 | This article needs to beupdated. Please help update this article to reflect recent events or newly available information.(December 2013) |
TheThread Information Block (TIB) orThread Environment Block (TEB) is adata structure inWin32 onx86 that stores information about the currently runningthread. It descended from, and is backward-compatible on 32-bit systems with, a similar structure inOS/2.[1]
The TIB is officially undocumented forWindows 9x. TheWindows NT seriesDDK (as well as theMinGW/ReactOS implementation) includes a structNT_TIB inwinnt.h that documents the subsystem independent part. Even before TIB was effectively documented, many applications have already started using its fields that they are effectively a part of theAPI. The first field containing theSEH frame, in particular, is referenced by the code produced by Microsoft's own compiler.[1] The Win32 subsystem-specific part of the TEB is undocumented, butWine includes a TEB definition inwinternl.h.[2]
The TIB can be used to get a lot of information on the process without calling Win32 API. Examples include emulatingGetLastError(),GetVersion(). Through the pointer to thePEB one can obtain access to the import tables (IAT), process startup arguments, image name, etc. It is accessed from the FSsegment register on 32-bit Windows and GS on 64-bit Windows.
This table is based onWine's work onMicrosoft Windows internals.[2]
| Bytes/ Type | offset (32-bit, FS) | offset (64-bit, GS) | Windows Versions | Description |
|---|---|---|---|---|
| pointer | FS:[0x00] | GS:[0x00] | Win9x andNT | CurrentStructured Exception Handling (SEH) frame Note: the 64-bit version of Windows usesstack unwinding done inkernel mode instead. |
| pointer | FS:[0x04] | GS:[0x08] | Win9x and NT | Stack Base / Bottom of stack (high address) |
| pointer | FS:[0x08] | GS:[0x10] | Win9x and NT | Stack Limit / Ceiling of stack (low address) |
| pointer | FS:[0x0C] | GS:[0x18] | NT | SubSystemTib |
| pointer | FS:[0x10] | GS:[0x20] | NT | Fiber data |
| pointer | FS:[0x14] | GS:[0x28] | Win9x and NT | Arbitrary data slot |
| pointer | FS:[0x18] | GS:[0x30] | Win9x and NT | Linear address of TEB |
| End ofNT subsystem independent part; below areWin32-dependent | ||||
| pointer | FS:[0x1C] | GS:[0x38] | NT | Environment Pointer |
| pointer | FS:[0x20] | GS:[0x40] | NT | Process ID (in some Windows distributions this field is used asDebugContext) |
| 4 | FS:[0x24] | GS:[0x48] | NT | Current thread ID |
| pointer | FS:[0x28] | GS:[0x50] | NT | Active RPC Handle |
| pointer | FS:[0x2C] | GS:[0x58] | Win9x and NT | Linear address of thethread-local storage array |
| pointer | FS:[0x30] | GS:[0x60] | NT | Linear address ofProcess Environment Block (PEB) |
| 4 | FS:[0x34] | GS:[0x68] | NT | Last error number |
| 4 | FS:[0x38] | GS:[0x6C] | NT | Count of owned critical sections |
| pointer | FS:[0x3C] | GS:[0x70] | NT | Address of CSR Client Thread |
| pointer | FS:[0x40] | GS:[0x78] | NT | Win32 Thread Information |
| 124 | FS:[0x44] | GS:[0x80] | NT, Wine | Win32 client information (NT), user32 private data (Wine), 0x60 = LastError (Win95&98), 0x74 = LastError (WinME) |
| pointer | FS:[0xC0] | GS:[0x100] | NT | Reserved for Wow64. Contains a pointer toFastSysCall in Wow64. |
| 4 | FS:[0xC4] | GS:[0x108] | NT | Current Locale |
| 4 | FS:[0xC8] | GS:[0x10C] | NT | FP Software Status Register |
| 216 | FS:[0xCC] | GS:[0x110] | NT, Wine | Reserved for OS (NT), kernel32 private data (Wine) herein: FS:[0x124] 4 NT Pointer to KTHREAD (ETHREAD) structure |
| 4 | FS:[0x1A4] | GS:[0x2C0] | NT | Exception code |
| 18 | FS:[0x1A8] | GS:[0x2C8] | NT | Activation context stack |
| 24 | FS:[0x1BC] | GS:[0x2E8] | NT, Wine | Spare bytes (NT), ntdll private data (Wine) |
| 40 | FS:[0x1D4] | GS:[0x300] | NT, Wine | Reserved for OS (NT), ntdll private data (Wine) |
| 1248 | FS:[0x1FC] | GS:[0x350] | NT, Wine | GDI TEB Batch (OS), vm86 private data (Wine) |
| 4 | FS:[0x6DC] | GS:[0x838] | NT | GDI Region |
| 4 | FS:[0x6E0] | GS:[0x840] | NT | GDI Pen |
| 4 | FS:[0x6E4] | GS:[0x848] | NT | GDI Brush |
| 4 | FS:[0x6E8] | GS:[0x850] | NT | Real Process ID |
| 4 | FS:[0x6EC] | GS:[0x858] | NT | Real Thread ID |
| 4 | FS:[0x6F0] | GS:[0x860] | NT | GDI cached process handle |
| 4 | FS:[0x6F4] | GS:[0x868] | NT | GDI client process ID (PID) |
| 4 | FS:[0x6F8] | GS:[0x86C] | NT | GDI client thread ID (TID) |
