1

I am analyzing a disassembled dll and got stuck on the line

mov ebx,fs:[00000004h]

I want to find out the exact physical address of the data that is written into ebx with this instruction. gdb tells me that fs = 0x53.

I already found out that the address depends on the mode (protected or real), and I'm pretty sure the CPU is in protected mode (see *). So the start of segment fs should be stored somewhere in the GDT, right? I also found out the address of the GDT-register (0x009bd5c0007f), but gdb doesn't let me access or read the register, so I don't know how to find out the physical address of fs (and, therefore, of fs:[00000004h]).

Can anybody help me please?

I used the instruction smsw ax, and after that eax was 0x280031. So the last bit is 1, which means protected mode. Did I get that right?

nrz
  • 10,435
  • 4
  • 39
  • 71
Nukualofa
  • 11
  • 2

2 Answers2

2

Yes, it's protected mode.

And you probably found the virtual address of the GDT by using the SGDT instruction.

That address, however, is unlikely to be useful since you can read the memory at that address only from code executing in the OS kernel (could be a kernel mode driver).

You need to find a way to read the memory of interest from inside the kernel.

Alexey Frunze
  • 61,140
  • 12
  • 83
  • 180
0

Since you're mentioning a DLL, I assume it's all on Windows. On Windows, FS is known to point at the thread information block (TIB). At offset 4, there's the pointer to the top of stack. The code loads it into EBX, that's it.

The value of FS does not matter, nor you need to poke around GDT. It's a documented part of the API.

Seva Alekseyev
  • 59,826
  • 25
  • 160
  • 281