
Thread: FS Register

  1. #1

    FS Register

    Hi All,
    I have a doubt about the FS register. As we all know, the FS register address is
    ffdff000.
    Can we convert this address into a physical address to get the contents of all offsets from FS, so that I can dump all the FS:[X] values?

    Thanks

  2. #2
    Jakor
    Guest
    FS:[18h] = linear address
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  3. #3
    You can't always dereference FS - if you are in a debugger's context, you cannot access FS:18.

    Nice question, so this is the right answer (I strongly suggest you study what it does)

    Code:
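    #include <windows.h>
    #include <string.h>

    // Rebuild the 32-bit segment base, which the descriptor stores in three pieces:
    // BaseLow (bits 0-15), BaseMid (bits 16-23) and BaseHi (bits 24-31).
    DWORD GetSegBase(LDT_ENTRY &SelectorEntry)
    {
       return (((DWORD)SelectorEntry.HighWord.Bytes.BaseHi) << 24) |
              (((DWORD)SelectorEntry.HighWord.Bytes.BaseMid) << 16) |
              ((DWORD)SelectorEntry.BaseLow);
    }

    // Get the linear address that FS:[FsIndex] refers to in the given thread.
    // ThreadHandle needs THREAD_GET_CONTEXT and THREAD_QUERY_INFORMATION access.
    bool GetThreadFSAddress(HANDLE ThreadHandle, int FsIndex, DWORD &LinearAddress)
    {
       CONTEXT ThreadContext;
       LDT_ENTRY SelectorEntry;

       memset(&ThreadContext, 0, sizeof(ThreadContext));
       memset(&SelectorEntry, 0, sizeof(SelectorEntry));
       // Only the segment registers are needed to read the FS selector.
       ThreadContext.ContextFlags = CONTEXT_SEGMENTS;
       if ( GetThreadContext(ThreadHandle, &ThreadContext) &&
            GetThreadSelectorEntry(ThreadHandle, ThreadContext.SegFs, &SelectorEntry) )
       {
          // Linear address = segment base + offset within the segment.
          LinearAddress = GetSegBase(SelectorEntry) + FsIndex;
          return true;
       }
       return false;
    }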
    Last edited by Maximus; June 23rd, 2008 at 17:48. Reason: bah, code tags...
    I want to know God's thoughts ...the rest are details.
    (A. Einstein)
    --------
    ..."a shellcode is a command you do at the linux shell"...
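
As an added example (not code from the thread): the sketch below decodes a raw 8-byte 32-bit segment descriptor, the same base reassembly that GetSegBase in post #3 performs through the LDT_ENTRY fields, and also checks the segment limit before forming a linear address. The struct and function names and the sample descriptor bytes are constructed for illustration; expand-down segments are not handled.

```cpp
#include <cstdint>
#include <cstdio>

// Decoded view of one 8-byte x86 (32-bit) segment descriptor.
struct SegmentInfo {
    uint32_t base;         // linear address where the segment starts
    uint32_t limit_bytes;  // highest valid offset, in bytes
    unsigned dpl;          // descriptor privilege level (0 = kernel, 3 = user)
    bool present;          // P bit
};

// raw[0..7] is the descriptor as laid out in the GDT/LDT (little-endian).
SegmentInfo DecodeDescriptor(const uint8_t raw[8])
{
    SegmentInfo s;
    // Base: bytes 2-3 = BaseLow, byte 4 = BaseMid, byte 7 = BaseHi.
    s.base = (uint32_t)raw[2] | ((uint32_t)raw[3] << 8) |
             ((uint32_t)raw[4] << 16) | ((uint32_t)raw[7] << 24);
    // Limit: bytes 0-1 hold bits 0-15, low nibble of byte 6 holds bits 16-19.
    uint32_t limit = (uint32_t)raw[0] | ((uint32_t)raw[1] << 8) |
                     ((uint32_t)(raw[6] & 0x0F) << 16);
    // G bit (byte 6, bit 7): the limit counts 4 KiB pages instead of bytes.
    if (raw[6] & 0x80) limit = (limit << 12) | 0xFFF;
    s.limit_bytes = limit;
    s.dpl = (raw[5] >> 5) & 3;
    s.present = (raw[5] & 0x80) != 0;
    return s;
}

// Linear address of seg:[offset]; false if the segment is absent or offset is past the limit.
bool SegOffsetToLinear(const SegmentInfo &s, uint32_t offset, uint32_t &linear)
{
    if (!s.present || offset > s.limit_bytes) return false;
    linear = s.base + offset;
    return true;
}

// Constructed sample: base 0xFFDFF000 (the address quoted in the thread),
// limit 0x1FFF bytes, present, DPL 0, read/write data, 32-bit.
const uint8_t kSampleDescriptor[8] = {0xFF, 0x1F, 0x00, 0xF0, 0xDF, 0x93, 0x40, 0xFF};

int main()
{
    SegmentInfo s = DecodeDescriptor(kSampleDescriptor);
    uint32_t linear = 0;
    if (SegOffsetToLinear(s, 0x18, linear))
        printf("base=%08X limit=%08X dpl=%u FS:[18h] -> %08X\n",
               (unsigned)s.base, (unsigned)s.limit_bytes, s.dpl, (unsigned)linear);
    return 0;
}
```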

  4. #4
    Also of note is that in Vista, FS no longer points to 0xFFDFF000. It now points into the .data section of the mapped ntoskrnl image, at a KPCR global variable. Further still, 64-bit Vista, for reasons unknown to me, uses GS instead of FS for this purpose.
