mov eax, large fs:30h

About

Asked 24/1, 2013 at 8:19 Answered 24/1, 2013 at 10:14

I was analyzing some x86 binary and found the following instruction which I can not understand. Can someone please explain me following instruction?

mov     eax, large fs:30h

I googled this, and it turns out it is some anti-debugging stuff... but that's all I know.

what does large means?? And what does fs:30 means??

I know about segmentation but I don't know when the fs register is used. For say cs:, ds: are implicitly skipped when instruction is referencing code or data. But what is fs, and what is gs?

Zeitler answered 24/1, 2013 at 8:19 Comment(2)

What platform? Are you running on Linux? – Abmho 24/1, 2013 at 8:26

See What is large dword? for that part of the question. The answers here only answer the use of fs for thread-local stuff. – Paranymph 14/10, 2018 at 14:36

Looks like it's Windows code, loading the address of the Process Environment Block (PEB), via the Thread Information Block, which can be accessed via the FS segment.

The PEB contains, amongest other things, a flag indicating if the process is being debugged.

MSDN has a page about it here

Pad answered 24/1, 2013 at 10:14 Comment(2)

Via Thread Environment Block (TEB) _TEB +0x030 ProcessEnvironmentBlock : Ptr32 _PEB Thread Information Block (TIB) _NT_TIB - first member of TEB +0x000 NtTib : _NT_TIB – Floriated 24/1, 2013 at 13:36

Yes, exactly. fs:[30] + 0xC = PEB_LDR_Data, + 0x0C = InMemoryOrderModuleList of loaded modules. Then you can explore their exports. – Escharotic 4/5, 2013 at 5:58

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags