Win32 Thread Information Block
From Wikipedia, the free encyclopedia
In computing, the Win32 Thread Information Block (TIB) is a data structure in Win32 on x86 that stores info about the currently running thread.
The TIB is officially undocumented for Windows 9x. The Windows NT series DDK includes a struct NT_TIB in winnt.h that documents the subsystem independent part. Wine includes declarations for the extended (subsystem-specific part of) TIB. Yet so many Win32 programs use undocumented fields so it is effectively a part of the API.
The TIB can be used to get a lot of information on the process without calling win32 API. Examples include emulating GetLastError(), GetVersion(). Through the pointer to the PEB one can obtain access to the import tables (IAT), process startup arguments, image name, etc.
[edit] Contents of the TIB
| Position | Length | Windows Versions | Description |
|---|---|---|---|
| FS:[0x00] | 4 | Win9x and NT | Current Structured Exception Handling (SEH) frame |
| FS:[0x04] | 4 | Win9x and NT | Top of stack |
| FS:[0x08] | 4 | Win9x and NT | Current bottom of stack |
| FS:[0x10] | 4 | NT | Fiber data |
| FS:[0x14] | 4 | Win9x and NT | Arbitrary data slot |
| FS:[0x18] | 4 | Win9x and NT | Linear address of TIB |
| - | - | NT | End of NT subsystem independent part |
| FS:[0x1C] | 4 | NT | Environment Pointer |
| FS:[0x20] | 4 | NT | Process ID |
| FS:[0x24] | 4 | NT | Current thread ID |
| FS:[0x28] | 4 | NT | Active RPC Handle |
| FS:[0x2C] | 4 | Win9x and NT | Linear address of the thread-local storage array |
| FS:[0x30] | 4 | NT | Linear address of Process Environment Block (PEB) |
| FS:[0x34] | 4 | NT | Last error number |
| FS:[0x38] | 4 | NT | Count of owned critical sections |
| FS:[0x3C] | 4 | NT | Address of CSR Client Thread |
| FS:[0x40] | 4 | NT | Win32 Thread Information |
| FS:[0x44] | 124 | NT,Wine | Win32 client information (NT), user32 private data (Wine), 0x60 = LastError (Win95), 0x74 = LastError (WinME) |
| FS:[0xC0] | 4 | NT | Reserved for Wow32 |
| FS:[0xC4] | 4 | NT | Current Locale |
| FS:[0xC8] | 4 | NT | FP Software Status Register |
| FS:[0xCC] | 216 | NT,Wine | Reserved for OS (NT), kernel32 private data (Wine) |
| FS:[0x1A4] | 4 | NT | Exception code |
| FS:[0x1A8] | 18 | NT | Activation context stack |
| FS:[0x1BC] | 24 | NT,Wine | Spare bytes (NT), ntdll private data (Wine) |
| FS:[0x1D4] | 40 | NT,Wine | Reserved for OS (NT), ntdll private data (Wine) |
| FS:[0x1FC] | 1248 | NT,Wine | GDI TEB Batch (OS), vm86 private data (Wine) |
| FS:[0x6DC] | 4 | NT | GDI Region |
| FS:[0x6E0] | 4 | NT | GDI Pen |
| FS:[0x6E4] | 4 | NT | GDI Brush |
| FS:[0x6E8] | 4 | NT | Real Process ID |
| FS:[0x6EC] | 4 | NT | Real Thread ID |
| FS:[0x6F0] | 4 | NT | GDI cached process handle |
| FS:[0x6F4] | 4 | NT | GDI client process ID (PID) |
| FS:[0x6F8] | 4 | NT | GDI client thread ID (TID) |
| FS:[0x6FC] | 4 | NT | GDI thread locale information |
| FS:[0x700] | 20 | NT | Reserved for user application |
| FS:[0x714] | 1248 | NT | Reserved for GL |
| FS:[0xBF4] | 4 | NT | Last Status Value |
| FS:[0xBF8] | 214 | NT | Reserved for advapi32 |
| FS:[0xE0C] | 4 | NT | Pointer to deallocation stack |
| FS:[0xE10] | 256 | NT | TLS slots, 4 byte per slot |
| FS:[0xF10] | 8 | NT | TLS links (LIST_ENTRY structure) |
| FS:[0xF18] | 4 | NT | VDM |
| FS:[0xF1C] | 4 | NT | Reserved for RPC |
[edit] Accessing the TIB
The TIB can be accessed as an offset of segment register FS.
It is common to not access TIB fields by offset from FS:[0], but rather first getting a the linear self-referencing pointer to the stored at FS:[0x18]. That pointer is used in means of pointer arithmetics or cast to a struct pointer.
Example in C inlined-assembly for 32-bit x86:
// gcc (AT&T-style inline assembly). void *getTIB() { void *pTib; __asm__("movl %%fs:0x18, %0" : "=r" (pTib) : : ); return pTib; }
// Microsoft C void *getTib() { void *pTib; __asm { mov EAX, FS:[18h] mov [pTib], EAX } return pTib; }
[edit] External links
 |
This Microsoft Windows article is a stub. You can help by expanding it. |
