10

An application I am currently looking at is using threads and accessing something via the thread-local storage. It is compiled with Visual C++ (probably 6.0).

First question would be, where can I find more information about what the thread-local storage contains? I haven't quite understood it yet.

This is the assembler code where the application reads a value from the thread-local storage.

MOV EAX,0
MOV ECX,DWORD PTR FS:[0x2C]
MOV EDX,DWORD PTR DS:[ECX + EAX * 4]
MOV EAX,DWORD PTR DS:[EDX+4]

EAX is a pointer which points to the following memory area, which has a special pattern.

[Image: memory pattern]

It basically looks like this:

52
P->...
P->...
5

52
P->...
P->...
5

52
P->...
P->...
5

I was wondering if this is some kind of standard data structure.

samuirai

1 Answer

8

The area you're looking at is something specific to the program; it's not part of Windows structures.

The value at fs:[0x2C] is the TLS array - an array of pointers to the thread-specific blocks of variables somewhere in the program's memory. Here's what a typical TLS access to a __declspec(thread) variable looks like:

mov eax, DWORD PTR __tls_index    ; load TLS index for current thread
mov ecx, DWORD PTR fs:__tls_array ; load the TLS array pointer (FS:[2Ch])
mov edx, DWORD PTR [ecx+eax*4]    ; fetch the pointer to the TLS block for current thread
mov eax, DWORD PTR [edx+4h]       ; load the thread variable at offset 4 in the TLS block

(The __tls_index variable is pointed to by the TlsIndex (aka AddressOfIndex) field of the PE TLS directory.)

The actual content of the TLS block is up to the program - the OS only makes sure that every thread gets a separate copy of the initial TLS template, and puts a pointer to it in the TLS array. So, to figure out what's in that memory chunk, you'll have to see how the program is using it.

Igor Skochinsky
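The answer above locates __tls_index through the AddressOfIndex field of the PE TLS directory and says each thread receives a copy of the initial TLS template. As an added example (not part of the original answer), this Python parser reads IMAGE_TLS_DIRECTORY32 from a PE32 file and returns that address together with the template bytes; the function names are hypothetical and `build_sample` produces a constructed minimal image so the code runs offline.

```python
import struct

TLS_DIR = 9  # IMAGE_DIRECTORY_ENTRY_TLS slot in the data directory array

def parse_tls_directory(pe):
    """Return IMAGE_TLS_DIRECTORY32 fields plus the initial TLS template, or None."""
    nt, = struct.unpack_from("<I", pe, 0x3C)                 # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", pe, nt + 6)             # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, nt + 20)        # SizeOfOptionalHeader
    opt = nt + 24
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base, = struct.unpack_from("<I", pe, opt + 28)
    ndirs, = struct.unpack_from("<I", pe, opt + 92)          # NumberOfRvaAndSizes
    tls_rva = struct.unpack_from("<I", pe, opt + 96 + 8 * TLS_DIR)[0] if ndirs > TLS_DIR else 0
    if tls_rva == 0:
        return None                                          # image has no static TLS
    # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section
    secs = [struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8) for i in range(nsec)]

    def offset(rva):
        for vsize, va, rawsize, rawptr in secs:
            if va <= rva < va + min(vsize or rawsize, rawsize):
                return rawptr + rva - va
        raise ValueError("RVA 0x%x is not backed by file data" % rva)

    # All address fields in the TLS directory are VAs, so subtract ImageBase.
    start, end, index_va, callbacks_va, zero_fill, _ = struct.unpack_from("<6I", pe, offset(tls_rva))
    tpl = offset(start - image_base)
    return {"address_of_index": index_va, "callbacks": callbacks_va,
            "zero_fill": zero_fill, "template": pe[tpl:tpl + end - start]}

def build_sample():
    """Constructed minimal PE32 (headers and one data section), not a real program."""
    pe = bytearray(0x400)
    pe[0:2], pe[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", pe, 0x3C, 0x40)                   # e_lfanew
    struct.pack_into("<HH", pe, 0x44, 0x14C, 1)              # i386, one section
    struct.pack_into("<H", pe, 0x54, 0xE0)                   # SizeOfOptionalHeader
    struct.pack_into("<H", pe, 0x58, 0x10B)                  # PE32 magic
    struct.pack_into("<I", pe, 0x58 + 28, 0x400000)          # ImageBase
    struct.pack_into("<I", pe, 0x58 + 92, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", pe, 0x58 + 96 + 8 * TLS_DIR, 0x1000, 24)
    struct.pack_into("<4I", pe, 0x140, 0x200, 0x1000, 0x200, 0x200)   # section header fields
    struct.pack_into("<6I", pe, 0x200, 0x401020, 0x401028, 0x401040, 0, 0, 0)  # TLS directory
    struct.pack_into("<II", pe, 0x220, 0, 0x11223344)        # template: variable at offset 4
    return bytes(pe)
```

The dword at offset 4 of the returned template is the initial value a new thread sees for the variable read by the `[EDX+4]` load, before the program writes to it at run time.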