Win32 Thread Information Block

Last updated December 09, 2024

The Thread Information Block (TIB) or Thread Environment Block (TEB) is a data structure in Win32 on x86 that stores information about the currently running thread. It descended from, and is backward-compatible on 32-bit systems with, a similar structure in OS/2.^[1]

The TIB is officially undocumented for Windows 9x. The Windows NT series DDK (as well as the MinGW/ReactOS implementation) includes a struct NT_TIB in winnt.h that documents the subsystem independent part. Even before TIB was effectively documented, many applications have already started using its fields that they are effectively a part of the API. The first field containing the SEH frame, in particular, is directly referenced by the code produced by Microsoft's own compiler.^[1] The Win32 subsystem-specific part of the TEB is undocumented, but Wine includes a TEB definition in winternl.h.^[2]

The TIB can be used to get a lot of information on the process without calling Win32 API. Examples include emulating GetLastError(), GetVersion(). Through the pointer to the PEB one can obtain access to the import tables (IAT), process startup arguments, image name, etc. It is accessed from the FS segment register on 32-bit Windows and GS on 64-bit Windows.

Contents of the TIB on Windows

This table is based on Wine's work on Microsoft Windows internals.^[2]

Bytes/ Type	offset (32-bit, FS)	offset (64-bit, GS)	Windows Versions	Description
pointer	FS:[0x00]	GS:[0x00]	Win9x and NT	Current Structured Exception Handling (SEH) frame Note: the 64-bit version of Windows uses stack unwinding done in kernel mode instead.
pointer	FS:[0x04]	GS:[0x08]	Win9x and NT	Stack Base / Bottom of stack (high address)
pointer	FS:[0x08]	GS:[0x10]	Win9x and NT	Stack Limit / Ceiling of stack (low address)
pointer	FS:[0x0C]	GS:[0x18]	NT	`SubSystemTib`
pointer	FS:[0x10]	GS:[0x20]	NT	Fiber data
pointer	FS:[0x14]	GS:[0x28]	Win9x and NT	Arbitrary data slot
pointer	FS:[0x18]	GS:[0x30]	Win9x and NT	Linear address of TEB
End of NT subsystem independent part; below are Win32-dependent
pointer	FS:[0x1C]	GS:[0x38]	NT	Environment Pointer
pointer	FS:[0x20]	GS:[0x40]	NT	Process ID (in some Windows distributions this field is used as `DebugContext`)
pointer	FS:[0x24]	GS:[0x48]	NT	Current thread ID
pointer	FS:[0x28]	GS:[0x50]	NT	Active RPC Handle
pointer	FS:[0x2C]	GS:[0x58]	Win9x and NT	Linear address of the thread-local storage array
pointer	FS:[0x30]	GS:[0x60]	NT	Linear address of Process Environment Block (PEB)
4	FS:[0x34]	GS:[0x68]	NT	Last error number
4	FS:[0x38]	GS:[0x6C]	NT	Count of owned critical sections
pointer	FS:[0x3C]	GS:[0x70]	NT	Address of CSR Client Thread
pointer	FS:[0x40]	GS:[0x78]	NT	Win32 Thread Information
124	FS:[0x44]	GS:[0x80]	NT, Wine	Win32 client information (NT), user32 private data (Wine), 0x60 = LastError (Win95&98), 0x74 = LastError (WinME)
pointer	FS:[0xC0]	GS:[0x100]	NT	Reserved for Wow64. Contains a pointer to `FastSysCall` in Wow64.
4	FS:[0xC4]	GS:[0x108]	NT	Current Locale
4	FS:[0xC8]	GS:[0x10C]	NT	FP Software Status Register
216	FS:[0xCC]	GS:[0x110]	NT, Wine	Reserved for OS (NT), kernel32 private data (Wine) herein: FS:[0x124] 4 NT Pointer to `KTHREAD` (`ETHREAD`) structure
4	FS:[0x1A4]	GS:[0x2C0]	NT	Exception code
18	FS:[0x1A8]	GS:[0x2C8]	NT	Activation context stack
24	FS:[0x1BC]	GS:[0x2E8]	NT, Wine	Spare bytes (NT), ntdll private data (Wine)
40	FS:[0x1D4]	GS:[0x300]	NT, Wine	Reserved for OS (NT), ntdll private data (Wine)
1248	FS:[0x1FC]	GS:[0x350]	NT, Wine	GDI TEB Batch (OS), vm86 private data (Wine)
4	FS:[0x6DC]	GS:[0x838]	NT	GDI Region
4	FS:[0x6E0]	GS:[0x840]	NT	GDI Pen
4	FS:[0x6E4]	GS:[0x848]	NT	GDI Brush
4	FS:[0x6E8]	GS:[0x850]	NT	Real Process ID
4	FS:[0x6EC]	GS:[0x858]	NT	Real Thread ID
4	FS:[0x6F0]	GS:[0x860]	NT	GDI cached process handle
4	FS:[0x6F4]	GS:[0x868]	NT	GDI client process ID (PID)
4	FS:[0x6F8]	GS:[0x86C]	NT	GDI client thread ID (TID)
4	FS:[0x6FC]	GS:[0x870]	NT	GDI thread locale information
20	FS:[0x700]	GS:[0x878]	NT	Reserved for user application
1248	FS:[0x714]	GS:[0x890]	NT	Reserved for GL (See wine ref for internals)^[2]
4	FS:[0xBF4]	GS:[0x1250]	NT	Last Status Value
532	FS:[0xBF8]	GS:[0x1258]	NT	Static `UNICODE_STRING` buffer
pointer	FS:[0xE0C]	GS:[0x1478]	NT	Also known as `DeallocationStack`, it establishes the real start address of the stack buffer, hence the real stack limit: it is a few pages less than the stack limit field (which hides the guard pages used to detect stack overflows).
pointer[]	FS:[0xE10]	GS:[0x1480]	NT	TLS slots, 4/8 bytes per slot, 64 slots
8	FS:[0xF10]	GS:[0x1680]	NT	TLS links (`LIST_ENTRY` structure)
4	FS:[0xF18]	GS:[0x1690]	NT	VDM
4	FS:[0xF1C]	GS:[0x1698]	NT	Reserved for RPC
4	FS:[0xF28]	GS:[0x16B0]	NT	Thread error mode (`RtlSetThreadErrorMode`)
4	FS:[0xF78]	GS:[0x1748]	NT	Guaranteed stack bytes
This is not the full table; see wine ref for all fields until FS:[0xfb4] / GS:[17c8].^[2] Newer Windows versions extend the size of TIB further, up to 0x1000/0x1838 in Windows 10. Some of the fields appended are removed, leading to conflicting definitions.^[3]