| 4 | FS:[0x6FC] | GS:[0x870] | NT | GDI thread locale information |
| 20 | FS:[0x700] | GS:[0x878] | NT | Reserved for user application |
| 1248 | FS:[0x714] | GS:[0x890] | NT | Reserved for GL (See wine ref for internals)[2] |
| 4 | FS:[0xBF4] | GS:[0x1250] | NT | Last Status Value |
| 532 | FS:[0xBF8] | GS:[0x1258] | NT | StaticUNICODE_STRING buffer |
| pointer | FS:[0xE0C] | GS:[0x1478] | NT | Also known asDeallocationStack, it establishes the actual start address of the stack buffer, which defines the true stack limit. This limit is a few pages less than the stack limit field, as the latter includes the guard pages used to manage the growth of the stack.[3] |
| pointer[] | FS:[0xE10] | GS:[0x1480] | NT | TLS slots, 4/8 bytes per slot, 64 slots |
| 8 | FS:[0xF10] | GS:[0x1680] | NT | TLS links (LIST_ENTRY structure) |
| 4 | FS:[0xF18] | GS:[0x1690] | NT | VDM |
| 4 | FS:[0xF1C] | GS:[0x1698] | NT | Reserved for RPC |
| 4 | FS:[0xF28] | GS:[0x16B0] | NT | Thread error mode (RtlSetThreadErrorMode) |
| 4 | FS:[0xF78] | GS:[0x1748] | NT | Guaranteed stack bytes |
| This is not the full table; see wine ref for all fields until FS:[0xfb4] / GS:[17c8].[2] Newer Windows versions extend the size of TIB further, up to 0x1000/0x1838 in Windows 10. Some of the fields appended are removed, leading to conflicting definitions.[4] | ||||
FS (for 32-bit) or GS (for 64-bit) maps to a TIB which is embedded in a data block known as the TDB (thread data base). The TIB contains the thread-specific exception handling chain and pointer to the TLS (thread local storage.) The thread local storage is not the same as C local storage.
A process should be free to move thestack of its threads as long as it updates the information stored in the TIB accordingly. A few fields are key to this matter: stack base, stack limit, deallocation stack, and guaranteed stack bytes, respectively stored at offsets0x8,0x10,0x1478 and0x1748 in 64 bits. Different Windowskernel functions read and write these values, specially to distinguishstack overflows from other read/writepage faults (a read or write to a page guarded among the stack limits in guaranteed stack bytes will generate a stack-overflow exception instead of an access violation). The deallocation stack is important because Windows API allows to change the amount of guarded pages: the functionSetThreadStackGuarantee allows both read the current space and to grow it. In order to read it, it reads theGuaranteedStackBytes field, and to grow it, it uses has to uncommit stack pages. Setting stack limits without settingDeallocationStack will probably cause odd behavior inSetThreadStackGuarantee. For example, it will overwrite the stack limits to wrong values. Different libraries callSetThreadStackGuarantee, for example the.NET CLR uses it for setting up the stack of their threads.
The TIB of the current thread can be accessed as an offset of segmentregister FS (x86) or GS (x64).
It is not common to access the TIB fields by an offset fromFS:[0], but rather first getting a linear self-referencing pointer to it stored atFS:[18h]. That pointer can be used with pointer arithmetic or be cast to astructpointer.
UsingMicrosoft Windows SDK or similar, a programmer could use an inline function defined inwinnt.h namedNtCurrentTeb which returns the address of the current Thread Information Block asNT_TIB *.[5]
Alternative methods of access forIA-32 architectures are as follows:
// gcc (AT&T-style inline assembly).void*getTIB(void){registervoid*pTIB;#if defined(__x86_64__) || defined(__amd64__)__asm__("movq %%gs:0x30, %0":"=r"(pTIB));#elif defined(__i386__)__asm__("movl %%fs:0x18, %0":"=r"(pTIB));#else#error unsupported architecture#endifreturnpTIB;}
// gcc (named address spaces, same as the inline assembly version on -O1 or -ftree-ter).void*getTIB(void){#if defined(__x86_64__) || defined(__amd64__)#ifndef __SEG_GS#error unsupported GCC version#endifreturn*(void*__seg_gs*)0x30;#elif defined(__i386__)#ifndef __SEG_FS#error unsupported GCC version#endifreturn*(void*__seg_fs*)0x18;#else#error unsupported architecture#endif}
// Microsoft C__declspec(naked)void*getTIB(){__asmmovEAX,FS:[18h]__asmret}
// Using Microsoft's intrinsics instead of inline assembly (works for both X86 and X64 architectures)void*getTIB(){#ifdef _M_IX86return(void*)__readfsdword(0x18);#elif _M_AMD64return(void*)__readgsqword(0x30);#else#error unsupported architecture#endif}