Win32 Thread Information Block
 | This article needs to be updated. (December 2013) |
In computing, the Win32 Thread Information Block (TIB) is a data structure in Win32 on x86 that stores information about the currently running thread. This structure is also known as the Thread Environment Block (TEB).[1]
The TIB is officially undocumented for Windows 9x. The Windows NT series DDK (as well as the MinGW/ReactOS implementation) includes a struct NT_TIB in winnt.h that documents the subsystem independent part. The Win32 subsystem-specific part (TEB( is undocumented, yet so many Win32 programs use these undocumented fields that they are effectively a part of the API. The first field, in particular, is directly referenced by the code produced by Microsoft's own compiler.[1] Wine includes a TEB definition in winternl.h.[2]
The TIB can be used to get a lot of information on the process without calling Win32 API. Examples include emulating GetLastError(), GetVersion(). Through the pointer to the PEB one can obtain access to the import tables (IAT), process startup arguments, image name, etc. It is accessed from the FS segment register on 32-bit Windows and GS on 64-bit Windows.
Contents of the TIB on Windows
This table is based on Wine's work on Windows internals. As of now the size data is for 32-bit Windows; use the offsets to calculate the 64-bit sizes.[2]
| Bytes/ Type |
offset (32-bit, FS) | offset (64-bit, GS) | Windows Versions | Description |
|---|---|---|---|---|
| pointer | FS:[0x00] | GS:[0x00] | Win9x and NT | Current Structured Exception Handling (SEH) frame
Note: the 64-bit version of Windows uses kernel mode stack unwinding instead. |
| pointer | FS:[0x04] | GS:[0x08] | Win9x and NT | Stack Base / Bottom of stack (high address) |
| pointer | FS:[0x08] | GS:[0x10] | Win9x and NT | Stack Limit / Ceiling of stack (low address) |
| pointer | FS:[0x0C] | GS:[0x18] | NT | SubSystemTib |
| pointer | FS:[0x10] | GS:[0x20] | NT | Fiber data |
| pointer | FS:[0x14] | GS:[0x28] | Win9x and NT | Arbitrary data slot |
| pointer | FS:[0x18] | GS:[0x30] | Win9x and NT | Linear address of TEB |
| End of NT subsystem independent part; below are Win32-dependent | ||||
| pointer | FS:[0x1C] | GS:[0x38] | NT | Environment Pointer |
| pointer | FS:[0x20] | GS:[0x40] | NT | Process ID (in some Windows distributions this field is used as 'DebugContext') |
| 4 | FS:[0x24] | GS:[0x48] | NT | Current thread ID |
| 4 | FS:[0x28] | GS:[0x50] | NT | Active RPC Handle |
| 4 | FS:[0x2C] | GS:[0x58] | Win9x and NT | Linear address of the thread-local storage array |
| 4 | FS:[0x30] | GS:[0x60] | NT | Linear address of Process Environment Block (PEB) |
| 4 | FS:[0x34] | GS:[0x68] | NT | Last error number |
| 4 | FS:[0x38] | GS:[0x6C] | NT | Count of owned critical sections |
| 4 | FS:[0x3C] | GS:[0x70] | NT | Address of CSR Client Thread |
| 4 | FS:[0x40] | GS:[0x78] | NT | Win32 Thread Information |
| 124 | FS:[0x44] | GS:[0x80] | NT, Wine | Win32 client information (NT), user32 private data (Wine), 0x60 = LastError (Win95&98), 0x74 = LastError (WinME) |
| 4 | FS:[0xC0] | GS:[0x100] | NT | Reserved for Wow64. Contains a pointer to FastSysCall in Wow64. |
| 4 | FS:[0xC4] | GS:[0x108] | NT | Current Locale |
| 4 | FS:[0xC8] | GS:[0x10C] | NT | FP Software Status Register |
| 216 | FS:[0xCC] | GS:[0x110] | NT, Wine | Reserved for OS (NT), kernel32 private data (Wine) herein: FS:[0x124] 4 NT Pointer to KTHREAD (ETHREAD) structure |
| 4 | FS:[0x1A4] | GS:[0x2C0] | NT | Exception code |
| 18 | FS:[0x1A8] | GS:[0x2C8] | NT | Activation context stack |
