9

The Thread Local Storage (TLS) contains static or global values for a thread. Those values can be very important to find reliable references to memory structures when the memory locations are not static.

I would like to get the Thread Local Storage of another process.

The TLS should be at [FS:0x2C] in the Thread Information Block (TIB). Though I don't quite understand how the FS register works. I guess I have to find the TIB base address first? I think I can find it in the thread context I can get with the WinAPI GetThreadContext, but I am a little bit overwhelmed.

samuirai

1 Answer

8

You need to use GetThreadSelectorEntry().

Pseudocode:

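context.ContextFlags = CONTEXT_SEGMENTS; // request the segment registers so SegFs is filled in
GetThreadContext(hThread, &context);
GetThreadSelectorEntry(hThread, context.SegFs, &selectorEntry);
// FS base (TIB) = BaseLow | BaseMid << 16 | BaseHi << 24; the TLS pointer sits at offset 0x2C
ReadProcessMemory(hProcess, (LPCVOID)((selectorEntry.BaseLow | (selectorEntry.HighWord.Bytes.BaseMid << 0x10) | ((DWORD)selectorEntry.HighWord.Bytes.BaseHi << 0x18)) + 0x2C), &pTLS, sizeof(pTLS), &numberOfBytesRead);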

You can see the function GetProcessEntryPointAddress() here for some sample code that does something similar.

Jason Geffner
  • thank you, it worked like a charm :) I didn't know GetThreadSelectorEntry() – samuirai Dec 07 '13 at 20:00
  • @jason-geffner 10 years have gone by and your link is now dead. You don't happen to have a copy of the content? The answers to such questions never get old :) – Benni Dec 28 '23 at 22:07
  • 1
    @Benni, you're in luck! See https://blogorama.nerdworks.in/content/images/nerdworks/downloads/myselfdel.c – Jason Geffner Feb 19 '24 at 21:04
  • thanks a lot! I found it hard to find commented sample code for it. – Benni Feb 19 '24 at 21:50
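
As an added illustration (not part of the original answer or of the linked sample), this portable C example decodes the 8-byte x86 segment descriptor that GetThreadSelectorEntry() returns as an LDT_ENTRY, showing why the three base fields are OR-ed together. It goes one step beyond the answer by also checking the present bit and the segment limit before offset 0x2C is used. The names seg_info, decode_descriptor, tls_slot_address and the SAMPLE_FS bytes are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

#define TIB_TLS_OFFSET 0x2Cu   /* offset of the TLS pointer in the 32-bit TIB, per the question */

/* Decoded view of one 8-byte x86 segment descriptor (same byte layout as LDT_ENTRY). */
typedef struct {
    uint32_t base;    /* linear base address of the segment */
    uint32_t limit;   /* highest valid offset, in bytes */
    int present;      /* P bit of the access byte */
} seg_info;

/* Decode a raw descriptor: bytes 2-3 = BaseLow, byte 4 = BaseMid, byte 7 = BaseHi. */
seg_info decode_descriptor(const uint8_t d[8])
{
    seg_info s;
    /* Widen to uint32_t before shifting so a BaseHi >= 0x80 cannot overflow int. */
    s.base = (uint32_t)d[2] | ((uint32_t)d[3] << 8) |
             ((uint32_t)d[4] << 16) | ((uint32_t)d[7] << 24);
    uint32_t raw_limit = (uint32_t)d[0] | ((uint32_t)d[1] << 8) |
                         ((uint32_t)(d[6] & 0x0F) << 16);
    /* G bit (bit 7 of byte 6): the limit counts 4 KiB pages instead of bytes. */
    s.limit = (d[6] & 0x80) ? ((raw_limit << 12) | 0xFFFu) : raw_limit;
    s.present = (d[5] >> 7) & 1;
    return s;
}

/* Computes the address to hand to ReadProcessMemory to fetch the TLS pointer.
   Returns 0 on success, -1 if the segment is absent or too small to hold it. */
int tls_slot_address(const uint8_t d[8], uint32_t *addr)
{
    seg_info s = decode_descriptor(d);
    if (!s.present || s.limit < TIB_TLS_OFFSET + 3u)
        return -1;
    *addr = s.base + TIB_TLS_OFFSET;
    return 0;
}

/* Constructed sample: base 0x7FFDE000, limit 0xFFF bytes, present data segment, DPL 3. */
static const uint8_t SAMPLE_FS[8] = { 0xFF, 0x0F, 0x00, 0xE0, 0xFD, 0xF3, 0x40, 0x7F };

int main(void)
{
    uint32_t addr;
    if (tls_slot_address(SAMPLE_FS, &addr) == 0)
        printf("read TLS pointer from 0x%08X\n", (unsigned)addr);
    return 0;
}
```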