FS (for 32-bit) or GS (for 64-bit) maps to a TIB which is embedded in a data block known as the TDB (thread data base). The TIB contains the thread-specific exception handling chain and pointer to the TLS (thread local storage.) The thread local storage is not the same as C local storage.

Stack information stored in the TIB

A process should be free to move the stack of its threads as long as it updates the information stored in the TIB accordingly. A few fields are key to this matter: stack base, stack limit, deallocation stack, and guaranteed stack bytes, respectively stored at offsets 0x8, 0x10, 0x1478 and 0x1748 in 64 bits. Different Windows kernel functions read and write these values, specially to distinguish stack overflows from other read/write page faults (a read or write to a page guarded among the stack limits in guaranteed stack bytes will generate a stack-overflow exception instead of an access violation). The deallocation stack is important because Windows API allows to change the amount of guarded pages: the function SetThreadStackGuarantee allows both read the current space and to grow it. In order to read it, it reads the GuaranteedStackBytes field, and to grow it, it uses has to uncommit stack pages. Setting stack limits without setting DeallocationStack will probably cause odd behavior in SetThreadStackGuarantee. For example, it will overwrite the stack limits to wrong values. Different libraries call SetThreadStackGuarantee, for example the .NET CLR uses it for setting up the stack of their threads.

Accessing the TIB

The TIB of the current thread can be accessed as an offset of segment register FS (x86) or GS (x64).

