The Thread Information Block (TIB) or Thread Environment Block (TEB) is a data structure in Win32 on x86 that stores information about the currently running thread. It descended from, and is backward-compatible on 32-bit systems with, a similar structure in OS/2.

The TIB can be used to get a lot of information on the process without calling Win32 API. Examples include emulating <code>GetLastError()</code>, <code>GetVersion()</code>. Through the pointer to the PEB one can obtain access to the import tables (IAT), process startup arguments, image name, etc. It is accessed from the FS segment register on 32-bit Windows and GS on 64-bit Windows.

Contents of the TIB on Windows

This table is based on Wine's work on Microsoft Windows internals.

|-

| align="right" |pointer[]

|FS:[0xE10]

|GS:[0x1480]

|NT

|TLS slots, 4/8 bytes per slot, 64 slots

|-

| align="right" |8

|FS:[0xF10]

|GS:[0x1680]

|NT

|TLS links (<code>LIST_ENTRY</code> structure)

|-

| align="right" |4

|FS:[0xF18]

|GS:[0x1690]

|NT

|VDM

|-

| align="right" |4

|FS:[0xF1C]

|GS:[0x1698]

|NT

|Reserved for RPC

|-

| align="right" |4

|FS:[0xF28]

|GS:[0x16B0]

|NT

|Thread error mode (<code>RtlSetThreadErrorMode</code>)

|-

| align="right" |4

|FS:[0xF78]

|GS:[0x1748]

|NT

|Guaranteed stack bytes

|-

! colspan="5" | This is not the full table; see wine ref for all fields until FS:[0xfb4] / GS:[17c8].

|}

FS (for 32-bit) or GS (for 64-bit) maps to a TIB which is embedded in a data block known as the TDB (thread data base). The TIB contains the thread-specific exception handling chain and pointer to the TLS (thread local storage.) The thread local storage is not the same as C local storage.

Stack information stored in the TIB

A process should be free to move the stack of its threads as long as it updates the information stored in the TIB accordingly. A few fields are key to this matter: stack base, stack limit, deallocation stack, and guaranteed stack bytes, respectively stored at offsets <code>0x8</code>, <code>0x10</code>, <code>0x1478</code> and <code>0x1748</code> in 64 bits. Different Windows kernel functions read and write these values, specially to distinguish stack overflows from other read/write page faults (a read or write to a page guarded among the stack limits in guaranteed stack bytes will generate a stack-overflow exception instead of an access violation). The deallocation stack is important because Windows API allows to change the amount of guarded pages: the function <code>SetThreadStackGuarantee</code> allows both read the current space and to grow it. In order to read it, it reads the <code>GuaranteedStackBytes</code> field, and to grow it, it uses has to uncommit stack pages. Setting stack limits without setting <code>DeallocationStack</code> will probably cause odd behavior in <code>SetThreadStackGuarantee</code>. For example, it will overwrite the stack limits to wrong values. Different libraries call <code>SetThreadStackGuarantee</code>, for example the .NET CLR uses it for setting up the stack of their threads.

Accessing the TIB

The TIB of the current thread can be accessed as an offset of segment register FS (x86) or GS (x64).

It is not common to access the TIB fields by an offset from <code>FS:[0]</code>, but rather first getting a linear self-referencing pointer to it stored at <code>FS:[18h]</code>. That pointer can be used with pointer arithmetic or be cast to a struct pointer.

Using Microsoft Windows SDK or similar, a programmer could use an inline function defined in <code>winnt.h</code> named <code>NtCurrentTeb</code> which returns the address of the current Thread Information Block as <code>NT_TIB *</code>.

Alternative methods of access for IA-32 architectures are as follows:

<syntaxhighlight lang="c">

// gcc (AT&T-style inline assembly).

void *getTIB(void) {

register void *pTIB;

  1. if defined(__x86_64__) || defined(__amd64__)

__asm__("movq %%gs:0x30, %0" : "=r" (pTIB));

  1. elif defined(__i386__)

__asm__("movl %%fs:0x18, %0" : "=r" (pTIB));

  1. else
  2. error unsupported architecture
  3. endif

return pTIB;

}

</syntaxhighlight>

<syntaxhighlight lang="c">

// gcc (named address spaces, same as the inline assembly version on -O1 or -ftree-ter).

void *getTIB(void) {

  1. if defined(__x86_64__) || defined(__amd64__)
  2. ifndef __SEG_GS
  3. error unsupported GCC version
  4. endif

return *(void *__seg_gs *) 0x30;

  1. elif defined(__i386__)
  2. ifndef __SEG_FS
  3. error unsupported GCC version
  4. endif

return *(void *__seg_fs *) 0x18;

  1. else
  2. error unsupported architecture
  3. endif

}

</syntaxhighlight>

<syntaxhighlight lang="c">

// Microsoft C

__declspec(naked)

void *getTIB() {

__asm mov EAX, FS:[18h]

__asm ret

}

</syntaxhighlight>

<syntaxhighlight lang="c">

// Using Microsoft's intrinsics instead of inline assembly (works for both X86 and X64 architectures)

void *getTIB() {

  1. ifdef _M_IX86

return (void *)__readfsdword(0x18);

  1. elif _M_AMD64

return (void *)__readgsqword(0x30);

  1. else
  2. error unsupported architecture
  3. endif

}

</syntaxhighlight>

See also

  • Structured Exception Handling

References

</references>

Further reading

  • TEB layout on NTinternals.net
  • Structured Exception Handling and the TIB
  • Description of the first slots of the TIB
  • Description of TEB, field by field
  • TEB definitions for various Windows versions