
Example A:

```asm
mov eax, dword ptr fs:[30h]   ; TEB+30h holds the pointer to the PEB
mov ebx, byte ptr [eax+2]     ; PEB+2 = BeingDebugged (byte ptr into a 32-bit register is an operand-size mismatch as written)
test ebx, ebx
jz NoDebuggerDetected
```

Example B:

```asm
mov eax, large fs:30h              ; same load as above: memory operand at fs:[30h], eax = PEB pointer
mov eax, dword ptr [eax+18h]       ; PEB+18h = ProcessHeap
cmp dword ptr ds:[eax+10h], 0      ; heap+10h = ForceFlags, non-zero under a debugger
jne DebuggerDetected
```

According to the book (Practical Malware Analysis), both are supposed to access the fs segment and check a value within the PEB, but in the second example `mov eax, large fs:30h` is not dereferencing fs:30h, so why is this considered valid?

fs:30h stores the pointer to the PEB, so doing [eax+18h] would result in dereferencing fs + 48h, which wouldn't dereference the PEB and would be invalid?

Is my logic somehow wrong, or does `mov eax, large fs:30h` result in an implicit dereference?

-Thanks

Caiman
  • I assume this is IDA/IDA Pro related, but `mov eax, large fs:30h` is the same as `mov eax, large fs:[30h]`. The fact the brackets don't appear doesn't mean anything. That is similar to MASM, which makes `[]` optional in many cases. I'm just guessing since I don't personally use the debuggers in question. – Michael Petch Mar 01 '20 at 21:11
  • I'm a bit surprised this would work `mov ebx, byte ptr [eax+2]` since that is moving a byte to a 32-bit register. I would have expected DWORD PTR. – Michael Petch Mar 01 '20 at 21:16
  • Maybe a duplicate of [Confusing brackets in MASM32](https://stackoverflow.com/q/25129743) (which uses MASM syntax, like this disassembly), although that doesn't mention the `large` keyword; IDK what that means. x86 machine code doesn't have any different way of encoding a 32-bit absolute address. (Although `mov` to EAX has 2 forms: ModRM encoding vs. `moffs32` absolute address without ModRM). But anyway, I'm sure it's just a 32-bit load into EAX from the address `fs:30h`. The presence of a segment register and `:` means it's a memory operand, not an immediate or just an Sreg. – Peter Cordes Mar 01 '20 at 22:37
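The point of the comments above can be checked by stepping through both listings against a model of the address space. The following is an added example, not code from the question, the book or the comments: a small Python model of 32-bit x86 loads in which `fs:30h` is treated as the memory operand it is. The PEB/TEB field offsets (TEB+30h, PEB+02h, PEB+18h, heap+10h) are the real Win32 layout the listings rely on; the fs base, PEB and heap addresses, and the non-zero ForceFlags sample value, are constructed for the demonstration. `example_b_misread` follows the question's reading (fs:30h taken as the immediate 0x30) to show where that would actually read from.

```python
import struct

# Real Win32 layout offsets used by the listings; everything else below is a
# constructed stand-in for the contents of a process.
TEB_PEB_PTR        = 0x30   # TEB+0x30: pointer to the PEB (what fs:30h reads)
PEB_BEING_DEBUGGED = 0x02   # PEB+0x02: BeingDebugged byte
PEB_PROCESS_HEAP   = 0x18   # PEB+0x18: ProcessHeap pointer
HEAP_FORCE_FLAGS   = 0x10   # heap+0x10: ForceFlags, the offset the book's listing uses

# Constructed addresses for the model (not from any real process):
FS_BASE = 0x7FFDF000        # linear base of the fs segment, i.e. the TEB
PEB     = 0x7FFDE000
HEAP    = 0x00150000


def make_memory(debugged=False):
    """Build a sparse byte-addressable memory image of a fake 32-bit process."""
    mem = {}

    def write32(addr, value):
        for i, b in enumerate(struct.pack("<I", value)):
            mem[addr + i] = b

    write32(FS_BASE + TEB_PEB_PTR, PEB)                 # TEB -> PEB
    mem[PEB + PEB_BEING_DEBUGGED] = 1 if debugged else 0
    write32(PEB + PEB_PROCESS_HEAP, HEAP)               # PEB -> default heap
    # Constructed non-zero sample for the debugged case; the listing only tests != 0.
    write32(HEAP + HEAP_FORCE_FLAGS, 0x40000060 if debugged else 0)
    return mem


def load32(mem, addr):
    """dword ptr [addr]; unmapped bytes read as zero in this model."""
    return struct.unpack("<I", bytes(mem.get(addr + i, 0) for i in range(4)))[0]


def load8(mem, addr):
    """byte ptr [addr]."""
    return mem.get(addr, 0)


def example_a(mem):
    """Example A as the CPU executes it: fs:[30h] is TEB+0x30, a memory load."""
    eax = load32(mem, FS_BASE + TEB_PEB_PTR)    # mov eax, dword ptr fs:[30h] -> PEB pointer
    ebx = load8(mem, eax + PEB_BEING_DEBUGGED)  # movzx ebx, byte ptr [eax+2] (intended form)
    return {"eax": eax, "debugger_detected": ebx != 0}


def example_b(mem):
    """Example B as the CPU executes it: `large fs:30h` is the same memory operand."""
    peb = load32(mem, FS_BASE + TEB_PEB_PTR)    # mov eax, large fs:30h -> PEB pointer
    heap = load32(mem, peb + PEB_PROCESS_HEAP)  # mov eax, dword ptr [eax+18h] -> ProcessHeap
    force_flags = load32(mem, heap + HEAP_FORCE_FLAGS)  # cmp dword ptr ds:[eax+10h], 0
    return {"peb": peb, "heap": heap, "force_flags": force_flags,
            "debugger_detected": force_flags != 0}


def example_b_misread(mem):
    """The reading the question worries about: fs:30h taken as the immediate 0x30."""
    eax = 0x30                                  # no load, eax is just the number 0x30
    addr = eax + PEB_PROCESS_HEAP               # [eax+18h] = linear 0x48 (flat ds, base 0)
    return {"eax": eax, "address_read": addr, "mapped": addr in mem}


if __name__ == "__main__":
    for debugged in (False, True):
        mem = make_memory(debugged)
        print("debugged=%s A=%s B=%s" % (debugged, example_a(mem), example_b(mem)))
    print("misread:", example_b_misread(make_memory()))
```

Run under the model, both listings reach the same PEB pointer from `fs:30h`, and the `[eax+18h]` in Example B lands on PEB+0x18 (the heap pointer), not on fs+0x48. The misread variant ends up reading linear address 0x48, which is unmapped here and would fault in a real process, which is exactly why the `large fs:30h` form has to be a load.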

0 Answers