
Is it possible to find the RAX value from the following instruction (using static analysis only)

MOV RAX, qword ptr FS:[0x28]

without executing the program in gdb or any other compiler? I am using Ghidra to perform static analysis in my Windows VM.

  • `FS` points to the [TIB](https://en.wikipedia.org/wiki/Win32_Thread_Information_Block) on Windows. Offset 0x28 seems to be "Active RPC Handle", whatever that means. In short, likely no. – Jester Sep 28 '21 at 14:47
  • If that's from a Linux executable, that's where GCC/clang keep the stack cookie for `-fstack-protector-strong`. It's initialized with a random number on process / thread startup; finding the value from outside the program would defeat the stack protector, so they take care to avoid a predictable seed or number. – Peter Cordes Sep 28 '21 at 15:17
  • See also https://stackoverflow.com/questions/14414763/what-does-the-mov-rax-qword-ptr-fs0x28-assembly-instruction-do?lq=1 – fpmurphy Sep 28 '21 at 15:24
  • Even the base address of the `FS` (thread local storage [Linux] / TIB [Windows]) segment cannot be found statically, as the kernel chooses a different address on every run. – fuz Sep 28 '21 at 15:48
  • I don't think it is Windows. `FS` is for 32-bit programs, and `FS:[0x28]` is a 32-bit TEB field, and this is a 64-bit instruction. – Alex Guteniev Sep 28 '21 at 15:55
  • That is a good point. "Windows VM" was slightly misleading. – Jester Sep 28 '21 at 16:58
  • Near duplicate of [Why does this memory address %fs:0x28 ( fs\[0x28\] ) have a random value?](https://stackoverflow.com/q/10325713) - it's randomized on startup. – Peter Cordes May 24 '22 at 15:52
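The following program is an added example and is not code from the question or from any of the commenters. It shows concretely why the comments answer "no" for a Linux binary: on x86-64 Linux, glibc (and musl) fill the thread control block slot at `fs:0x28` at process startup from the 16 random bytes the kernel passes in the `AT_RANDOM` auxiliary vector entry, copying the first 8 bytes and clearing the low byte so that a terminating NUL stops C string functions from reading or writing past the canary. The binary only contains the load instruction; the loaded value is created anew by the kernel for each execution. The program reads the slot with the same instruction GCC emits in a protected prologue and recomputes it from `getauxval(AT_RANDOM)`. It assumes x86-64 Linux with glibc or musl; on any other target its functions return 0 / -1 instead of compiling inline assembly.

```c
// Added example (not from the question or its comments): on x86-64 Linux the
// stack-protector guard at fs:0x28 is derived at run time from the kernel's
// AT_RANDOM bytes, so no static pass over the binary can recover it.
// Assumption: x86-64 Linux with glibc or musl; other targets report 0 / -1.
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) && defined(__linux__)
#include <sys/auxv.h>
#endif

/* Read the guard exactly the way a stack-protected function prologue does:
   the AT&T form of Ghidra's "MOV RAX, qword ptr FS:[0x28]". */
uint64_t read_fs_canary(void) {
#if defined(__x86_64__) && defined(__linux__)
    uint64_t v;
    __asm__ volatile ("mov %%fs:0x28, %0" : "=r"(v));
    return v;
#else
    return 0;
#endif
}

/* Recompute the guard from the kernel-provided entropy: the C library copies
   the first 8 bytes of AT_RANDOM and clears the lowest byte (little-endian,
   so that byte is rnd[0]), making the canary start with a NUL in memory. */
uint64_t canary_from_auxv(void) {
#if defined(__x86_64__) && defined(__linux__)
    const unsigned char *rnd = (const unsigned char *)getauxval(AT_RANDOM);
    if (rnd == NULL)
        return 0;
    uint64_t v;
    memcpy(&v, rnd, sizeof v);
    return v & ~(uint64_t)0xff;
#else
    return 0;
#endif
}

/* 1 if the live guard equals the value derived from AT_RANDOM, 0 if it does
   not, -1 when the build target is not x86-64 Linux. */
int canary_matches_auxv(void) {
#if defined(__x86_64__) && defined(__linux__)
    return read_fs_canary() == canary_from_auxv() ? 1 : 0;
#else
    return -1;
#endif
}

int main(void) {
    printf("fs:0x28        = 0x%016llx\n", (unsigned long long)read_fs_canary());
    printf("from AT_RANDOM = 0x%016llx\n", (unsigned long long)canary_from_auxv());
    printf("match          = %d\n", canary_matches_auxv());
    return 0;
}
```

Build with `cc canary.c -o canary` and run it twice: the two lines agree within one run and the value differs between runs, which is the property the stack protector relies on. No `-fstack-protector` flag is needed to read the slot, because the C library initializes it for every thread regardless of whether the program's own functions were compiled with protection.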

0 Answers