Computing is usually defined as the activity of using and improving computer hardware and software. It is the computer-specific part of information technology...
, the Win32 Thread Information Block (TIB) is a data structure
Data structure
In computer science, a data structure is a particular way of storing and organizing data in a computer so that it can be used efficiently.Different kinds of data structures are suited to different kinds of applications, and some are highly specialized to specific tasks...
in Win32 on x86 that stores info about the currently running thread
Thread (computer science)
In computer science, a thread of execution is the smallest unit of processing that can be scheduled by an operating system. The implementation of threads and processes differs from one operating system to another, but in most cases, a thread is contained inside a process...
. This structure is also known as the Thread Environment Block (TEB).
The TIB is officially undocumented for Windows 9x. The Windows NT series DDK includes a struct NT_TIB in winnt.h that documents the subsystem independent part. Wine
Wine (software)
Wine is a free software application that aims to allow computer programs written for Microsoft Windows to run on Unix-like operating systems. Wine also provides a software library, known as Winelib, against which developers can compile Windows applications to help port them to Unix-like...
includes declarations for the extended (subsystem-specific part of) TIB. Yet so many Win32 programs use these undocumented fields that they are effectively a part of the API
Application programming interface
An application programming interface is a source code based specification intended to be used as an interface by software components to communicate with each other...
. The first field, in particular, is directly referenced by the code produced by Microsoft's own compiler.
The TIB can be used to get a lot of information on the process without calling Win32 API. Examples include emulating GetLastError, GetVersion. Through the pointer to the PEB one can obtain access to the import tables (IAT), process startup arguments, image name, etc.
In computer science, a thread of execution is the smallest unit of processing that can be scheduled by an operating system. The implementation of threads and processes differs from one operating system to another, but in most cases, a thread is contained inside a process...
Thread-local storage is a computer programming method that uses static or global memory local to a thread.This is sometimes needed because normally all threads in a process share the same address space, which is sometimes undesirable...
In computing the Process Environment Block is a data structure in Win32. It is an opaque data structure that is used by the operating system internally, most of whose fields are not intended for use by anything other than the operating system...
(PEB)
FS:[0x34]
4
NT
Last error number
FS:[0x38]
4
NT
Count of owned critical sections
FS:[0x3C]
4
NT
Address of CSR Client Thread
FS:[0x40]
4
NT
Win32 Thread Information
FS:[0x44]
124
NT, Wine
Win32 client information (NT), user32 private data (Wine), 0x60 = LastError (Win95), 0x74 = LastError (WinME)
FS:[0xC0]
4
NT
Reserved for Wow32
FS:[0xC4]
4
NT
Current Locale
FS:[0xC8]
4
NT
FP Software Status Register
FS:[0xCC]
216
NT, Wine
Reserved for OS (NT), kernel32 private data (Wine)
FS:[0x124]
4
NT
Pointer to KTHREAD (ETHREAD) structure
FS:[0x1A4]
4
NT
Exception code
FS:[0x1A8]
18
NT
Activation context stack
FS:[0x1BC]
24
NT, Wine
Spare bytes (NT), ntdll private data (Wine)
FS:[0x1D4]
40
NT, Wine
Reserved for OS (NT), ntdll private data (Wine)
FS:[0x1FC]
1248
NT, Wine
GDI TEB Batch (OS), vm86 private data (Wine)
FS:[0x6DC]
4
NT
GDI Region
FS:[0x6E0]
4
NT
GDI Pen
FS:[0x6E4]
4
NT
GDI Brush
FS:[0x6E8]
4
NT
Real Process ID
FS:[0x6EC]
4
NT
Real Thread ID
FS:[0x6F0]
4
NT
GDI cached process handle
FS:[0x6F4]
4
NT
GDI client process ID (PID)
FS:[0x6F8]
4
NT
GDI client thread ID (TID)
FS:[0x6FC]
4
NT
GDI thread locale information
FS:[0x700]
20
NT
Reserved for user application
FS:[0x714]
1248
NT
Reserved for GL
FS:[0xBF4]
4
NT
Last Status Value
FS:[0xBF8]
532
NT
Static UNICODE_STRING buffer
FS:[0xE0C]
4
NT
Pointer to deallocation stack
FS:[0xE10]
256
NT
TLS slots, 4 byte per slot
FS:[0xF10]
8
NT
TLS links (LIST_ENTRY structure)
FS:[0xF18]
4
NT
VDM
FS:[0xF1C]
4
NT
Reserved for RPC
FS:[0xF28]
4
NT
Thread error mode (RtlSetThreadErrorMode)
FS maps to a TIB which is embedded in a data block known as the TDB (thread data base). The TIB contains the thread-specific exception handling chain and pointer to the TLS (thread local storage.) The thread local storage is not the same as C local storage.
Accessing the TIB
The TIB can be accessed as an offset of segment register
Processor register
In computer architecture, a processor register is a small amount of storage available as part of a CPU or other digital processor. Such registers are addressed by mechanisms other than main memory and can be accessed more quickly...
FS.
It is not common to access the TIB fields by an offset from FS:[0], but rather first getting a linear self-referencing pointer to it stored at FS:[0x18]. That pointer can be used with pointer arithmetics or be cast to a struct pointer.
