유저모드의 FS레지스터는 현재 프로세서의 TEB(Thread Environment Block)을 가리키고 있습니다. 이는 처음 한 프로세스 내의 처음 생성된 쓰레드부터 0x7ffde000으로 부터 쓰레드가 생성될때마다 4KB씩 감소면서 생성됩니다.
첫번째 쓰레드 : 0x7ffde000
두번째 쓰레드 : 0x7ffdd000
세번째 쓰레드 : 0x7ffdc000
....
참고로 커널 모드의 프로세스에서는 FS 레지스터는 일반적으로 KPCR(Kernel Process Control Region)이라는 곳을 지칭하고 있는데 이는 XP 같은 경우 0xffdf0000 이라는 친숙한 주소의 값입니다. 물론 OS마다 다르지만 FS의 GDT 정보를 확인하여 KPCR을 찾으시면 되겠습니다.
출처: http://passket.tistory.com/30
windbg dt 명령어로 teb을 확인해 보았습니다. 0x30 위치에 peb의 주소가 있네요.
(windows 7 32bit)
xor eax, eax
mov eax, FS : [eax + 0x30] // peb의 주소
이런식으로 사용이 가능하겠습니다.
0:000> dt _teb 7ffdf000
ntdll!_TEB
+0x000 NtTib : _NT_TIB
+0x01c EnvironmentPointer : (null)
+0x020 ClientId : _CLIENT_ID
+0x028 ActiveRpcHandle : (null)
+0x02c ThreadLocalStoragePointer : 0x7ffdf02c Void
+0x030 ProcessEnvironmentBlock : 0x7ffda000 _PEB
+0x034 LastErrorValue : 0
+0x038 CountOfOwnedCriticalSections : 0
+0x03c CsrClientThread : (null)
+0x040 Win32ThreadInfo : (null)
+0x044 User32Reserved : [26] 0
+0x0ac UserReserved : [5] 0
+0x0c0 WOW32Reserved : (null)
+0x0c4 CurrentLocale : 0x412
+0x0c8 FpSoftwareStatusRegister : 0
+0x0cc SystemReserved1 : [54] (null)
+0x1a4 ExceptionCode : 0n0
+0x1a8 ActivationContextStackPointer : 0x004107e0 _ACTIVATION_CONTEXT_STACK
+0x1ac SpareBytes : [36] ""
+0x1d0 TxFsContext : 0xfffe
+0x1d4 GdiTebBatch : _GDI_TEB_BATCH
+0x6b4 RealClientId : _CLIENT_ID
+0x6bc GdiCachedProcessHandle : (null)
+0x6c0 GdiClientPID : 0
+0x6c4 GdiClientTID : 0
+0x6c8 GdiThreadLocalInfo : (null)
+0x6cc Win32ClientInfo : [62] 0
+0x7c4 glDispatchTable : [233] (null)
+0xb68 glReserved1 : [29] 0
+0xbdc glReserved2 : (null)
+0xbe0 glSectionInfo : (null)
+0xbe4 glSection : (null)
+0xbe8 glTable : (null)
+0xbec glCurrentRC : (null)
+0xbf0 glContext : (null)
+0xbf4 LastStatusValue : 0
+0xbf8 StaticUnicodeString : _UNICODE_STRING "ntdll.dll"
+0xc00 StaticUnicodeBuffer : [261] "ntdll.dll"
+0xe0c DeallocationStack : 0x00210000 Void
+0xe10 TlsSlots : [64] (null)
+0xf10 TlsLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0xf18 Vdm : (null)
+0xf1c ReservedForNtRpc : (null)
+0xf20 DbgSsReserved : [2] (null)
+0xf28 HardErrorMode : 0
+0xf2c Instrumentation : [9] (null)
+0xf50 ActivityId : _GUID {00000000-0000-0000-0000-000000000000}
+0xf60 SubProcessTag : (null)
+0xf64 EtwLocalData : (null)
+0xf68 EtwTraceData : (null)
+0xf6c WinSockData : (null)
+0xf70 GdiBatchCount : 0
+0xf74 CurrentIdealProcessor : _PROCESSOR_NUMBER
+0xf74 IdealProcessorValue : 0
+0xf74 ReservedPad0 : 0 ''
+0xf75 ReservedPad1 : 0 ''
+0xf76 ReservedPad2 : 0 ''
+0xf77 IdealProcessor : 0 ''
+0xf78 GuaranteedStackBytes : 0
+0xf7c ReservedForPerf : (null)
+0xf80 ReservedForOle : (null)
+0xf84 WaitingOnLoaderLock : 0
+0xf88 SavedPriorityState : (null)
+0xf8c SoftPatchPtr1 : 0
+0xf90 ThreadPoolData : (null)
+0xf94 TlsExpansionSlots : (null)
+0xf98 MuiGeneration : 0
+0xf9c IsImpersonating : 0
+0xfa0 NlsCache : (null)
+0xfa4 pShimData : (null)
+0xfa8 HeapVirtualAffinity : 0
+0xfac CurrentTransactionHandle : (null)
+0xfb0 ActiveFrame : (null)
+0xfb4 FlsData : (null)
+0xfb8 PreferredLanguages : (null)
+0xfbc UserPrefLanguages : (null)
+0xfc0 MergedPrefLanguages : (null)
+0xfc4 MuiImpersonation : 0
+0xfc8 CrossTebFlags : 0
+0xfc8 SpareCrossTebBits : 0y0000000000000000 (0)
+0xfca SameTebFlags : 0x420
+0xfca SafeThunkCall : 0y0
+0xfca InDebugPrint : 0y0
+0xfca HasFiberData : 0y0
+0xfca SkipThreadAttach : 0y0
+0xfca WerInShipAssertCode : 0y0
+0xfca RanProcessInit : 0y1
+0xfca ClonedThread : 0y0
+0xfca SuppressDebugMsg : 0y0
+0xfca DisableUserStackWalk : 0y0
+0xfca RtlExceptionAttached : 0y0
+0xfca InitialThread : 0y1
+0xfca SpareSameTebBits : 0y00000 (0)
+0xfcc TxnScopeEnterCallback : (null)
+0xfd0 TxnScopeExitCallback : (null)
+0xfd4 TxnScopeContext : (null)
+0xfd8 LockCount : 0
+0xfdc SpareUlong0 : 0
+0xfe0 ResourceRetValue : (null)
'Security > Assembly' 카테고리의 다른 글
| [어셈블리어] 헷갈리는 것들 ! 정리 (0) | 2017.06.03 |
|---|