
View Full Version : FS Register


rijnahts
June 23rd, 2008, 11:26
Hi All,
I have a doubt about the FS register. As we all know, the FS register address is ffdff000.
Can we convert this address into a physical address to get the contents of all offsets from FS, so that I can dump all the FS:[X] values....

Thanks

Jakor
June 23rd, 2008, 14:48
FS:[18h] = linear address

Maximus
June 23rd, 2008, 17:45
You can't always dereference FS; if you are in a debugger's context, you cannot access FS:18.

Nice question, so this is the right answer (I strongly suggest you study what it does):

Code:

#include <windows.h>
#include <string.h>

// Assemble the 32-bit segment base that the descriptor stores in three pieces.
DWORD GetSegBase(const LDT_ENTRY &SelectorEntry)
{
    return (((DWORD)SelectorEntry.HighWord.Bytes.BaseHi)  << 24) |
           (((DWORD)SelectorEntry.HighWord.Bytes.BaseMid) << 16) |
            ((DWORD)SelectorEntry.BaseLow);
}

// Get the linear address that FS:[FsIndex] refers to in the given thread.
// Instead of reading through FS (impossible from the debugger's own context),
// take the thread's FS selector from its context and look up the descriptor
// it names with GetThreadSelectorEntry (32-bit targets).
bool GetThreadFSAddress(HANDLE ThreadHandle, int FsIndex, DWORD &LinearAddress)
{
    CONTEXT   ThreadContext;
    LDT_ENTRY SelectorEntry;

    memset(&ThreadContext, 0, sizeof(ThreadContext));
    memset(&SelectorEntry, 0, sizeof(SelectorEntry));
    ThreadContext.ContextFlags = CONTEXT_SEGMENTS;   // only the segment registers are needed
    if (GetThreadContext(ThreadHandle, &ThreadContext) &&
        GetThreadSelectorEntry(ThreadHandle, ThreadContext.SegFs, &SelectorEntry))
    {
        LinearAddress = GetSegBase(SelectorEntry) + FsIndex;
        return true;
    }
    return false;
}
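
The LDT_ENTRY that GetThreadSelectorEntry fills in is just the raw 8-byte x86 segment descriptor split into named fields, so the same base can be recovered by hand from a descriptor table read out of a memory dump, where no thread handle is available. The following is an added example, not code posted in this thread: it decodes descriptor bytes as they sit in memory (base, limit with the granularity bit applied, DPL, present and system bits) and resolves selector:offset to a linear address, refusing selectors that are not present, are system descriptors, or whose offset exceeds the limit. The descriptor table is constructed for the demo: slot 6 (selector 0x30) is given the 0xFFDFF000 base quoted above, slot 7 (selector 0x3B) an assumed TEB-like base of 0x7FFDE000; these selector numbers and the 0x7FFDE000 value are assumptions, not measurements from a live system.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Decoded view of one 8-byte x86 segment descriptor (a GDT or LDT slot). */
typedef struct {
    uint32_t base;      /* 32-bit linear base address                         */
    uint32_t limit;     /* highest valid offset, after granularity scaling    */
    unsigned dpl;       /* descriptor privilege level, 0..3                   */
    int present;        /* P bit                                              */
    int granularity4k;  /* G bit: limit field counts 4 KiB pages, not bytes   */
    int code;           /* type bit 3: code (1) or data (0); valid if !system */
    int system;         /* S bit clear: TSS, LDT or gate, not a memory segment*/
} seg_desc_t;

/* Decode raw little-endian descriptor bytes exactly as they appear in memory.
   Layout: [0..1] limit 15:0, [2..3] base 15:0, [4] base 23:16, [5] access,
   [6] flags | limit 19:16, [7] base 31:24. LDT_ENTRY's BaseLow/BaseMid/BaseHi
   are bytes 2-3, 4 and 7 of this. */
static void decode_descriptor(const uint8_t d[8], seg_desc_t *out)
{
    uint32_t limit_raw = (uint32_t)d[0] | ((uint32_t)d[1] << 8) |
                         ((uint32_t)(d[6] & 0x0F) << 16);
    out->base = (uint32_t)d[2] | ((uint32_t)d[3] << 8) |
                ((uint32_t)d[4] << 16) | ((uint32_t)d[7] << 24);
    out->present       = (d[5] >> 7) & 1;
    out->dpl           = (d[5] >> 5) & 3;
    out->system        = !((d[5] >> 4) & 1);
    out->code          = (d[5] >> 3) & 1;
    out->granularity4k = (d[6] >> 7) & 1;
    /* with G set the hardware fills the low 12 bits of the limit with ones */
    out->limit = out->granularity4k ? (limit_raw << 12) | 0xFFF : limit_raw;
}

/* Resolve selector:offset (selector as returned in CONTEXT.SegFs) against a
   flat descriptor table. Returns 0 when the selector is out of the table,
   not present, a system descriptor, or the offset is beyond the limit
   (the cases where a real access would fault instead of reading memory). */
static uint32_t linear_from_selector(const uint8_t *table, size_t table_len,
                                     uint16_t selector, uint32_t offset)
{
    unsigned index = selector >> 3;                /* bits 15..3: table index */
    if ((size_t)(index + 1) * 8 > table_len)
        return 0;
    seg_desc_t sd;
    decode_descriptor(table + index * 8, &sd);
    if (!sd.present || sd.system)
        return 0;
    if (offset > sd.limit)
        return 0;
    return sd.base + offset;
}

/* Constructed descriptor table for the demo (not a dump of a real system):
   slots 0-5 empty (not present), slot 6 = selector 0x30, a ring-0 data
   segment based at 0xFFDFF000 with a 2-page limit (G=1, limit field 1),
   slot 7 = selector 0x3B (index 7, RPL 3), a ring-3 data segment based at the
   assumed TEB-like address 0x7FFDE000 with a byte-granular 0xFFF limit. */
static const uint8_t demo_gdt[8 * 8] = {
    [6 * 8] = 0x01, 0x00, 0x00, 0xF0, 0xDF, 0x93, 0xC0, 0xFF,
    [7 * 8] = 0xFF, 0x0F, 0x00, 0xE0, 0xFD, 0xF3, 0x40, 0x7F,
};

int main(void)
{
    uint32_t kpcr = linear_from_selector(demo_gdt, sizeof demo_gdt, 0x30, 0);
    uint32_t teb_self = linear_from_selector(demo_gdt, sizeof demo_gdt, 0x3B, 0x18);
    printf("FS=0x30, FS:[0]     -> 0x%08X\n", kpcr);      /* 0xFFDFF000 */
    printf("FS=0x3B, FS:[18h]   -> 0x%08X\n", teb_self);  /* 0x7FFDE018 */
    printf("FS=0x30, FS:[2000h] -> 0x%08X (past the limit)\n",
           linear_from_selector(demo_gdt, sizeof demo_gdt, 0x30, 0x2000));
    return 0;
}
```

The limit check is the part GetSegBase above skips: the Windows API only hands back the base, so an FsIndex beyond the segment limit silently yields an address the target could never have formed through FS.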


darawk
June 23rd, 2008, 20:36
Also of note is that in Vista, FS no longer points to 0xFFDFF000. It now points into the .data section of the mapped ntoskrnl image, at a KPCR global variable. Further still, 64-bit Vista, for reasons unknown to me, uses GS instead of FS for this purpose.