
It seems that Windows 8 broke OllyDbg, as several ntdll functions keep throwing exception 0xC0000008 and crashing my debugger.

I am now using Windbg. But, I am unable to view FS (specifically FS:[0]). How can I get a dump of FS via Windbg? I've tried googling to no avail. I am specifically interested in SEH, but all I can find is dumping TEB or PEB.

perror
Jason
  • 0xc0000008 is triggered by a call to CloseHandle() with an invalid handle value, while a debugger is present. It is not a fatal exception, and is a common anti-debugging trick. Why do you think that Windows 8 is responsible? – peter ferrie Jul 17 '14 at 15:49
  • Debugging the same app under Windows 7 with the same debugger does not cause any problems. I figured it was something with the OS. – Jason Jul 18 '14 at 07:55

3 Answers

If you're looking to find the base address of a segment based on its selector, you can use dg <selector>; in this context you would use dg fs:

0:000> dg fs
                                  P Si Gr Pr Lo
Sel    Base     Limit     Type    l ze an es ng Flags
---- -------- -------- ---------- - -- -- -- -- --------
003B 7ffdf000 00000fff Data RW Ac 3 Bg By P  Nl 000004f3

You can see above that the Base of fs is 7ffdf000, so FS:[0] == [7ffdf000].

0:000> db 7ffdf000
7ffdf000  1c f7 1d 00 00 00 1e 00-00 f0 1c 00 00 00 00 00  ................
7ffdf010  00 1e 00 00 00 00 00 00-00 f0 fd 7f 00 00 00 00  ................
7ffdf020  0c 13 00 00 bc 0f 00 00-00 00 00 00 2c f0 fd 7f  ............,...
7ffdf030  00 a0 fd 7f 00 00 00 00-00 00 00 00 00 00 00 00  ................
7ffdf040  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
7ffdf050  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
7ffdf060  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
7ffdf070  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
Jason Geffner
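As an added example (not part of either answer above), here is a small Python script that does the same two steps offline: it parses the `dg fs` listing quoted above to get the FS base, parses the `db` dump into raw bytes, and reads the leading NT_TIB dwords out of it, so FS:[0] (the SEH list head), the stack bounds and the TEB self-pointer come out as numbers. The sample listings are copied from the answer; the field offsets are the documented x86 NT_TIB layout.

```python
from __future__ import annotations
import re
import struct

# Constructed sample input: the `dg fs` and `db` listings quoted in the answer above.
DG_FS_OUTPUT = """\
0:000> dg fs
                                  P Si Gr Pr Lo
Sel    Base     Limit     Type    l ze an es ng Flags
---- -------- -------- ---------- - -- -- -- -- --------
003B 7ffdf000 00000fff Data RW Ac 3 Bg By P  Nl 000004f3
"""
DB_OUTPUT = """\
7ffdf000  1c f7 1d 00 00 00 1e 00-00 f0 1c 00 00 00 00 00  ................
7ffdf010  00 1e 00 00 00 00 00 00-00 f0 fd 7f 00 00 00 00  ................
7ffdf020  0c 13 00 00 bc 0f 00 00-00 00 00 00 2c f0 fd 7f  ............,...
"""
# Offsets of the leading NT_TIB fields of the x86 TEB (FS:[0] is the SEH list head).
TIB_FIELDS = {"ExceptionList": 0x00, "StackBase": 0x04, "StackLimit": 0x08, "Self": 0x18}

def parse_dg_base(text: str) -> int:
    """Return the segment base from the first descriptor row of a `dg` listing."""
    for line in text.splitlines():
        m = re.match(r"^([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})\s", line)
        if m:
            return int(m.group(2), 16)
    raise ValueError("no descriptor row found")

def parse_db(text: str) -> tuple[int, bytes]:
    """Turn a `db` dump into (start address, raw bytes); the ASCII column is ignored."""
    start, buf = None, bytearray()
    for line in text.splitlines():
        m = re.match(r"^([0-9a-f]{8})\s+((?:[0-9a-f]{2}[ -]){15}[0-9a-f]{2})", line)
        if not m:
            continue
        if start is None:
            start = int(m.group(1), 16)
        buf += bytes.fromhex(m.group(2).replace("-", "").replace(" ", ""))
    if start is None:
        raise ValueError("no dump rows found")
    return start, bytes(buf)

def read_tib(dg_text: str, db_text: str) -> dict[str, int]:
    """Resolve the FS base via `dg fs`, then read each NT_TIB dword out of the `db` bytes."""
    base = parse_dg_base(dg_text)
    start, data = parse_db(db_text)
    return {name: struct.unpack_from("<I", data, base + off - start)[0]
            for name, off in TIB_FIELDS.items()}
```

On the quoted dump this yields ExceptionList (FS:[0]) = 0x001df71c and Self = 0x7ffdf000, which equals the `dg fs` base and is a cheap sanity check that you dumped the right segment.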

The SEH chain can be viewed in WinDbg by issuing the !exchain command.

0:000> !exchain    # display the SEH chain
0012ffb0: wireshark!_except_handler4+0 (00522555)
0012ffe0: kernel32!_except_handler3+0 (7c839ac0)
  CRT scope  0, filter: kernel32!BaseProcessStart+29 (7c843882)
                func:   kernel32!BaseProcessStart+3a (7c843898)
Invalid exception stack at ffffffff

FS:[0] is the pointer to the start of the SEH chain. You can walk through the output produced by !exchain to find FS:[0].

john4tech

If you're interested in viewing SEH, consider using pydbg SEH unwinding for that kind of purpose.

see ya