1. Are all PE files and kernel mode driver programs (*.sys under the system32 directory) in the flat memory model?

2. Are FS and GS really of no use when we write Win32 programs? I wanted to find out, so I selected some small programs and disassembled them, and I found that FS was used! Why? What is the use of these two strange registers?
You can disassemble calc.exe and you will find the FS register is used at the beginning of the program!
Posted on 2002-04-14 12:10:43 by Arthur_Chen
NT drivers (.sys drivers, called KMD, which are PE files) are flat.
VXDs can contain both 16 and 32bit code.

Afaik, GS is unused, but FS is used for a bunch of stuff, where the
most well-known is SEH (Structured Exception Handling).
Posted on 2002-04-14 12:43:45 by f0dder

FS points to the TIB (Thread Info Block):

ExceptionList         [FS:0]
StackBase             [FS:4]
StackLimit            [FS:8]
SubSystemTib          [FS:12]
FiberDataOrVersion    [FS:16]
ArbitraryUserPointer  [FS:20]
Self                  [FS:24]

The first is used for Structured Exception Handling, as f0dder already told you.

The 2nd and 3rd are used by Windows to kill your program if ESP is out of those limits. I very happily set them to 0 and to HEX 7FFFFFFF.

The following 3.. not much I can tell you.

The last is a flat pointer to where FS points.
Posted on 2002-04-14 17:14:48 by Maverick
Also you should know that only part of the TIB is constant between
9x and NT (can't remember how much), and it is even named differently
iirc :) (TEB vs. TIB I think)
Posted on 2002-04-14 17:28:22 by f0dder
Interesting.. does anybody have the complete info, please?

In my direct experience though the first 3 entries (the only ones I have a use for, currently) work on both 9x and 2000/XP.
Posted on 2002-04-14 17:51:44 by Maverick
Yes, the SEH-related entries are the same (might be some difference
in how values are handled perhaps, but if you put sane values
that shouldn't matter :P). I saw an article on TEB/TIB, prolly MSDN,
prolly by Matt Pietrek, but can't really remember the details.
Posted on 2002-04-14 17:56:50 by f0dder
Is it true that SEH is no longer used since XP?
Posted on 2002-04-14 19:03:19 by cmax
I very much doubt that as it would break a bunch of apps... but I think
I heard something about some new exception handling type in XP.
Posted on 2002-04-14 19:08:29 by f0dder
I found some nice articles about this topic in the "Under the hood" section at microsoft.

Among others, this struct definition:

#include <windows.h>   // WORD, DWORD, ULONG, PVOID, PEXCEPTION_REGISTRATION_RECORD

typedef struct _TIB
{
    PEXCEPTION_REGISTRATION_RECORD pvExcept; // 00h Head of exception record list
    PVOID   pvStackUserTop;         // 04h Top of user stack
    PVOID   pvStackUserBase;        // 08h Base of user stack

    union                           // 0Ch (NT/Win95 differences)
    {
        struct                      // Win95 fields
        {
            WORD    pvTDB;          // 0Ch TDB
            WORD    pvThunkSS;      // 0Eh SS selector used for thunking to 16 bits
            DWORD   unknown1;       // 10h
        } WIN95;

        struct                      // WinNT fields
        {
            PVOID   SubSystemTib;   // 0Ch
            ULONG   FiberData;      // 10h
        } WINNT;
    } TIB_UNION1;

    PVOID   pvArbitrary;            // 14h Available for application use
    struct _TIB *ptibSelf;          // 18h Linear address of this TIB structure (tag matches the typedef)

    union                           // 1Ch (NT/Win95 differences)
    {
        struct                      // Win95 fields
        {
            WORD    TIBFlags;       // 1Ch
            WORD    Win16MutexCount;// 1Eh
            DWORD   DebugContext;   // 20h
            DWORD   pCurrentPriority;// 24h
            DWORD   pvQueue;        // 28h Message Queue selector
        } WIN95;

        struct                      // WinNT fields
        {
            DWORD   unknown1;       // 1Ch
            DWORD   processID;      // 20h
            DWORD   threadID;       // 24h
            DWORD   unknown2;       // 28h
        } WINNT;
    } TIB_UNION2;

    PVOID*  pvTLSArray;             // 2Ch Thread Local Storage array

    union                           // 30h (NT/Win95 differences)
    {
        struct                      // Win95 fields
        {
            PVOID*  pProcess;       // 30h Pointer to owning process database
        } WIN95;
    } TIB_UNION3;

} TIB, *PTIB;

Posted on 2002-04-15 13:11:36 by beaster
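To make the layout concrete, here is an added Python example (not from this thread or from the "Under the Hood" article) that decodes the NT-layout fields Maverick and beaster list from a constructed memory image, checks that Self (FS:[18h]) points back to the TIB, walks the ExceptionList chain from FS:[0] the way a debugger would, and applies the ESP-within-[StackLimit, StackBase) check. The TIB address, stack bounds, IDs and handler addresses are made-up sample values.

```python
import struct

TIB_BASE = 0x7FFDE000   # constructed linear address for the sample TIB (not a real dump)
SEH_END = 0xFFFFFFFF    # end-of-chain marker in the ExceptionList linked list

# NT-layout offsets from the struct above (FS:[n] in the thread's notation)
TIB_FIELDS = {"ExceptionList": 0x00, "StackBase": 0x04, "StackLimit": 0x08,
              "SubSystemTib": 0x0C, "FiberData": 0x10, "ArbitraryUserPointer": 0x14,
              "Self": 0x18, "ProcessId": 0x20, "ThreadId": 0x24, "TlsArray": 0x2C}

def read_dword(image, base, addr):
    """Read a little-endian DWORD at linear address addr from an image loaded at base."""
    off = addr - base
    if off < 0 or off + 4 > len(image):
        raise ValueError(f"address {addr:#010x} is outside the image")
    return struct.unpack_from("<I", image, off)[0]

def parse_tib(image, base):
    """Decode the TIB fields by offset and check that Self (FS:[24]) points back to it."""
    tib = {name: read_dword(image, base, base + off) for name, off in TIB_FIELDS.items()}
    if tib["Self"] != base:
        raise ValueError("Self pointer does not match the TIB base address")
    return tib

def walk_seh_chain(image, base, head, limit=32):
    """Follow Next pointers from FS:[0]; each record is {Next, Handler}. Returns handlers."""
    handlers, node, seen = [], head, set()
    while node != SEH_END:
        if node in seen or len(handlers) >= limit:
            raise ValueError("SEH chain loops or exceeds the expected length")
        seen.add(node)
        handlers.append(read_dword(image, base, node + 4))   # Handler at +4
        node = read_dword(image, base, node)                 # Next at +0
    return handlers

def esp_in_stack(tib, esp):
    """The check the thread mentions: ESP must lie within [StackLimit, StackBase)."""
    return tib["StackLimit"] <= esp < tib["StackBase"]

def build_sample_image(base):
    """Constructed 0x50-byte image: a TIB at base, two registration records at +0x40/+0x48."""
    rec1, rec2 = base + 0x40, base + 0x48     # real records live on the thread's stack
    tib = struct.pack("<12I", rec1, 0x00130000, 0x0012C000,  # ExceptionList, StackBase, StackLimit
                      0, 0x1E00, 0, base,                    # SubSystemTib, FiberData, Arbitrary, Self
                      0, 0x0BC4, 0x0BC8, 0, 0x7FFDF000)      # unknown, PID, TID, unknown, TlsArray
    # rec1 -> rec2 -> end of chain; the handler addresses are made-up sample values
    records = struct.pack("<4I", rec2, 0x00401230, SEH_END, 0x77E8D2A0)
    return tib + b"\0" * (0x40 - len(tib)) + records
```

Calling parse_tib and walk_seh_chain on build_sample_image(TIB_BASE) yields the two handler addresses in chain order; a loop or an out-of-image pointer raises instead of being followed.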
Hi beaster, thanks for the info. :)
Posted on 2002-04-15 16:59:22 by Maverick