windows TLS 反汇编
最近看了一段关于 TLS 的代码：
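/* MSVC thread-local storage: every thread gets its own copy of t,
 * initialised to 1 from the image's .tls template. */
__declspec(thread) int t = 1;

/* Writes 2 into the calling thread's copy of t only; other threads'
 * copies are untouched. `main(void)` is the explicit prototype form. */
int main(void)
{
t = 2;
return 0;
}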
其反汇编代码如下:
; int main(void) -- x86 (32-bit), MASM syntax, MSVC TLS access sequence.
; Register roles: eax = module TLS index, ecx = per-thread TLS pointer array,
;                 edx = this thread's TLS block for this module.
_main:
push ebp                            ; frame setup
mov ebp,esp
mov eax,dword ptr [__tls_index]     ; eax = this image's TLS index (one per module, filled in by the loader; not per variable)
mov ecx,dword ptr fs:[__tls_array]  ; fs: base is the current thread's TEB; this field holds the array of per-module TLS block pointers
mov edx,dword ptr [ecx+eax*4]       ; edx = address of this thread's TLS block for this module (4-byte pointer slots)
mov dword ptr _t[edx], 2            ; t = 2; _t is t's offset inside the module's TLS block
xor eax,eax                         ; return 0
pop ebp
ret
(出处:程序员的自我修养)
谁能给我解释一下这段汇编代码？最好能结合 TLS 的实现来说明。
[解决办法]
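; int main(void) -- x86 (32-bit), MASM syntax. MASM comments start with ';'
; ('//' is not a comment in MASM; the original annotations would not assemble).
; Register roles: eax = module TLS index, ecx = per-thread TLS pointer array,
;                 edx = this thread's TLS block for this module.
_main:
push ebp                            ; frame setup
mov ebp,esp
mov eax,dword ptr [__tls_index]     ; eax = this image's TLS index: one value per module (set by the loader), not per variable
mov ecx,dword ptr fs:[__tls_array]  ; fs: base is the current thread's TEB; this field is the thread's array of per-module TLS block pointers
mov edx,dword ptr [ecx+eax*4]       ; edx = this thread's TLS block for this module (each thread has its own array, hence its own block)
mov dword ptr _t[edx], 2            ; t = 2; _t is t's fixed offset inside the module's TLS block
xor eax,eax                         ; return 0
pop ebp
ret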
+0x2c0 ExceptionCode : Int4B
+0x2c8 ActivationContextStackPointer : Ptr64 _ACTIVATION_CONTEXT_STACK
+0x2d0 SpareBytes : [24] UChar
+0x2e8 TxFsContext : Uint4B
+0x2f0 GdiTebBatch : _GDI_TEB_BATCH
+0x7d8 RealClientId : _CLIENT_ID
+0x7e8 GdiCachedProcessHandle : Ptr64 Void
+0x7f0 GdiClientPID : Uint4B
+0x7f4 GdiClientTID : Uint4B
+0x7f8 GdiThreadLocalInfo : Ptr64 Void
+0x800 Win32ClientInfo : [62] Uint8B
+0x9f0 glDispatchTable : [233] Ptr64 Void
+0x1138 glReserved1 : [29] Uint8B
+0x1220 glReserved2 : Ptr64 Void
+0x1228 glSectionInfo : Ptr64 Void
+0x1230 glSection : Ptr64 Void
+0x1238 glTable : Ptr64 Void
+0x1240 glCurrentRC : Ptr64 Void
+0x1248 glContext : Ptr64 Void
+0x1250 LastStatusValue : Uint4B
+0x1258 StaticUnicodeString : _UNICODE_STRING
+0x1268 StaticUnicodeBuffer : [261] Wchar
+0x1478 DeallocationStack : Ptr64 Void
+0x1480 TlsSlots : [64] Ptr64 Void
+0x1680 TlsLinks : _LIST_ENTRY
+0x1690 Vdm : Ptr64 Void
+0x1698 ReservedForNtRpc : Ptr64 Void
+0x16a0 DbgSsReserved : [2] Ptr64 Void
+0x16b0 HardErrorMode : Uint4B
+0x16b8 Instrumentation : [11] Ptr64 Void
+0x1710 ActivityId : _GUID
+0x1720 SubProcessTag : Ptr64 Void
+0x1728 EtwLocalData : Ptr64 Void
+0x1730 EtwTraceData : Ptr64 Void
+0x1738 WinSockData : Ptr64 Void
+0x1740 GdiBatchCount : Uint4B
+0x1744 CurrentIdealProcessor : _PROCESSOR_NUMBER
+0x1744 IdealProcessorValue : Uint4B
+0x1744 ReservedPad0 : UChar
+0x1745 ReservedPad1 : UChar
+0x1746 ReservedPad2 : UChar
+0x1747 IdealProcessor : UChar
+0x1748 GuaranteedStackBytes : Uint4B
+0x1750 ReservedForPerf : Ptr64 Void
+0x1758 ReservedForOle : Ptr64 Void
+0x1760 WaitingOnLoaderLock : Uint4B
+0x1768 SavedPriorityState : Ptr64 Void
+0x1770 SoftPatchPtr1 : Uint8B
+0x1778 ThreadPoolData : Ptr64 Void
+0x1780 TlsExpansionSlots : Ptr64 Ptr64 Void
+0x1788 DeallocationBStore : Ptr64 Void
+0x1790 BStoreLimit : Ptr64 Void
+0x1798 MuiGeneration : Uint4B
+0x179c IsImpersonating : Uint4B
+0x17a0 NlsCache : Ptr64 Void
+0x17a8 pShimData : Ptr64 Void
+0x17b0 HeapVirtualAffinity : Uint4B
+0x17b8 CurrentTransactionHandle : Ptr64 Void
+0x17c0 ActiveFrame : Ptr64 _TEB_ACTIVE_FRAME
+0x17c8 FlsData : Ptr64 Void
+0x17d0 PreferredLanguages : Ptr64 Void
+0x17d8 UserPrefLanguages : Ptr64 Void
+0x17e0 MergedPrefLanguages : Ptr64 Void
+0x17e8 MuiImpersonation : Uint4B
+0x17ec CrossTebFlags : Uint2B
+0x17ec SpareCrossTebBits : Pos 0, 16 Bits
+0x17ee SameTebFlags : Uint2B
+0x17ee SafeThunkCall : Pos 0, 1 Bit
+0x17ee InDebugPrint : Pos 1, 1 Bit
+0x17ee HasFiberData : Pos 2, 1 Bit
+0x17ee SkipThreadAttach : Pos 3, 1 Bit
+0x17ee WerInShipAssertCode : Pos 4, 1 Bit
+0x17ee RanProcessInit : Pos 5, 1 Bit
+0x17ee ClonedThread : Pos 6, 1 Bit
+0x17ee SuppressDebugMsg : Pos 7, 1 Bit
+0x17ee DisableUserStackWalk : Pos 8, 1 Bit
+0x17ee RtlExceptionAttached : Pos 9, 1 Bit
+0x17ee InitialThread : Pos 10, 1 Bit
+0x17ee SpareSameTebBits : Pos 11, 5 Bits
+0x17f0 TxnScopeEnterCallback : Ptr64 Void
+0x17f8 TxnScopeExitCallback : Ptr64 Void
+0x1800 TxnScopeContext : Ptr64 Void
+0x1808 LockCount : Uint4B
+0x180c SpareUlong0 : Uint4B
+0x1810 ResourceRetValue : Ptr64 Void
如上所说，线程的 TEB 位于 FS 段基址处（即 FS:[0] 起始的结构）；注意上面 dt 输出中的字段是 Ptr64，属于 64 位 TEB 的布局，而前面的反汇编是 32 位代码，偏移并不相同。再看一下一个具体进程中线程的 teb 内容（有截取）：
!process ac0
Searching for Process with Cid == ac0
Cid handle table at fffff8a0022d9000 with 1116 entries in use
PROCESS fffffa8004e4b8e0
SessionId: 1 Cid: 0ac0 Peb: 7efdf000 ParentCid: 0a9c
DirBase: 3c876000 ObjectTable: fffff8a00fca0740 HandleCount: 1589.
Image: QQ.exe
VadRoot fffffa8004d46940 Vads 774 Clone 0 Private 13325. Modified 48265. Locked 0.
DeviceMap fffff8a002df4fc0
Token fffff8a0112b0060
ElapsedTime 00:31:44.152
UserTime 00:00:00.811
KernelTime 00:00:00.842
QuotaPoolUsage[PagedPool] 0
QuotaPoolUsage[NonPagedPool] 0
Working Set Sizes (now,min,max) (16935, 4130, 8260) (67740KB, 16520KB, 33040KB)
PeakWorkingSetSize 17302
VirtualSize 333 Mb
PeakVirtualSize 338 Mb
PageFaultCount 127131
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 16065
Job fffffa8004d3fce0
THREAD fffffa8004e50060 Cid 0ac0.06ec Teb: 000000007efdb000 Win32Thread: fffff900c1fbb8d0 WAIT: (UserRequest) UserMode Non-Alertable
fffffa8004e56640 SynchronizationEvent
THREAD fffffa8004df4b50 Cid 0ac0.0aa8 Teb: 000000007efd8000
Win32Thread: fffff900c28a5830 WAIT: (UserRequest) UserMode Non-Alertable
fffffa80064c1e90 SynchronizationEvent
Not impersonating
THREAD fffffa8004fce940 Cid 0ac0.0b78 Teb: 000000007efd5000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable
THREAD fffffa8004f35b50 Cid 0ac0.0dd0 Teb: 000000007ef9d000 Win32Thread: fffff900c2b56420 WAIT: (UserRequest) UserMode Non-Alertable
fffffa8004f31870 SynchronizationEvent