Debugging with segment register FS

Question

I need to debug an application written in C that reads and writes to segment register FS. To debug this application I need to see the memory address where FS points to.

The application uses code like this:

mov rdx, fs:[rcx]
mov fs:[rcx], rsi

How do I get the linear virtual address of a read/write from/to segment registers? I can compile this application for either Linux or Winodws.

Windows uses FS for "per thread" variables, and the few times I've looked at the assembly code, it's converting FS:[...] into a regular virtual address. The current seed for rand() is one of those "per thread" variables, which is what I looked at. — rcgldr, Nov 13 '15 at 09:59
Related: http://stackoverflow.com/questions/6611346/how-are-the-fs-gs-registers-used-in-linux-amd64 — Ciro Santilli Путлер Капут 六四事, Nov 13 '15 at 13:05

score 4 · Accepted Answer · answered Nov 13 '15 at 13:05

4

On linux, you can use arch_prctl(ARCH_GET_FS, &fsbase). In windows, if the FS is pointing to the TEB as usual, you can read fs:[0x18] to get the base address, or use features of your debugger if available.

answered Nov 13 '15 at 13:05

Jester

54,538
4
72
115

Debugging with segment register FS

1 Answers1