TEB/PEB Study note (2)
PEB/TEB document: x64 PEB and TEB Structure
PTR64 ThreadLocalStoragePointer; //0x0058
PTR64 Win32ThreadInfo; //0x0078
QWORD FastPebLock; //0x0038
QWORD TlsBitmap; //0x0078
DWORD TlsBitmapBits[2]; //0x0080
DWORD NumberOfProcessors; //0x00B8
ThreadLocalStoragePointer
You can find this member at the starting address of the PEB + 0x0058. The member is a pointer that points to ThreadLocalStorage, which stores the pointers to the thread data blocks. A thread data block is a memory block that stores the information of a thread, such as variables…
Dive into ThreadLocalStorage
What is ThreadLocalStorage
I think the ThreadLocalStorage is used to deal with the situation where more than two threads access the global variables at the same time.
All threads of a process share its virtual address space. The local variables of a function are unique to each thread that runs the function. However, the static and global variables are shared by all threads in the process. With thread local storage (TLS), you can provide unique data for each thread that the process can access using a global index. One thread allocates the index, which can be used by the other threads to retrieve the unique data associated with the index. These are the features of TLS.
How does it work in a process
When the threads are created, the system allocates an array of LPVOID values for TLS, which are initialized to zero. Before an index can be used, it must be allocated by one of the threads. Each thread stores its data for a TLS index in a TLS slot in the array. If the data associated with an index will fit in an LPVOID value, you can store the data directly in the TLS slot.
The following diagram illustrates how the TLS works.
The process has two threads, Thread 1 and Thread 2. It allocates two indexes for use with TLS, gdwTlsIndex1 and gdwTlsIndex2. Each thread allocates two memory blocks (one for each index) in which to store the data, and stores the pointers to these memory blocks in the corresponding TLS slots. To access the data associated with an index, the thread retrieves the pointer to the memory block from the TLS slot and stores it in the lpvData local variable.
Before the TLS is used, it must be declared in each thread. After being declared, each thread will have a copy of the TLS, which stores the pointers that point to the data copy of global and static data.
Win32ThreadInfo
Win32ThreadInfo points to a THREADINFO structure that stores information about the current thread.
OMG! The structure is stored in kernel mode, not user mode, so we cannot access it directly. Also, the details of THREADINFO are not published by Microsoft.
If you want more, you can follow the link: THREADINFO (geoffchappell.com)
FastPebLock
It is used to lock the process while a thread is accessing data in the process. This prevents the data in the process from being accessed by multiple threads at the same time.
TlsBitmap and TlsBitmapBits[2]
I think the two members are related to the raw data of the TLS of the process.
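A portable model of the index and slot mechanism from the TLS section above, added here as an example that is not part of the original note and is not Windows code. It treats the two DWORDs of TlsBitmapBits as a 64-bit record of which indexes are allocated and represents each thread as a struct holding its own slot array; all sim_* names are hypothetical, and rejecting unallocated indexes is a choice of this model.

```c
/* Added example: model of TLS index allocation plus per-thread slots.
   Portable C, no Windows headers; every sim_* name is hypothetical. */
#include <stdint.h>
#include <stddef.h>

#define SIM_TLS_SLOTS      64            /* 2 DWORDs of bitmap = 64 indexes */
#define SIM_OUT_OF_INDEXES 0xFFFFFFFFu   /* failure value, like TLS_OUT_OF_INDEXES */

/* Process-wide state: bit i set means index i has been allocated. */
static uint32_t sim_tls_bitmap_bits[2];

/* Stand-in for one thread: its own array of LPVOID-sized slots. */
typedef struct {
    void *slots[SIM_TLS_SLOTS];          /* zero-initialised at thread creation */
} sim_thread;

static int sim_in_use(uint32_t i) {
    return i < SIM_TLS_SLOTS &&
           ((sim_tls_bitmap_bits[i / 32] >> (i % 32)) & 1u);
}

/* One thread claims the lowest free index; the index is valid for all threads. */
uint32_t sim_tls_alloc(void) {
    for (uint32_t i = 0; i < SIM_TLS_SLOTS; i++) {
        if (!sim_in_use(i)) {
            sim_tls_bitmap_bits[i / 32] |= 1u << (i % 32);
            return i;
        }
    }
    return SIM_OUT_OF_INDEXES;           /* all 64 bits already set */
}

/* Store a value in this thread's slot. An index that was never allocated
   is rejected (a check made by this model). */
int sim_tls_set(sim_thread *t, uint32_t i, void *v) {
    if (!sim_in_use(i)) return 0;
    t->slots[i] = v;
    return 1;
}

/* Fetch this thread's value for an index; NULL if unset or unallocated. */
void *sim_tls_get(const sim_thread *t, uint32_t i) {
    return sim_in_use(i) ? t->slots[i] : NULL;
}
```

The same index returns a different pointer depending on which sim_thread is passed in, which is the two-thread, two-index situation the text walks through with gdwTlsIndex1 and gdwTlsIndex2.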
NumberOfProcessors
It indicates how many processors the current process uses.