1. I promise I will get the Derbycon heap video out. I just got bored of doing the editing, so it is sitting there raw right now.
2. I plan on updating and redoing the Journey into Exploitation post to have some updated information and more content eventually.
Ok, now the reason for this post: because I am so bad at posting or finishing posts on this blog, and I have people asking for content, I am going to attempt a new strategy. To get information back out so people can learn, and to help people along the way, I am going to start posting the questions I get and the answers to them.
I will avoid posting questions on really easy topics and will usually link someone to a place to read about those, but for topics that are either poorly documented or hard I will try to cover them. One major advantage for me is that if I don't know the answer, it gives me something to research as well.
Topics I will cover:
Reverse Engineering:
Exploitation:
Security in general:
Preview question.
Q: What is FS?
I wrote a challenge some time back for the Securabit podcast, which I am a part of, as a fun exercise. The question came from someone trying to reverse this challenge.
The anti-debugging technique reads PEB offset +68 to detect whether a debugger is attached; this value is set to 70 when a debugger is attached. To find the base address of the PEB I read FS[30] and stored it in a register.
Ok, I skimmed over some items there, like why it is set to 70 and what the PEB is, but that is not the question. The question is: what is FS?
FS is a segment register that was added with the release of protected-mode 32-bit x86 operating systems. Typically, in Win32, FS points to the base of the Thread Information Block of the currently active thread in a running PE.
To break this down further: when you see a command such as
mov EBX, DWORD PTR DS:[EAX]
the DWORD PTR is saying: start with the base address of DS (another segment register), add the value of EAX to it, and store the DWORD found at that address in EBX. So when I accessed
mov EAX, DWORD PTR FS:[30h]
I was saying: take the base of FS, add 30h to it, and return what is stored there. That address holds the base of the PEB.
A few other notes on FS:
FS:[0] stores the pointer to the first SEH record in the linked list. This chain is consulted when an exception occurs in the code.
FS points to the currently active thread's block. This means a single application with multiple threads will have multiple pointers to different Thread Information Blocks, one per thread.
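To make the lookups above concrete, here is an added C example (not from the post or the challenge source) that models a tiny 32-bit address space with a constructed TEB, PEB and SEH chain, and then performs the same reads the post describes: FS:[30h] for the PEB base, PEB+68h for the flag compared against 70h, and FS:[0] to walk the SEH handler chain to its 0xFFFFFFFF terminator. The offsets are the post's values read as hex (on 32-bit Windows, PEB+0x68 is the NtGlobalFlag field); the addresses and handler values are constructed sample data, chosen only so the reads can be checked.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets from the post (hex): TEB+0x30 -> PEB base, PEB+0x68 -> NtGlobalFlag,
   TEB+0x00 -> head of the SEH chain. */
#define TIB_EXCEPTION_LIST      0x00
#define TIB_PEB_POINTER         0x30
#define PEB_NT_GLOBAL_FLAG      0x68
#define NT_GLOBAL_FLAG_DEBUGGED 0x70   /* value the post says appears under a debugger */
#define SEH_CHAIN_END           0xFFFFFFFFu

/* A tiny 32-bit "address space": every address is an offset into this buffer,
   so a DWORD read here behaves like "mov eax, dword ptr fs:[30h]" with fs as base. */
#define SPACE_SIZE 0x1000
typedef struct { uint8_t mem[SPACE_SIZE]; } Space;

static uint32_t rd32(const Space *s, uint32_t addr) {
    uint32_t v = 0;
    if (addr + 4 <= SPACE_SIZE) memcpy(&v, s->mem + addr, 4);
    return v;
}
static void wr32(Space *s, uint32_t addr, uint32_t v) {
    if (addr + 4 <= SPACE_SIZE) memcpy(s->mem + addr, &v, 4);
}

/* fs:[30h] -> base of the PEB for the thread whose TEB fs points at. */
static uint32_t peb_base(const Space *s, uint32_t fs_base) {
    return rd32(s, fs_base + TIB_PEB_POINTER);
}

/* The check from the challenge: PEB+68h compared against 70h. */
static int debugger_present(const Space *s, uint32_t fs_base) {
    uint32_t flag = rd32(s, peb_base(s, fs_base) + PEB_NT_GLOBAL_FLAG);
    return (flag & NT_GLOBAL_FLAG_DEBUGGED) == NT_GLOBAL_FLAG_DEBUGGED;
}

/* Walk the SEH chain from fs:[0]. Each record is { Next, Handler };
   Next == 0xFFFFFFFF marks the end of the list. Returns number of handlers found. */
static int seh_chain_handlers(const Space *s, uint32_t fs_base, uint32_t *out, int max) {
    uint32_t rec = rd32(s, fs_base + TIB_EXCEPTION_LIST);
    int n = 0;
    while (rec != SEH_CHAIN_END && n < max) {
        out[n++] = rd32(s, rec + 4);   /* Handler field */
        rec = rd32(s, rec);            /* Next field */
    }
    return n;
}

/* Constructed sample layout (hypothetical addresses): TEB at 0x100, PEB at 0x400,
   two SEH records at 0x800 and 0x810 with made-up handler addresses. */
#define TEB_ADDR 0x100
#define PEB_ADDR 0x400
static Space g_space;
static uint32_t g_handlers[8];

static void build_sample(Space *s, int with_debugger) {
    memset(s, 0, sizeof *s);
    wr32(s, TEB_ADDR + TIB_PEB_POINTER, PEB_ADDR);
    wr32(s, PEB_ADDR + PEB_NT_GLOBAL_FLAG, with_debugger ? NT_GLOBAL_FLAG_DEBUGGED : 0);
    wr32(s, TEB_ADDR + TIB_EXCEPTION_LIST, 0x800);   /* fs:[0] -> first record */
    wr32(s, 0x800, 0x810);        wr32(s, 0x804, 0x00401000);   /* Next, Handler */
    wr32(s, 0x810, SEH_CHAIN_END); wr32(s, 0x814, 0x00402000);  /* last record */
}

int main(void) {
    build_sample(&g_space, 1);
    printf("PEB base (fs:[30h]): 0x%08x\n", peb_base(&g_space, TEB_ADDR));
    printf("PEB+68h has 70h set: %d\n", debugger_present(&g_space, TEB_ADDR));
    int n = seh_chain_handlers(&g_space, TEB_ADDR, g_handlers, 8);
    for (int i = 0; i < n; i++)
        printf("SEH handler %d: 0x%08x\n", i, g_handlers[i]);
    return 0;
}
```

The point of the toy address space is that everything the post describes is just "segment base plus displacement, then dereference": the same rd32 call serves the PEB lookup, the flag read and the SEH walk. When reversing, recognising a read from fs:[30h] followed by a compare against 70h at offset 68h is enough to spot this particular check.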
Challenge
Source for Challenge