| 24 | FS:[0x1BC] | GS:[0x2E8] | NT, Wine | Spare bytes (NT), ntdll private data (Wine) |
| 40 | FS:[0x1D4] | GS:[0x300] | NT, Wine | Reserved for OS (NT), ntdll private data (Wine) |
| 1248 | FS:[0x1FC] | GS:[0x350] | NT, Wine | GDI TEB Batch (OS), vm86 private data (Wine) |
| 4 | FS:[0x6DC] | GS:[0x838] | NT | GDI Region |
| 4 | FS:[0x6E0] | GS:[0x840] | NT | GDI Pen |
| 4 | FS:[0x6E4] | GS:[0x848] | NT | GDI Brush |
| 4 | FS:[0x6E8] | GS:[0x850] | NT | Real Process ID |
| 4 | FS:[0x6EC] | GS:[0x858] | NT | Real Thread ID |
| 4 | FS:[0x6F0] | GS:[0x860] | NT | GDI cached process handle |
| 4 | FS:[0x6F4] | GS:[0x868] | NT | GDI client process ID (PID) |
| 4 | FS:[0x6F8] | GS:[0x86C] | NT | GDI client thread ID (TID) |
| 4 | FS:[0x6FC] | GS:[0x870] | NT | GDI thread locale information |
| 20 | FS:[0x700] | GS:[0x878] | NT | Reserved for user application |
| 1248 | FS:[0x714] | GS:[0x890] | NT | Reserved for GL (See wine ref for internals) |
| 4 | FS:[0xBF4] | GS:[0x1250] | NT | Last Status Value |
| 532 | FS:[0xBF8] | GS:[0x1258] | NT | Static UNICODE_STRING buffer |
| pointer | FS:[0xE0C] | GS:[0x1478] | NT | Also known as DeallocationStack, it establishes the real start address of the stack buffer, hence the real stack limit: it is a few pages less than the stack limit field (which hides the guard pages used to detect stack overflows). |
| pointer[] | FS:[0xE10] | GS:[0x1480] | NT | TLS slots, 4/8 bytes per slot, 64 slots |
| 8 | FS:[0xF10] | GS:[0x1680] | NT | TLS links (LIST_ENTRY structure) |
| 4 | FS:[0xF18] | GS:[0x1690] | NT | VDM |
| 4 | FS:[0xF1C] | GS:[0x1698] | NT | Reserved for RPC |
| 4 | FS:[0xF28] | GS:[0x16B0] | NT | Thread error mode (RtlSetThreadErrorMode) |
| This is not the full table; see wine ref for all fields until FS:[0xfb4] / GS:[17d0] | ||||
FS (for 32-bit) or GS (for 64-bit) maps to a TIB which is embedded in a data block known as the TDB (thread data base). The TIB contains the thread-specific exception handling chain and pointer to the TLS (thread local storage.) The thread local storage is not the same as C local storage.
Accessing the TIB
The TIB of the current thread can be accessed as an offset of segment register FS (x86) or GS (x64).
It is not common to access the TIB fields by an offset from FS:[0], but rather first getting a linear self-referencing pointer to it stored at FS:[0x18]. That pointer can be used with pointer arithmetics or be cast to a struct pointer.
Example in C inlined-assembly for x86:
// gcc (AT&T-style inline assembly).
void *getTIB() {
void *pTIB;
#if defined(__x86_64__) || defined(__amd64__)
__asm__("movq %%gs:0x30, %0" : "=r" (pTIB) ::);
#elif defined(__i386__)
__asm__("movl %%fs:0x18, %0" : "=r" (pTIB) ::);
#else
#error unsupported architecture
#endif
return pTIB;
}
// Microsoft C
__declspec(naked)
void *getTIB() {
__asm mov EAX, FS:[18h]
// x64: __asm mov RAX, GS:[30h]
}
// Using Microsoft's intrinsics instead of inline assembly (works for both X86 and X64 architectures)
void *getTIB() {
#ifdef _M_IX86
return (void *)__readfsdword(0x18);
#elif _M_AMD64
return (void *)__readgsqword(0x30);
#else
#error unsupported architecture
#endif
}
See also
References
- ^ a b Pietrek, Matt (May 1996). "Under The Hood". Microsoft Systems Journal. Archived from the original on 2009-06-14. Retrieved 2010-07-07.
- ^ a b "wine winternl.h: typedef struct _TEB". GitHub. wine-mirror. 29 October 2019.
Further reading
- Pietrek, Matt (March 1996). Windows 95 Programming Secrets (pdf). IDG. pp. 136–138. ISBN 978-1-56884-318-6. Retrieved 2010-07-17.
{{cite book}}: CS1 maint: url-status (link)