Get linear address of FS:[0] in 32-bit protected mode / MSVC inline asm

Question

I used this instruction in Visual C++ inline assembly

lea eax, FS:[0]

Why did eax get a zero?

And how do I get the linear address of FS:[0]?

Answer 1

Assuming FS points to the Windows Thread Information Block (TIB), also known as the Thread Environment Block (TEB), you get the linear address of the TIB by reading the 32-bit value at fs:[0x18]. The best way to do this in Visual C++ is to use the __readfsdword intrinsic:

TEB *teb = (TEB *) __readfsdword(0x18);

Answer 2

The LEA instruction ("Load Effective Address") is badly named (e.g. should probably be called LEO/"Load Effective Offset") because it only calculates the offset within a segment.