4

I need to debug an application written in C that reads and writes to segment register FS. To debug this application I need to see the memory address where FS points to.

The application uses code like this:

mov rdx, fs:[rcx]
mov fs:[rcx], rsi

How do I get the linear virtual address of a read/write from/to segment registers? I can compile this application for either Linux or Windows.

Fee
  • Windows uses FS for "per thread" variables, and the few times I've looked at the assembly code, it's converting FS:[...] into a regular virtual address. The current seed for rand() is one of those "per thread" variables, which is what I looked at. – rcgldr Nov 13 '15 at 09:59
  • Related: http://stackoverflow.com/questions/6611346/how-are-the-fs-gs-registers-used-in-linux-amd64 – Ciro Santilli OurBigBook.com Nov 13 '15 at 13:05

1 Answer

4

On Linux, you can use arch_prctl(ARCH_GET_FS, &fsbase). In Windows, if the FS is pointing to the TEB as usual, you can read fs:[0x18] to get the base address, or use features of your debugger if available.

Jester
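The Linux approach from the answer, as an added example that is not part of the original posts: it fetches the FS base with arch_prctl(ARCH_GET_FS, ...), computes the linear address of an fs:[offset] access as base + offset, and checks that by reading the same 8 bytes both through the segment override and through the computed pointer. It assumes x86-64 Linux with GCC or Clang; the helper names are hypothetical.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <asm/prctl.h>          /* ARCH_GET_FS */

/* FS base of the calling thread, or 0 if the syscall fails. */
static uintptr_t get_fs_base(void)
{
    unsigned long base = 0;
    /* Call through syscall(2); not every libc exports an arch_prctl wrapper. */
    if (syscall(SYS_arch_prctl, ARCH_GET_FS, &base) != 0)
        return 0;
    return (uintptr_t)base;
}

/* Linear virtual address touched by an access to fs:[offset]. */
static uintptr_t fs_linear_address(uintptr_t offset)
{
    return get_fs_base() + offset;
}

/* Read 8 bytes through the segment override, like `mov rdx, fs:[rcx]`. */
static uint64_t read_fs_qword(uintptr_t offset)
{
    uint64_t value;
    __asm__ volatile("movq %%fs:(%1), %0" : "=r"(value) : "r"(offset) : "memory");
    return value;
}

/* Read the same 8 bytes through the computed linear address. */
static uint64_t read_linear_qword(uintptr_t offset)
{
    return *(volatile uint64_t *)fs_linear_address(offset);
}

int main(void)
{
    uintptr_t off = 0;  /* the x86-64 TLS ABI keeps the thread pointer at fs:0 */
    printf("FS base          = %#lx\n", (unsigned long)get_fs_base());
    printf("fs:[%#lx] is at   = %#lx\n", (unsigned long)off,
           (unsigned long)fs_linear_address(off));
    printf("via fs override  = %#lx\n", (unsigned long)read_fs_qword(off));
    printf("via linear addr  = %#lx\n", (unsigned long)read_linear_qword(off));
    return 0;
}
```

The FS base is per thread, so call get_fs_base() on the thread whose accesses you are tracing.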