I'm reading how SEH is implemented in Win32 and I came across this thing called the FS register. I couldn't find anything good on Google (most probably I may be searching for the wrong thing). So can anyone explain what it is?
The registers FS and GS are segment registers. They have no processor-defined purpose, but instead are given purpose by the OS running them. In 64-bit Windows the GS register is used to point to operating-system-defined structures. FS and GS are commonly used by OS kernels to access thread-specific memory.
On the 80386, Windows uses the fs segment register to access a small block of memory that is associated with each thread, known as the Thread Environment Block, or TEB. To access memory relative to a specific segment register, you prefix the segment register and a colon to the memory reference.
So what you're seeing is a value loaded at an offset from the value held in the FS register, and not bit manipulation of the contents of the FS register. Specifically, what's taking place is that FS:0x28 on Linux is storing a special sentinel stack-guard value, and the code is performing a stack-guard check.
GS is a segment register; its use in Linux can be read up on here (it's basically used for per-thread data). mov %gs:0x14,%eax; xor %gs:0x14,%eax. This code is used to validate that the stack hasn't exploded or been corrupted, using a canary value stored at GS+0x14, see this.
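The two answers above describe the fs:0x28 (x86-64) and gs:0x14 (32-bit) loads that compiler-generated code emits for the stack-guard check. The following added example, not code from the question or any answer, reads the same thread block on x86-64 Linux through the fs: prefix and cross-checks it against the kernel's view of the FS base (arch_prctl) and against pthread_self(); the canary low-byte check assumes glibc, and on other platforms the check functions report -1 rather than a result.

```c
// Added example (not from the question or any answer): on x86-64 Linux the FS
// base points at the current thread's control block (TCB), and glibc keeps the
// stack-protector canary at offset 0x28 inside it. The fs:-prefixed loads here
// are the same ones compiler-generated function prologues and epilogues emit.
#define _GNU_SOURCE
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#if defined(__x86_64__) && defined(__linux__)
#include <sys/syscall.h>
#define ARCH_GET_FS 0x1003                   /* same value as in <asm/prctl.h> */
#define FS_TLS_SUPPORTED 1
#define READ_FS(off, out) __asm__ volatile ("movq %%fs:" #off ", %0" : "=r"(out))
#else
#define FS_TLS_SUPPORTED 0                   /* no fs-based TLS: checks return -1 */
#define READ_FS(off, out) ((void)0)
#endif
/* fs:0 is the TCB's pointer to itself; fs:0x28 is the stack canary. */
static uintptr_t read_fs_self(void)   { uintptr_t v = 0; READ_FS(0, v);    return v; }
static uintptr_t read_fs_canary(void) { uintptr_t v = 0; READ_FS(0x28, v); return v; }
/* The kernel's own record of the FS base, via arch_prctl(ARCH_GET_FS). */
static uintptr_t fs_base_from_kernel(void) {
    unsigned long base = 0;
#if FS_TLS_SUPPORTED
    syscall(SYS_arch_prctl, ARCH_GET_FS, &base);
#endif
    return (uintptr_t)base;
}
/* 1 if fs:0, the kernel and pthread_self() all name the same TCB, 0 if not. */
int fs_views_agree(void) {
    if (!FS_TLS_SUPPORTED) return -1;
    uintptr_t self = read_fs_self();
    return self == fs_base_from_kernel() && self == (uintptr_t)pthread_self();
}
/* glibc zeroes the canary's lowest byte so an unterminated string copy stops at it. */
int canary_low_byte_is_zero(void) {
#if FS_TLS_SUPPORTED && defined(__GLIBC__)
    return (read_fs_canary() & 0xff) == 0;
#else
    return -1;
#endif
}
int main(void) {
    printf("fs:0 (TCB self)  = %#lx\n", (unsigned long)read_fs_self());
    printf("ARCH_GET_FS      = %#lx\n", (unsigned long)fs_base_from_kernel());
    printf("pthread_self()   = %#lx\n", (unsigned long)(uintptr_t)pthread_self());
    printf("fs:0x28 (canary) = %#lx\n", (unsigned long)read_fs_canary());
    return 0;
}
```

Build with `cc -o fsdemo fsdemo.c` and run it; the first three addresses agree, and the canary's lowest byte prints as 00.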
It's a segment register. The x86 has six of them: CS, DS, ES, SS, FS and GS (FS and GS were new in 80386). The mnemonics come from their roles: code segment, data segment, extended segment (in fact, an auxiliary register), stack segment. These roles are hard-coded in the semantics of x86 assembly instructions. FS and GS are auxiliary like ES so they just bear the next letters after E.
In 32-bit protected mode as it's typically used (e.g., in Windows, Linux, *BSD), CS, DS, ES and SS are all set with a base of 0 and a limit of 4 GiB, and memory protection is done only with page permissions. FS points to a Thread Information Block (TIB) in user mode and to the Processor Control Region (KPCR) in kernel mode. Matt Pietrek wrote a pretty good article about it years ago that's still available on MSDN.