4

I have this simple assembler command:

mov eax, fs:[30h];

My problem is that I need to know what specific address is really read by this command. I found a lot of documentation about the assembler addressing modes but nothing about the register: notation.

Could somebody please explain to me the math behind the address calculation?

Rakete1111
Robert

3 Answers

3

FS is an index into a table of Segment Descriptors, which in turn contain a Base Address, which is added to the address. On win32, FS is used to access the Thread Information Block (or more accurately, the Segment Descriptor indexed by FS has a base address such that FS:[0] is the start of the TIB) and FS:[30h] is the location of a pointer to the Process Environment Block. On win64, GS is used to access the TIB.

harold
  • Thanks for the description but I know what the code does. I need to calculate the memory addresses so that I can access the TIB by hand without code... – Robert Jun 20 '13 at 13:48
  • 2
    @Robert without code..? Well you can fire up VMMap and look at where the TIBs are (they're at the higher addresses) – harold Jun 20 '13 at 14:16
  • Thanks for the VMMap hint, now I know the address where to search for the TIB. Anyway it would be interesting to understand the x86 assembler address computation. – Robert Jun 21 '13 at 11:38
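The selector-to-linear-address arithmetic harold describes, worked through as an added C example (this is not code from the thread). The descriptor bytes, the selector value 0x3B and the base 0x7FFDE000 are constructed sample values shaped like a 32-bit Windows TEB segment, not values dumped from a real system. The 8-byte layout decoded here is the hardware GDT/LDT entry format, which is also the layout of the LDT_ENTRY structure that GetThreadSelectorEntry fills in, so the same decode applies to what that API returns.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example (not from the original thread): the arithmetic behind
 * mov eax, fs:[30h] on 32-bit x86.
 *
 *   1. FS holds a 16-bit *selector*: bits 15..3 index a descriptor table,
 *      bit 2 picks GDT (0) or LDT (1), bits 1..0 are the RPL.
 *   2. The 8-byte *descriptor* at that index carries a 32-bit base and a
 *      20-bit limit (scaled by 4 KiB when the G bit is set).
 *   3. linear address = base + offset, after checking offset <= limit
 *      (a violation raises #GP instead of reading memory).
 */

typedef struct {
    uint32_t base;     /* segment base address */
    uint32_t limit;    /* highest valid offset, in bytes */
    int      present;  /* P bit */
    int      dpl;      /* descriptor privilege level */
} seg_info_t;

unsigned sel_index(uint16_t sel) { return sel >> 3; }
unsigned sel_ti(uint16_t sel)    { return (sel >> 2) & 1u; }
unsigned sel_rpl(uint16_t sel)   { return sel & 3u; }

/* Decode a raw GDT/LDT entry (same byte layout as Win32's LDT_ENTRY). */
seg_info_t decode_descriptor(const uint8_t d[8])
{
    seg_info_t s;
    /* base is scattered across bytes 2,3 (bits 15:0), 4 (23:16), 7 (31:24) */
    s.base  = (uint32_t)d[2] | ((uint32_t)d[3] << 8)
            | ((uint32_t)d[4] << 16) | ((uint32_t)d[7] << 24);
    /* limit: bytes 0,1 (bits 15:0) and the low nibble of byte 6 (19:16) */
    uint32_t limit = (uint32_t)d[0] | ((uint32_t)d[1] << 8)
                   | ((uint32_t)(d[6] & 0x0Fu) << 16);
    int g = (d[6] >> 7) & 1;               /* granularity: 1 = 4 KiB units */
    s.limit   = g ? (limit << 12) | 0xFFFu : limit;
    s.present = (d[5] >> 7) & 1;
    s.dpl     = (d[5] >> 5) & 3;
    return s;
}

/* Compute base+offset; returns -1 where the CPU would raise #GP instead. */
int linear_address(const seg_info_t *s, uint32_t offset, uint32_t *out)
{
    if (!s->present || offset > s->limit)
        return -1;
    *out = s->base + offset;   /* 32-bit wraparound, as on hardware */
    return 0;
}

/* Constructed sample descriptors (assumptions, not dumped from a real system):
 * - kFsDescriptor:   present, DPL 3, RW data, base 0x7FFDE000, limit 0xFFF,
 *                    G=0; shaped like a 32-bit Windows TEB segment.
 * - kFlatDescriptor: base 0, limit 0xFFFFF with G=1, i.e. all 4 GiB: the
 *                    flat DS/ES/SS segment in which ds:[x] is simply x.    */
const uint8_t kFsDescriptor[8]   = { 0xFF, 0x0F, 0x00, 0xE0, 0xFD, 0xF3, 0x40, 0x7F };
const uint8_t kFlatDescriptor[8] = { 0xFF, 0xFF, 0x00, 0x00, 0x00, 0xF3, 0xCF, 0x00 };
const uint16_t kFsSelector = 0x3B;   /* assumed selector value for FS */

int main(void)
{
    seg_info_t fs = decode_descriptor(kFsDescriptor);
    uint32_t la;

    printf("FS=%#x -> index %u, %s, RPL %u\n", kFsSelector,
           sel_index(kFsSelector), sel_ti(kFsSelector) ? "LDT" : "GDT",
           sel_rpl(kFsSelector));
    printf("descriptor: base=%#x limit=%#x P=%d DPL=%d\n",
           fs.base, fs.limit, fs.present, fs.dpl);

    if (linear_address(&fs, 0x30, &la) == 0)
        printf("fs:[30h] reads linear address %#x\n", la);
    if (linear_address(&fs, 0x1000, &la) != 0)
        printf("fs:[1000h] exceeds the segment limit: #GP\n");
    return 0;
}
```

The linear address this produces is the virtual address a debugger or VMMap shows for the TIB; paging then maps it to a physical page, which user-mode code never sees. Two caveats for anyone applying this by hand: the flat descriptor shows why adding the raw 16-bit selector to the offset (as one comment below discusses) gives nothing useful, since the selector is an index, not a base; and in 64-bit mode the CPU ignores the descriptor base for FS and GS and takes it from the IA32_FS_BASE and IA32_GS_BASE MSRs, so this table walk describes 32-bit code (including WOW64 processes) and not a native x64 gs:[60h] read.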
1

To get the base address of the FS segment in Win32, you can use the GetThreadSelectorEntry function (x86 only).

If you're writing a debugger, you can use the lpThreadLocalBase value from the CREATE_THREAD_DEBUG_INFO/CREATE_PROCESS_DEBUG_INFO structures which are sent to the debugger for every new thread or process. This points to the thread's TEB and works for both x86 and x64 processes (on x64, the GS register is used for the TEB).

Igor Skochinsky
-1

The best explanation (and even with pictures) is placed here:

http://flint.cs.yale.edu/cs422/doc/art-of-asm/pdf/

Chapter 4 is what you should read.

icbytes
  • The fs register is a 16-bit register, therefore just adding the offset does not give you a valid pointer. – Robert Jun 20 '13 at 11:08
  • Ok, I edited it in order to keep the link to the most powerful asm book I have ever read (and still read). – icbytes Jun 21 '13 at 07:20