The TEB on 32-bit Windows is located at fs:[0x0018]. What exactly is found in those 24 bytes between fs:0 and fs:0x18? (Yes, I know this undocumented and subject to change, but it'd be interesting to know...)
Asked
Active
Viewed 4,089 times
3
-
You can find some info on [Wikipedia](http://en.wikipedia.org/wiki/Win32_Thread_Information_Block#Contents_of_the_TIB_.2832-bit_Windows.29) – ST3 Oct 08 '14 at 13:41
1 Answers
3
It is start of Thread Information Block at FS:[0]. The very first field of this structure is Current Structured Exception Handling (SEH) frame.
Thus, at FS:[0] is the pointer to ExceptionList
It is pointer to Exception Callback Functions linked list head.
BTW it is pretty documented and everything from FS:[0] to FS:[0x1C] (excluding) is not part of change, it is very basic structure, MS would not change it in NT OSes.
Andrey
- 59,039
- 12
- 119
- 163
-
Ah - so the TEB is contained with (or located immediately after, anyway) the TIB then. – bdonlan Jan 11 '11 at 12:51