mov eax, large fs:30h

debugging assembly x86 ida mov
11,693

Looks like it's Windows code, loading the address of the Process Environment Block (PEB), via the Thread Information Block, which can be accessed via the FS segment.

The PEB contains, amongest other things, a flag indicating if the process is being debugged.

MSDN has a page about it here

Share:
11,693

Related videos on Youtube

daehee
Author by

daehee

Updated on June 04, 2022

Comments

  • daehee
    daehee 7 months

    I was analyzing some x86 binary and found the following instruction which I can not understand. Can someone please explain me following instruction?

    mov     eax, large fs:30h

    I googled this, and it turns out it is some anti-debugging stuff... but that's all I know.

    what does large means?? And what does fs:30 means??

    I know about segmentation but I don't know when the fs register is used. For say cs:, ds: are implicitly skipped when instruction is referencing code or data. But what is fs, and what is gs?

  • sergmat almost 10 years
    Via Thread Environment Block (TEB) _TEB +0x030 ProcessEnvironmentBlock : Ptr32 _PEB Thread Information Block (TIB) _NT_TIB - first member of TEB +0x000 NtTib : _NT_TIB
  • GalacticJello over 9 years
    Yes, exactly. fs:[30] + 0xC = PEB_LDR_Data, + 0x0C = InMemoryOrderModuleList of loaded modules. Then you can explore their exports.

Recents

Android studio - flutter: No Connected Devices
Are obs stream being closed automatically by GetxControllers?
Flutter - Implementing CSS radial gradients
What is the difference between ThemeData(primaryColor: Colors.red) and providing one with ColorScheme.primary
How to remove the background when clicking on the text of a link?
Flutter release APK:Invalid keystore format with Linux(deepin)
How can the blur filter be stopped from sampling colors surrounding a blurred image?
Flutter OpenContainer Animation behavior
How to set asterisk sign in flutter with top-right corner of string?
How to specify drag target for a certain widget Flutter (Single Draggable Being Dropped Into 3 Drag Targets Instead Of 1)
Error connecting to local Firebase functions emulator from Flutter app
In flutter my build apk file is not working properly

Related

x86 Instruction help: MOV [edx], eax
MOVing between two memory addresses
Difference between MOVDQA and MOVAPS x86 instructions?
How to loop in assembly language
How many byes is each instruction compiled to in x86 assembly?
How hard is it (really) to decompile assembly code?
How does the `test` instruction work?
x86 Linux assembler get program parameters from _start
assembly leal and movl difference
How is the x86 JAE instruction related to the carry flag?