Win32 Thread Information Block

出自: http://en.wikipedia.org/wiki/Win32_Thread_Information_Block

 

Win32 Thread Information Block

From Wikipedia, the free encyclopedia

Jump to: navigation, search

In computing, the Win32 Thread Information Block (TIB) is a data structure in Win32 on x86 that stores info about the currently running thread.

The TIB is officially undocumented for Windows 9x. The Windows NT series DDK includes a struct NT_TIB in winnt.h that documents the subsystem independent part. Wine includes declarations for the extended (subsystem-specific part of) TIB. Yet so many Win32 programs use undocumented fields that it is effectively a part of the API.

The TIB can be used to get a lot of information on the process without calling win32 API. Examples include emulating GetLastError(), GetVersion(). Through the pointer to the PEB one can obtain access to the import tables (IAT), process startup arguments, image name, etc.

[edit] Contents of the TIB

Position	Length	Windows Versions	Description
FS:[0x00]	4	Win9x and NT	Current Structured Exception Handling (SEH) frame
FS:[0x04]	4	Win9x and NT	Top of stack
FS:[0x08]	4	Win9x and NT	Current bottom of stack
FS:[0x10]	4	NT	Fiber data
FS:[0x14]	4	Win9x and NT	Arbitrary data slot
FS:[0x18]	4	Win9x and NT	Linear address of TIB
-	-	NT	End of NT subsystem independent part
FS:[0x1C]	4	NT	Environment Pointer
FS:[0x20]	4	NT	Process ID
FS:[0x24]	4	NT	Current thread ID
FS:[0x28]	4	NT	Active RPC Handle
FS:[0x2C]	4	Win9x and NT	Linear address of the thread-local storage array
FS:[0x30]	4	NT	Linear address of Process Environment Block (PEB)
FS:[0x34]	4	NT	Last error number
FS:[0x38]	4	NT	Count of owned critical sections
FS:[0x3C]	4	NT	Address of CSR Client Thread
FS:[0x40]	4	NT	Win32 Thread Information
FS:[0x44]	124	NT,Wine	Win32 client information (NT), user32 private data (Wine), 0x60 = LastError (Win95), 0x74 = LastError (WinME)
FS:[0xC0]	4	NT	Reserved for Wow32
FS:[0xC4]	4	NT	Current Locale
FS:[0xC8]	4	NT	FP Software Status Register
FS:[0xCC]	216	NT,Wine	Reserved for OS (NT), kernel32 private data (Wine)
FS:[0x1A4]	4	NT	Exception code
FS:[0x1A8]	18	NT	Activation context stack
FS:[0x1BC]	24	NT,Wine	Spare bytes (NT), ntdll private data (Wine)
FS:[0x1D4]	40	NT,Wine	Reserved for OS (NT), ntdll private data (Wine)
FS:[0x1FC]	1248	NT,Wine	GDI TEB Batch (OS), vm86 private data (Wine)
FS:[0x6DC]	4	NT	GDI Region
FS:[0x6E0]	4	NT	GDI Pen
FS:[0x6E4]	4	NT	GDI Brush
FS:[0x6E8]	4	NT	Real Process ID
FS:[0x6EC]	4	NT	Real Thread ID
FS:[0x6F0]	4	NT	GDI cached process handle
FS:[0x6F4]	4	NT	GDI client process ID (PID)
FS:[0x6F8]	4	NT	GDI client thread ID (TID)
FS:[0x6FC]	4	NT	GDI thread locale information
FS:[0x700]	20	NT	Reserved for user application
FS:[0x714]	1248	NT	Reserved for GL
FS:[0xBF4]	4	NT	Last Status Value
FS:[0xBF8]	214	NT	Reserved for advapi32
FS:[0xE0C]	4	NT	Pointer to deallocation stack
FS:[0xE10]	256	NT	TLS slots, 4 byte per slot
FS:[0xF10]	8	NT	TLS links (LIST_ENTRY structure)
FS:[0xF18]	4	NT	VDM
FS:[0xF1C]	4	NT	Reserved for RPC

[edit] Accessing the TIB

The TIB can be accessed as an offset of segment register FS.

It is common to not access TIB fields by offset from FS:[0], but rather first getting a the linear self-referencing pointer to the stored at FS:[0x18]. That pointer is used in means of pointer arithmetics or cast to a struct pointer.

Example in C inlined-assembly for 32-bit x86:

// gcc (AT&T-style inline assembly).
void *getTIB()
{
    void *pTib;
    __asm__("movl %%fs:0x18, %0" : "=r" (pTib) : : );
    return pTib;
}

// Microsoft C
void *getTib()
{
    void *pTib;
    __asm {
        mov EAX, FS:[18h]
        mov [pTib], EAX
    }
    return pTib;
}

[edit] External links

• Under The Hood - MSJ, May 1996
• - Wine HQ

This Microsoft Windows article is a stub. You can help by expanding it.

Retrieved from " http://en.wikipedia.org/wiki/Win32_Thread_Information_Block"

Categories: Microsoft Windows stubs | Microsoft application programming interfaces | Threads