When debugging in ring 3 (R3) you constantly run into sequences like this:

    mov eax, fs:[18h]     ; TEB: fs:[18h] holds the TEB's own linear address (NtTib.Self)
    mov eax, [eax+30h]    ; PEB: TEB+0x30 is ProcessEnvironmentBlock

The FS segment points at two of the most important system structures, one in user mode (R3) and one in kernel mode (R0):

Ring3: fs --> TEB (Thread Environment Block), the "thread environment block"; for the first thread of a 32-bit process it typically sits at 7FFDE000.
Ring0: fs --> KPCR (Kernel Processor Control Region), the "kernel processor control region"; on 32-bit Windows the KPCR of processor 0 sits at FFDFF000.

In ring 3, fs is most often used to find the base address of kernel32.dll (TEB -> PEB -> PEB.Ldr -> loaded-module list) or to reach other information about the current thread and process (TLS, the last error value, SEH chain, process and thread IDs).

Two caveats before trusting the offsets below. First, they are 32-bit x86 offsets only: on x64 user-mode code reaches the TEB through gs instead (gs:[30h] is Self, gs:[60h] is the PEB pointer). Second, everything from 0x38 onward is undocumented and version-specific; this listing matches the Windows 2000 layout (on XP, for example, 0x44 is User32Reserved rather than Win32ClientInfo). The NT_TIB part (0x00-0x1C), the client IDs, the TLS pointer at 0x2C, the PEB pointer at 0x30 and LastErrorValue at 0x34 are stable across 32-bit versions.

Reference listing (the Win9x/NT column says on which platforms the TIB field exists):

FS:[0x00]  Win9x and NT  Current SEH frame (ExceptionList)
FS:[0x04]  Win9x and NT  Top of stack (StackBase)
FS:[0x08]  Win9x and NT  Current bottom of stack (StackLimit)
FS:[0x10]  NT            Fiber data
FS:[0x14]  Win9x and NT  Arbitrary data slot (ArbitraryUserPointer)
FS:[0x18]  Win9x and NT  Linear address of the TIB itself (Self); the TEB is also called the Thread Information Block, TIB
FS:[0x20]  NT            Process ID (ClientId.UniqueProcess)
FS:[0x24]  NT            Current thread ID (ClientId.UniqueThread)
FS:[0x2C]  Win9x and NT  Linear address of the thread local storage array
FS:[0x30]                Pointer to PEB
FS:[0x34]  NT            Current error number (LastErrorValue)
FS:[0x38]                CountOfOwnedCriticalSections
FS:[0x3C]                CsrClientThread
FS:[0x40]                Win32ThreadInfo
FS:[0x44]                Win32ClientInfo[0x1F]
FS:[0xC0]                WOW32Reserved
FS:[0xC4]                CurrentLocale
FS:[0xC8]                FpSoftwareStatusRegister
FS:[0xCC]                SystemReserved1[0x36]
FS:[0x1A4]               Spare1
FS:[0x1A8]               ExceptionCode
FS:[0x1AC]               SpareBytes1[0x28]
FS:[0x1D4]               SystemReserved2[0xA]
FS:[0x1FC]               GDI_TEB_BATCH
FS:[0x6DC]               gdiRgn
FS:[0x6E0]               gdiPen
FS:[0x6E4]               gdiBrush
FS:[0x6E8]               CLIENT_ID (RealClientId)
FS:[0x6F0]               GdiCachedProcessHandle
FS:[0x6F4]               GdiClientPID
FS:[0x6F8]               GdiClientTID
FS:[0x6FC]               GdiThreadLocalInfo
FS:[0x700]               UserReserved[5]
FS:[0x714]               glDispatchTable[0x118]
FS:[0xB74]               glReserved1[0x1A]
FS:[0xBDC]               glReserved2
FS:[0xBE0]               glSectionInfo
FS:[0xBE4]               glSection
FS:[0xBE8]               glTable
FS:[0xBEC]               glCurrentRC
FS:[0xBF0]               glContext
FS:[0xBF4]               NTSTATUS (LastStatusValue)
FS:[0xBF8]               StaticUnicodeString
FS:[0xC00]               StaticUnicodeBuffer[0x105]
FS:[0xE0C]               DeallocationStack
FS:[0xE10]               TlsSlots[0x40]
FS:[0xF10]               TlsLinks
FS:[0xF18]               Vdm
FS:[0xF1C]               ReservedForNtRpc
FS:[0xF20]               DbgSsReserved[0x2]
FS:[0xF28]               HardErrorDisabled
FS:[0xF2C]               Instrumentation[0x10]
FS:[0xF6C]               WinSockData
FS:[0xF70]               GdiBatchCount
FS:[0xF74]               Spare2
FS:[0xF78]               Spare3
FS:[0xF7C]               Spare4
FS:[0xF80]               ReservedForOle
FS:[0xF84]               WaitingOnLoaderLock
FS:[0xF88]               StackCommit
FS:[0xF8C]               StackCommitMax
FS:[0xF90]               StackReserve
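As an added example (not code from the original post), here is the TEB -> PEB -> Ldr walk that shellcode and position-independent loaders use to find the kernel32.dll base, written in C over a constructed 32-bit memory image so it runs anywhere. Only the TEB/PEB/PEB_LDR_DATA/LDR_DATA_TABLE_ENTRY offsets are real; the addresses, module bases, module names and the image layout are assumptions made up for the demonstration. On real 32-bit Windows the walk is the same, except that the TEB address comes from fs:[18h] (or the PEB straight from fs:[30h]) and rd32()/rd16() become plain pointer dereferences.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit Windows offsets used by the walk. The first two are from the FS table above; the
 * PEB / PEB_LDR_DATA / LDR_DATA_TABLE_ENTRY ones are the x86 layouts. Asm equivalent:
 *     mov eax, fs:[30h]      ; PEB
 *     mov eax, [eax+0Ch]     ; PEB.Ldr
 *     mov esi, [eax+0Ch]     ; Ldr.InLoadOrderModuleList.Flink = first LDR_DATA_TABLE_ENTRY
 *     ; compare BaseDllName at [esi+2Ch], take DllBase at [esi+18h], esi = [esi] for next */
#define TEB_SELF              0x18  /* TEB.NtTib.Self (fs:[18h]) */
#define TEB_PEB               0x30  /* TEB.ProcessEnvironmentBlock (fs:[30h]) */
#define PEB_LDR               0x0C  /* PEB.Ldr */
#define LDR_INLOADORDER_LIST  0x0C  /* PEB_LDR_DATA.InLoadOrderModuleList */
#define ENT_DLLBASE           0x18  /* LDR_DATA_TABLE_ENTRY.DllBase */
#define ENT_BASEDLLNAME       0x2C  /* LDR_DATA_TABLE_ENTRY.BaseDllName (UNICODE_STRING) */

/* Constructed flat image standing in for the slice of a 32-bit address space we touch.
 * The addresses are assumptions chosen to look like XP (TEB 7FFDE000, PEB 7FFDF000). */
#define IMG_BASE 0x7FFDE000u
#define IMG_SIZE 0x3000u
static uint8_t g_img[IMG_SIZE];

static uint32_t rd32(uint32_t va) { uint32_t v; memcpy(&v, g_img + (va - IMG_BASE), 4); return v; }
static uint16_t rd16(uint32_t va) { uint16_t v; memcpy(&v, g_img + (va - IMG_BASE), 2); return v; }
static void wr32(uint32_t va, uint32_t v) { memcpy(g_img + (va - IMG_BASE), &v, 4); }
static void wr16(uint32_t va, uint16_t v) { memcpy(g_img + (va - IMG_BASE), &v, 2); }

/* Compare a UNICODE_STRING {USHORT Length (bytes); USHORT MaximumLength; PWSTR Buffer} with an
 * ASCII name, case-insensitively: the loader records "KERNEL32.DLL" or "kernel32.dll"
 * depending on how the module was first referenced, so an exact compare misses in practice. */
static int base_name_is(uint32_t ustr_va, const char *want) {
    size_t n = strlen(want);
    if (rd16(ustr_va) != n * 2) return 0;            /* Length is in bytes, no terminator */
    uint32_t buf = rd32(ustr_va + 4);
    for (size_t i = 0; i < n; i++) {
        uint16_t wc = rd16(buf + 2 * i);
        if (wc > 0x7F || tolower(wc) != tolower((unsigned char)want[i])) return 0;
    }
    return 1;
}

/* TEB+30h -> PEB, PEB+0Ch -> Ldr, Ldr+0Ch -> InLoadOrderModuleList (a circular LIST_ENTRY).
 * Each Flink points at the next entry's InLoadOrderLinks, which is offset 0 of
 * LDR_DATA_TABLE_ENTRY, so the link address is the entry address. Returns DllBase or 0. */
uint32_t find_module_base(uint32_t teb_va, const char *dll_name) {
    uint32_t peb  = rd32(teb_va + TEB_PEB);
    uint32_t head = rd32(peb + PEB_LDR) + LDR_INLOADORDER_LIST;
    for (uint32_t e = rd32(head); e != head; e = rd32(e)) {   /* stop once we wrap to the head */
        if (base_name_is(e + ENT_BASEDLLNAME, dll_name))
            return rd32(e + ENT_DLLBASE);
    }
    return 0;
}

/* --- Constructed sample image (not a dump of a real process) --- */
static void put_entry(uint32_t ent, uint32_t prev, const char *name, uint32_t dll_base) {
    size_t n = strlen(name);
    uint32_t buf = ent + 0x80;                        /* name buffer placed after the entry */
    wr32(prev, ent); wr32(ent + 4, prev);             /* prev.Flink = ent; ent.Blink = prev */
    wr32(ent + ENT_DLLBASE, dll_base);
    wr16(ent + ENT_BASEDLLNAME, (uint16_t)(n * 2));          /* Length */
    wr16(ent + ENT_BASEDLLNAME + 2, (uint16_t)(n * 2 + 2));  /* MaximumLength */
    wr32(ent + ENT_BASEDLLNAME + 4, buf);             /* Buffer */
    for (size_t i = 0; i < n; i++) wr16(buf + 2 * i, (uint16_t)name[i]);  /* UTF-16LE */
}

/* Builds TEB, PEB, PEB_LDR_DATA and three module entries in real load order (EXE first,
 * then ntdll.dll, then kernel32.dll). Module bases are made up. Returns the TEB address. */
uint32_t build_sample_image(void) {
    const uint32_t teb = IMG_BASE, peb = IMG_BASE + 0x1000, ldr = IMG_BASE + 0x2000;
    const uint32_t head = ldr + LDR_INLOADORDER_LIST;
    memset(g_img, 0, sizeof g_img);
    wr32(teb + TEB_SELF, teb);
    wr32(teb + TEB_PEB, peb);
    wr32(peb + PEB_LDR, ldr);
    put_entry(ldr + 0x100, head,        "app.exe",      0x00400000u);
    put_entry(ldr + 0x200, ldr + 0x100, "ntdll.dll",    0x7C900000u);
    put_entry(ldr + 0x300, ldr + 0x200, "KERNEL32.DLL", 0x7C800000u);
    wr32(ldr + 0x300, head); wr32(head + 4, ldr + 0x300);   /* close the circular list */
    return teb;
}

int main(void) {
    uint32_t teb = build_sample_image();
    printf("kernel32.dll base: %08X\n", (unsigned)find_module_base(teb, "kernel32.dll"));
    printf("user32.dll   base: %08X\n", (unsigned)find_module_base(teb, "user32.dll")); /* 0 */
    return 0;
}
```

The loop terminates on `e != head` rather than on a NULL check because the module lists are circular: the last entry's Flink points back at the list head inside PEB_LDR_DATA, and code that dereferences the head as if it were an entry reads garbage (the head has no DllBase). Walking InLoadOrderModuleList is the simplest of the three lists because the links sit at offset 0 of the entry; if you walk InMemoryOrderModuleList instead (Ldr+0x14), subtract 8 from each link to get the entry.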