It is not common to access the TIB fields by an offset from FS:[0], but rather first getting a linear self-referencing pointer to it stored at FS:[18h]. That pointer can be used with pointer arithmetic or be cast to a struct pointer.

Using Microsoft Windows SDK or similar, a programmer could use an inline function defined in winnt.h named NtCurrentTeb which returns the address of the current Thread Information Block as NT_TIB *.^[4]

Alternative methods of access for IA-32 architectures are as follows:

// gcc (AT&T-style inline assembly).void*getTIB(void){registervoid*pTIB;#if defined(__x86_64__) || defined(__amd64__)__asm__("movq %%gs:0x30, %0":"=r"(pTIB));#elif defined(__i386__)__asm__("movl %%fs:0x18, %0":"=r"(pTIB));#else#error unsupported architecture#endifreturnpTIB;}

// gcc (named address spaces, same as the inline assembly version on -O1 or -ftree-ter).void*getTIB(void){#if defined(__x86_64__) || defined(__amd64__)#ifndef __SEG_GS#error unsupported GCC version#endifreturn*(void*__seg_gs*)0x30;#elif defined(__i386__)#ifndef __SEG_FS#error unsupported GCC version#endifreturn*(void*__seg_fs*)0x18;#else#error unsupported architecture#endif}

// Microsoft C__declspec(naked)void*getTIB(){__asmmovEAX,FS:[18h]__asmret}

// Using Microsoft's intrinsics instead of inline assembly (works for both X86 and X64 architectures)void*getTIB(){#ifdef _M_IX86return(void*)__readfsdword(0x18);#elif _M_AMD64return(void*)__readgsqword(0x30);#else#error unsupported architecture#endif}

Related Research Articles

x86 is a family of complex instruction set computer (CISC) instruction set architectures initially developed by Intel based on the 8086 microprocessor and its 8-bit-external-bus variant, the 8088. The 8086 was introduced in 1978 as a fully 16-bit extension of 8-bit Intel's 8080 microprocessor, with memory segmentation as a solution for addressing more memory than can be covered by a plain 16-bit address. The term "x86" came into being because the names of several successors to Intel's 8086 processor end in "86", including the 80186, 80286, 80386 and 80486. Colloquially, their names were "186", "286", "386" and "486".

The Windows API, informally WinAPI, is the foundational application programming interface (API) that allows a computer program to access the features of the Microsoft Windows operating system in which the program is running. Programs access API functionality via dynamic-link library (DLL) technology.

The Intel x86 computer instruction set architecture has supported memory segmentation since the original Intel 8086 in 1978. It allows programs to address more than 64 KB (65,536 bytes) of memory, the limit in earlier 80xx processors. In 1982, the Intel 80286 added support for virtual memory and memory protection; the original mode was renamed real mode, and the new version was named protected mode. The x86-64 architecture, introduced in 2003, has largely dropped support for segmentation in 64-bit mode.

x86 assembly language is the name for the family of assembly languages which provide some level of backward compatibility with CPUs back to the Intel 8008 microprocessor, which was launched in April 1972. It is used to produce object code for the x86 class of processors.

x86-64 is a 64-bit version of the x86 instruction set, first announced in 1999. It introduced two new modes of operation, 64-bit mode and compatibility mode, along with a new 4-level paging mode.

In computing, a bus error is a fault raised by hardware, notifying an operating system (OS) that a process is trying to access memory that the CPU cannot physically address: an invalid address for the address bus, hence the name. In modern use on most architectures these are much rarer than segmentation faults, which occur primarily due to memory access violations: problems in the logical address or permissions.

DJ's GNU Programming Platform (DJGPP) is a software development suite for Intel 80386-level and above, IBM PC compatibles which supports DOS operating systems. It is guided by DJ Delorie, who began the project in 1989. It is a port of the GNU Compiler Collection (GCC), and mostly GNU utilities such as Bash, find, tar, ls, GAWK, sed, and ld to DOS Protected Mode Interface (DPMI). Supported languages include C, C++, Objective-C/C++, Ada, Fortran, and Pascal. It was originally called DJGCC, and was later renamed from DJGCC to DJGPP when C++ support was added, though the "PP" was said to stand for "Programming Platform" rather than "Plus Plus".

