Re: lea with fs override
- From: "robertwessel2@xxxxxxxxx" <spamtrap@xxxxxxxxxx>
- Date: 27 Apr 2006 12:47:21 -0700
JC wrote:
> I'd like to know, from userland, what base linear address my OS
> (Windows XP) has set the FS segment (or GS, for that matter) to point
> to.
> I thought I could be clever, and do something like this (intel
> syntax):
> lea eax, fs:[0]
> To figure this out. Unfortunately, LEA ignores segment overrides, and
> I get back 0. Not helpful.
> Is there another way to figure this out?
In user mode, FS will always point to the current thread's TIB.
There's a pointer in there (at FS:0x18) that points to the linear
address of the TIB. It does something similar in the kernel.
While not particularly documented, the GDT itself isn't that hard to
find (although it's moved around in different versions of Windows), and
you can usually search from there. Try 0x80036000, it might still be
there (that was correct for at least some versions of 2GB Win2K).
Also, you could just search your address space for a block of memory
matching what's at FS:0. To make that simpler, TIBs are always page
aligned, and on a system with 2GB of user address space, are allocated
starting a little below the 2GB line and going down (there's something
like 128KB of other stuff first, then the PEB, then the TIBs). Or at
least those were the locations for Win2K.
A kernel debugger like SoftIce will also let you get to that stuff.
The first option (the FS:0x18 pointer) is the only thing approximating
a stable interface.
The question is what you're trying to accomplish.
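The FS:0x18 approach from the reply, as an added example written for this page (not code from the thread); it assumes 32-bit Windows user mode, MASM syntax, and the x86 NT_TIB layout with ExceptionList at offset 0 and Self at offset 0x18:

```asm
; Added example, not from the original thread.
; Assumes: 32-bit Windows user mode, x86 NT_TIB layout
; (ExceptionList at offset 0, Self at offset 18h).
.386
.model flat, stdcall
.code

; Returns the linear address of the current thread's TIB in EAX,
; or 0 if the sanity check fails.
GetTibLinearAddress PROC
    ; LEA only computes the effective address (the offset part), so
    ; the FS override contributes nothing and EAX is simply 0.
    ; This is the attempt from the original question; it cannot work.
    lea eax, fs:[0]

    ; MOV performs a real memory access through FS, so the segment
    ; base is added. Offset 18h of the TIB holds the TIB's own
    ; linear address (the "Self" pointer).
    mov eax, fs:[18h]

    ; Sanity check 1: the Self field read through the flat DS at the
    ; linear address must point back to the same TIB.
    cmp eax, [eax+18h]
    jne fail

    ; Sanity check 2: the ExceptionList pointer read via FS must match
    ; the same field read through DS at the linear address.
    mov ecx, fs:[0]
    cmp ecx, [eax]
    jne fail
    ret
fail:
    xor eax, eax
    ret
GetTibLinearAddress ENDP

END
```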