Register contents at startup 
 Register contents at startup

When you run a windows 32bit application (PE), what are the register contents?
cs obviously points to code, ds to data, ss to stack, but what about es, gs,
fs, if the model wasn't flat?
At the start of one program, I saw:
mov eax, dword fs:[00000000]
Anyone know, or where I could find out?

GS d- s: a---- C++++ W++ N++ K- W+++++ M-- PS
PE+ Y+ PGP- t 5 X++ R tv+ b DI+++ D---- Ge-- h! r+
Make the known unknown and the unknown known...



Wed, 13 Feb 2002 03:00:00 GMT  
 Register contents at startup

Quote:

> When you run a windows 32bit application (PE), what are the register contents?
> cs obviously points to code, ds to data, ss to stack, but what about es, gs,
> fs, if the model wasn't flat?
> At the start of one program, I saw:
> mov eax, dword fs:[00000000]
> Anyone know, or where I could find out?

es should be an alias to ds I think; fs points to the TIB (thread info block), so `mov eax, fs:[0]` reads the first TIB field, the head of the exception-handler list. I don't *think* gs points to anything special, but I really don't know for sure. The TIB looks something like this:

TIB.H
//===========================================================
// File: TIB.H
// Author: Matt Pietrek
// From: Microsoft Systems Journal "Under the Hood", May 1996
//===========================================================
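#pragma pack(push, 1)   // byte-pack so every field lands at the offset given in its comment;
                        // push/pop restores the includer's packing instead of resetting it to default

// One node of the per-thread exception-handler chain. The first TIB field
// (pvExcept, i.e. fs:[0]) points at the innermost record.
typedef struct _EXCEPTION_REGISTRATION_RECORD
{
    struct _EXCEPTION_REGISTRATION_RECORD *pNext;       // next record in the chain
    FARPROC                                pfnHandler;  // handler installed for this frame
} EXCEPTION_REGISTRATION_RECORD, *PEXCEPTION_REGISTRATION_RECORD;

// Thread Information Block (TIB) as documented by Matt Pietrek, MSJ "Under the
// Hood", May 1996. FS is based at this structure for the running thread, so the
// offset in each field's comment is what fs:[offset] reads. Win95 and WinNT
// overlay different fields at 0Ch, 1Ch and 30h; the unions keep both views at
// the same offsets.
typedef struct _TIB
{
    PEXCEPTION_REGISTRATION_RECORD pvExcept;    // 00h Head of exception record list
    PVOID   pvStackUserTop;                     // 04h Top of user stack
    PVOID   pvStackUserBase;                    // 08h Base of user stack

    union                       // 0Ch (NT/Win95 differences)
    {
        struct  // Win95 fields
        {
            WORD    pvTDB;          // 0Ch TDB
            WORD    pvThunkSS;      // 0Eh SS selector used for thunking to 16 bits
            DWORD   unknown1;       // 10h
        } WIN95;

        struct  // WinNT fields
        {
            PVOID   SubSystemTib;   // 0Ch
            ULONG   FiberData;      // 10h
        } WINNT;
    } TIB_UNION1;

    PVOID   pvArbitrary;        // 14h Available for application use
    struct _TIB *ptibSelf;      // 18h Linear address of TIB structure
                                //     (tag corrected: the listing said `struct _tib`, a
                                //     tag that is never defined, so ptibSelf could not
                                //     be dereferenced; size and offset are unchanged)

    union                       // 1Ch (NT/Win95 differences)
    {
        struct  // Win95 fields
        {
            WORD    TIBFlags;           // 1Ch
            WORD    Win16MutexCount;    // 1Eh
            DWORD   DebugContext;       // 20h
            DWORD   pCurrentPriority;   // 24h
            DWORD   pvQueue;            // 28h Message Queue selector
        } WIN95;

        struct  // WinNT fields
        {
            DWORD   unknown1;           // 1Ch
            DWORD   processID;          // 20h
            DWORD   threadID;           // 24h
            DWORD   unknown2;           // 28h
        } WINNT;
    } TIB_UNION2;

    PVOID  *pvTLSArray;         // 2Ch Thread Local Storage array

    union                       // 30h (NT/Win95 differences)
    {
        struct  // Win95 fields
        {
            PVOID  *pProcess;           // 30h Pointer to owning process database
        } WIN95;
        // no WinNT view of this offset is given in the original listing
    } TIB_UNION3;
} TIB, *PTIB;

#pragma pack(pop)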

--
Leif

 Love, Peace, Understanding
            And
    Freedom To Every One



Thu, 14 Feb 2002 03:00:00 GMT  
 


 

 