Valgrind is a programming tool for memory debugging, memory leak detection, and profiling.

<span class="mw-page-title-main">C99</span> C programming language standard, 1999 revision

C99 is a past version of the C programming language open standard. It extends the previous version (C90) with new features for the language and the standard library, and helps implementations make better use of available computer hardware, such as IEEE 754-1985 floating-point arithmetic, and compiler technology. The C11 version of the C programming language standard, published in 2011, updates C99.

In computer programming, an inline assembler is a feature of some compilers that allows low-level code written in assembly language to be embedded within a program, among code that otherwise has been compiled from a higher-level language such as C or Ada.

The Microsoft Macro Assembler (MASM) is an x86 assembler that uses the Intel syntax for MS-DOS and Microsoft Windows. Beginning with MASM 8.0, there are two versions of the assembler: One for 16-bit & 32-bit assembly sources, and another (ML64) for 64-bit sources only.

In computer science, a calling convention is an implementation-level (low-level) scheme for how subroutines or functions receive parameters from their caller and how they return a result. When some code calls a function, design choices have been taken for where and how parameters are passed to that function, and where and how results are returned from that function, with these transfers typically done via certain registers or within a stack frame on the call stack. There are design choices for how the tasks of preparing for a function call and restoring the environment after the function has completed are divided between the caller and the callee. Some calling convention specifies the way every function should get called. The correct calling convention should be used for every function call, to allow the correct and reliable execution of the whole program using these functions.

Stacks in computing architectures are regions of memory where data is added or removed in a last-in-first-out (LIFO) manner.

In computer security, executable-space protection marks memory regions as non-executable, such that an attempt to execute machine code in these regions will cause an exception. It makes use of hardware features such as the NX bit, or in some cases software emulation of those features. However, technologies that emulate or supply an NX bit will usually impose a measurable overhead while using a hardware-supplied NX bit imposes no measurable overhead.

In computer programming, DLL injection is a technique used for running code within the address space of another process by forcing it to load a dynamic-link library. DLL injection is often used by external programs to influence the behavior of another program in a way its authors did not anticipate or intend. For example, the injected code could hook system function calls, or read the contents of password textboxes, which cannot be done the usual way. A program used to inject arbitrary code into arbitrary processes is called a DLL injector.

The Microsoft Windows family of operating systems employ some specific exception handling mechanisms.

The task state segment (TSS) is a structure on x86-based computers which holds information about a task. It is used by the operating system kernel for task management. Specifically, the following information is stored in the TSS:

This article describes the calling conventions used when programming x86 architecture microprocessors.

Memory ordering is the order of accesses to computer memory by a CPU. Memory ordering depends on both the order of the instructions generated by the compiler at compile time and the execution order of the CPU at runtime. However, memory order is of little concern outside of multithreading and memory-mapped I/O, because if the compiler or CPU changes the order of any operations, it must necessarily ensure that the reordering does not change the output of ordinary single-threaded code.

In computing, the red zone is a fixed-size area in a function's stack frame below the current stack pointer that is reserved and safe to use. It is most commonly used in leaf functions for allocating additional stack memory, without moving the stack pointer, which saves an instruction.

References

1 2 Pietrek, Matt (May 1996). "Under The Hood". Microsoft Systems Journal. Archived from the original on 2009-06-14. Retrieved 2010-07-07.
1 2 3 4 "wine winternl.h: typedef struct _TEB". GitHub. wine-mirror. 29 October 2019.
↑ Chapell, Geoff. "TEB".
↑ "NtCurrentTeb function". Microsoft Docs. Retrieved 20 November 2019.

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[Pietrek-May96-1] 1 2 Pietrek, Matt (May 1996). "Under The Hood". Microsoft Systems Journal. Archived from the original on 2009-06-14. Retrieved 2010-07-07.

[wine-winternl-2] 1 2 3 4 "wine winternl.h: typedef struct _TEB". GitHub. wine-mirror. 29 October 2019.

[3] Chapell, Geoff. "TEB".

[4] "NtCurrentTeb function". Microsoft Docs. Retrieved 20 November 2019.

[1]

[2]

[3]

[4]