP Software Status Register |
| FS:[0xCC] | 216 | NT, Wine |
Reserved for OS (NT), kernel32 private data (Wine)
herein: FS:[0x124] 4 NT Pointer to KTHREAD (ETHREAD) structure |
| FS:[0x1A4] | 4 | NT | Exception code |
| FS:[0x1A8] | 18 | NT | Activation context stack |
| FS:[0x1BC] | 24 | NT, Wine | Spare bytes (NT), ntdll private data (Wine) |
| FS:[0x1D4] | 40 | NT, Wine | Reserved for OS (NT), ntdll private data (Wine) |
| FS:[0x1FC] | 1248 | NT, Wine | GDI TEB Batch (OS), vm86 private data (Wine) |
| FS:[0x6DC] | 4 | NT | GDI Region |
| FS:[0x6E0] | 4 | NT | GDI Pen |
| FS:[0x6E4] | 4 | NT | GDI Brush |
| FS:[0x6E8] | 4 | NT | Real Process ID |
| FS:[0x6EC] | 4 | NT | Real Thread ID |
| FS:[0x6F0] | 4 | NT | GDI cached process handle |
| FS:[0x6F4] | 4 | NT | GDI client process ID (PID) |
| FS:[0x6F8] | 4 | NT | GDI client thread ID (TID) |
| FS:[0x6FC] | 4 | NT | GDI thread locale information |
| FS:[0x700] | 20 | NT | Reserved for user application |
| FS:[0x714] | 1248 | NT | Reserved for GL |
| FS:[0xBF4] | 4 | NT | Last Status Value |
| FS:[0xBF8] | 532 | NT | Static UNICODE_STRING buffer |
| FS:[0xE0C] | 4 | NT | Pointer to deallocation stack |
| FS:[0xE10] | 256 | NT | TLS slots, 4 byte per slot |
| FS:[0xF10] | 8 | NT | TLS links (LIST_ENTRY structure) |
| FS:[0xF18] | 4 | NT | VDM |
| FS:[0xF1C] | 4 | NT | Reserved for RPC |
| FS:[0xF28] | 4 | NT | Thread error mode (RtlSetThreadErrorMode) |
转载于:https://www.cnblogs.com/suanguade/p/5827013.html
TIB、TEB 信息相关推荐
- FS TIB TEB PEB
本篇发表我的TEB 和 PEB的一些见解,我把它图形化了,更形象便于理解. 首先对于TIB TEB PEB的概念我引用一下别人的blog了,以下内容取自看雪: TEB(Thread Environme ...
- Win32 系统线程信息块(TIB)浅析
作者:Matt Pietrek 编译:VCKBASE 原文出处:May 1996 Under The Hood Windows 操作系统各个版本之间虽然核心部分差异很大,但它们都共享一个关键的系统数据 ...
- Win32病毒入门 -- ring3篇
Win32病毒入门 -- ring3篇 by pker / CVC.GB 1.声明 ------- 本文仅仅是一篇讲述病毒原理的理论性文章,任何人如果通过本文中讲述的技术或利用本文 中的代码写出恶性病 ...
- Win32病毒入门--ring3篇
Win32病毒入门--ring3篇 声明 一篇讲述病毒原理的理论性文章,任何人如果通过本文中讲述的技术或利用本文中的代码写出恶性病毒,造成的任何影响均与作者无关. 前言 病毒是什么?病毒就是一个具有一 ...
- Win32病毒入门(二)
[pker / CVC.GB] 5.关于FASM ----------- 下面我们用FASM来编写我们的第一个程序.我们可以编写如下代码: format PE GUI 4.0 entry __s ...
- 反病毒引擎设计全解(二)
1.绪 论 本论文研究的主要内容正如其题目所示是设计并编写一个先进的反病毒引擎.首先需要对这"先进"二字做一个解释,何为"先进"?众所周知,传统的反病毒软件使用 ...
- php滑动teb效果,PEB和TEB资料整合
一.概念 TEB(Thread Environment Block,线程环境块)系统在此TEB中保存频繁使用的线程相关的数据.位于用户地址空间,在比 PEB 所在地址低的地方.进程中的每个线程都有自己 ...
- Thread Environment Block(TEB)
TEB简介 TEB(Thread Environment Block,线程环境块)指线程环境块,该结构体包含进程中运行线程的各种信息,进程中的每个线程都对应着一个TEB结构体.不同OS中TEB结构体的 ...
- TEB,PEB,LDR结构
首先查看TEB结构 TEB结构中第一个成员为TIB结构,从偏移量可以看出从0x00到0x1C之间的内容均为TIB结构的成员,为了方便理解,我将TIB结构在TEB中展开来查看 ntdll!_TEB+0x ...
最新文章
- Elasticsearch 安装和使用
- Selenium2(WebDriver)总结(五)---元素操作进阶(常用类)
- Saltstack数据系统Grains和Pillar(三)
- step-by-step多文件WEB批量上传(swfupload)的完美解决方案
- App移动端性能工具调研
- linux源码文件名,Linux中文件名解析处理源码分析
- 过滤器-filter
- 【浙江大学PAT真题练习乙级】1006 换个格式输出整数 (15分) 真题解析
- python3的文件编码问题
- python抓取直播源 并更新_虎牙直播源Python爬虫
- 最新的省市区三级地区MySQL数据库,附带获取方法
- detach的简易用法
- 微信oauth2的认证
- Android自定义view实现日历控件
- css3绝对定位垂直居中,CSS3绝对定位自适应居中 - 米扑博客
- android studio增加一个界面,Android Studio在同一个窗口中打开多个Project【附效果图附源码...
- Värde任命新合伙人和高级董事总经理
- 多模态的研究现状与应用场景的调查研究
- 【附源码】计算机毕业设计java校园疫情防控系统设计与实现
- SpringBoot 基于 OAuth2 统一身份认证流程详解