Well, today while going through Iczelion's PE tut 2, detecting valid PEs,

he mentions that
We start by assuming the use of the fs register as nothing

I searched my instruction set and the coder's reference, even the net, but found nothing talking about a fs reg. I want to clarify what it is, or whether it is actually something different from the other regs, and what are some of its uses.

I never heard of a fs register when coding in 16-bit; even my asm step-by-step book doesn't mention it. It would be greatly appreciated if anyone could help me out with the purpose of this reg so I can better understand the PE format, for my general knowledge.
Posted on 2003-03-02 19:48:58 by Tweak
The 8088 had SS, CS, DS and ES. In the 386 Intel added FS and GS.
Posted on 2003-03-02 21:01:13 by mrgone
Tweak, have a look at this thread:
http://www.asmcommunity.net/board/index.php?topic=11081
There are also a couple of threads floating around that cover this topic.
Posted on 2003-03-03 03:15:39 by keyoke
keyoke, I was looking for info on the fs and gs registers, not TIB or TEB, unless they relate somehow, but reading the link led me to believe not.
Posted on 2003-03-03 21:08:41 by Tweak
http://www.intel.com/design/Pentium4/manuals/245470.htm

That is Volume #1. You probably want all 3 volumes. Your questions will be answered here.
Posted on 2003-03-03 23:39:39 by mrgone
hi,

keyoke, I was looking for info on the fs and gs registers, not TIB or TEB, unless they relate somehow, but reading the link led me to believe not.

Well, the FS register points to the TIB, so I thought that might help you. Don't know about GS.
Posted on 2003-03-04 03:23:47 by keyoke
Don't know about w9x, but under NT/2000/XP...

fs:[0] points to the KPCR structure (always mapped at address 0FFDFF000h).

; base address 0FFDFF000h

KPCR STRUCT                             ; sizeof = 54h

; Start of the architecturally defined section of the PCR. This section
; may be directly addressed by vendor/platform specific HAL code and will
; not change from version to version of NT.

    NtTib            NT_TIB    <>       ; 00h  TIB of the current thread (1Ch bytes)
    SelfPcr          PVOID     ?        ; 1Ch  PTR KPCR, flat address of this PCR
    Prcb             PKPRCB    ?        ; 20h  pointer to Prcb
    Irql             BYTE      ?        ; 24h  KIRQL
                     db 3 dup(?)        ; 25h  padding
    IRR              DWORD     ?        ; 28h
    IrrActive        DWORD     ?        ; 2Ch
    IDR              DWORD     ?        ; 30h
    Reserved2        DWORD     ?        ; 34h
    IDT              PVOID     ?        ; 38h  PTR KIDTENTRY
    GDT              PVOID     ?        ; 3Ch  PTR KGDTENTRY
    TSS              PVOID     ?        ; 40h  PTR KTSS
    MajorVersion     WORD      ?        ; 44h
    MinorVersion     WORD      ?        ; 46h
    SetMember        KAFFINITY ?        ; 48h
    StallScaleFactor DWORD     ?        ; 4Ch
    DebugActive      BYTE      ?        ; 50h
    Number           BYTE      ?        ; 51h
                     db 2 dup(?)        ; 52h  padding
KPCR ENDS
PKPCR typedef PTR KPCR



fs:[120] points to the KPRCB structure (always mapped at address 0FFDFF120h).

; base address 0FFDFF120h

KPRCB STRUCT                            ; sizeof = 1Ch

; Major and minor version numbers of the PCR.

    MinorVersion     WORD      ?        ; 00h
    MajorVersion     WORD      ?        ; 02h

; Start of the architecturally defined section of the PRCB. This section
; may be directly addressed by vendor/platform specific HAL code and will
; not change from version to version of NT.

    CurrentThread    PVOID     ?        ; 04h  PTR KTHREAD
    NextThread       PVOID     ?        ; 08h  PTR KTHREAD
    IdleThread       PVOID     ?        ; 0Ch  PTR KTHREAD
    Number           CHAR      ?        ; 10h
    Reserved         CHAR      ?        ; 11h
    BuildType        WORD      ?        ; 12h
    SetMember        KAFFINITY ?        ; 14h
    RestartBlock     PVOID     ?        ; 18h  PTR RESTART_BLOCK
KPRCB ENDS
PKPRCB typedef PTR KPRCB


Both structures are defined in the DDK headers.
Posted on 2003-03-04 03:44:58 by Four-F
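A way to check the offsets Four-F lists, added here as an example rather than anything from the thread or the DDK: the KPCR with its embedded NT_TIB modelled in C with fixed 32-bit fields, so that offsetof reproduces the comment column on any host. The NT_TIB field names are taken from winnt.h and are not on the page; PTR32 and KPCR32 are names chosen for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* 32-bit NT layout modelled with fixed-width integers so that the offsets hold
 * on any host, including 64-bit builds. Constructed for this example. */
typedef uint32_t PTR32;             /* a 32-bit flat pointer */

typedef struct NT_TIB32 {           /* 1Ch bytes; field names from winnt.h */
    PTR32 ExceptionList;            /* 00h  fs:[0] in user mode: SEH chain head */
    PTR32 StackBase;                /* 04h */
    PTR32 StackLimit;               /* 08h */
    PTR32 SubSystemTib;             /* 0Ch */
    PTR32 FiberData;                /* 10h  (a union with Version in winnt.h) */
    PTR32 ArbitraryUserPointer;     /* 14h */
    PTR32 Self;                     /* 18h  flat address of this TIB */
} NT_TIB32;

typedef struct KPCR32 {             /* 54h bytes, matching the post's comments */
    NT_TIB32 NtTib;                 /* 00h */
    PTR32    SelfPcr;               /* 1Ch */
    PTR32    Prcb;                  /* 20h */
    uint8_t  Irql;                  /* 24h */
    uint8_t  pad0[3];               /* 25h */
    uint32_t IRR;                   /* 28h */
    uint32_t IrrActive;             /* 2Ch */
    uint32_t IDR;                   /* 30h */
    uint32_t Reserved2;             /* 34h */
    PTR32    IDT;                   /* 38h */
    PTR32    GDT;                   /* 3Ch */
    PTR32    TSS;                   /* 40h */
    uint16_t MajorVersion;          /* 44h */
    uint16_t MinorVersion;          /* 46h */
    uint32_t SetMember;             /* 48h  KAFFINITY is 32 bits on x86 */
    uint32_t StallScaleFactor;      /* 4Ch */
    uint8_t  DebugActive;           /* 50h */
    uint8_t  Number;                /* 51h */
    uint8_t  pad1[2];               /* 52h */
} KPCR32;

/* Returns 1 if the compiled layout reproduces every offset the post lists. */
int kpcr_layout_ok(void)
{
    return sizeof(NT_TIB32) == 0x1C && sizeof(KPCR32) == 0x54
        && offsetof(KPCR32, SelfPcr) == 0x1C && offsetof(KPCR32, Prcb) == 0x20
        && offsetof(KPCR32, Irql) == 0x24 && offsetof(KPCR32, IRR) == 0x28
        && offsetof(KPCR32, IDT) == 0x38 && offsetof(KPCR32, MajorVersion) == 0x44
        && offsetof(KPCR32, SetMember) == 0x48 && offsetof(KPCR32, Number) == 0x51;
}
```

The same approach applied to a real DDK header catches the mismatch quickly if a structure is compiled with the wrong pointer width.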