flat assembler
Message board for the users of flat assembler.

Home Search Register
Log in to check your private messages Log in

Index > Windows > Interesting stuff
Author
Thread Post new topic Reply to topic
typedef



Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
typedef
Recently I just got into the process of handling my own exceptions, but before I start, I thought I'd do a little reading and I got something from wikipedia.

http://en.wikipedia.org/wiki/Win32_Thread_Information_Block

I like this part
Quote:

The TIB can be used to get a lot of information on the process without calling Win32 API. Examples include emulating GetLastError(), GetVersion(). Through the pointer to the PEB one can obtain access to the import tables (IAT), process startup arguments, image name, etc.


Interesting huh ?
Post 10 Aug 2011, 14:51
View user's profile Send private message Reply with quote
idle



Joined: 06 Jan 2011
Posts: 359
Location: Ukraine
idle
observing own code with ollydbg on os-calls i saw fs:xxxx readings, and now i know what that is, thanks!
Post 10 Aug 2011, 15:40
View user's profile Send private message Reply with quote
AsmGuru62



Joined: 28 Jan 2004
Posts: 1413
Location: Toronto, Canada
AsmGuru62
Imagine if Microsoft will change TIB layout, so API works and 'direct' FS:XXXX manipulation fails! Probably far fetched, but it can happen.
Post 10 Aug 2011, 16:41
View user's profile Send private message Send e-mail Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
typedef
Quote:

Imagine if Microsoft will change TIB layout, so API works and 'direct' FS:XXXX manipulation fails! Probably far fetched, but it can happen.

yup. Is till want to see FS in use but direct API, like the author said.

Maybe am gonna have to ask him/her how it can be done.
Post 10 Aug 2011, 17:30
View user's profile Send private message Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
typedef
PS: I was thinking, if one can access the whole memmory and enumerate all the code and data in there(ie. running programs), can you not use the method above(Win32 Thread Information Block) to get the basic info about each & every particular program, thus bypassing API ?

Hmm?....

Just another day in the computer virus lab.. Very Happy
Post 10 Aug 2011, 17:35
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Main index Download Documentation Examples Message board

Copyright © 1999-2020, Tomasz Grysztar. Also on YouTube, Twitter.

Website powered by rwasa.