In computing, the Win32 Thread Information Block (TIB) is a data structure in Win32 on x86 that stores information about the currently running thread. This structure is also known as the Thread Environment Block (TEB).
The TIB is officially undocumented for Windows 9x. The Windows NT series DDK includes a struct NT_TIB in winnt.h that documents the subsystem independent part. Wine includes [https://github.com/wine-mirror/wine/blob/d744f367d263a131feee96e103fb8220e8400b53/include/winternl.h#L347 header declarations] for the extended (subsystem-specific part of) TIB. Yet so many Win32 programs use these undocumented fields that they are effectively a part of the API. The first field, in particular, is directly referenced by the code produced by Microsoft's own compiler.
The TIB can be used to get a lot of information on the process without calling Win32 API. Examples include emulating GetLastError(), GetVersion(). Through the pointer to the PEB one can obtain access to the import tables (IAT), process startup arguments, image name, etc. It is accessed from the FS segment register when operating on 32 bits, and from GS in 64 bits.
Contents of the TIB on Windows
Bytes/
Type
offset
(32 bits, FS)
offset
(64 bits, GS)
Windows Versions
Description
pointer
FS:[0x00]
GS:[0x00]
Win9x and NT
Current Structured Exception Handling (SEH) frame
pointer
FS:[0x04]
GS:[0x08]
Win9x and NT
Stack Base / Bottom of stack (high address)
pointer
FS:[0x08]
GS:[0x10]
Win9x and NT
Stack Limit / Ceiling of stack (low address)
pointer
FS:[0x0C]
GS:[0x18]
NT
SubSystemTib
pointer
FS:[0x10]
GS:[0x20]
NT
Fiber data
pointer
FS:[0x14]
GS:[0x28]
Win9x and NT
Arbitrary data slot
pointer
FS:[0x18]
GS:[0x30]
Win9x and NT
Linear address of TEB
---- End of NT subsystem independent part ----
pointer
FS:[0x1C]
GS:[0x38]
NT
Environment Pointer
pointer
FS:[0x20]
GS:[0x40]
NT
Process ID (in some windows distributions this field is used as 'DebugContext')
4
FS:[0x24]
GS:[0x48]
NT
Current thread ID
4
FS:[0x28]
GS:[0x50]
NT
Active RPC Handle
4
FS:[0x2C]
GS:[0x58]
Win9x and NT
Linear address of the thread-local storage array
4
FS:[0x30]
GS:[0x60]
NT
Linear address of Process Environment Block (PEB)
4
FS:[0x34]
GS:[0x68]
NT
Last error number
4
FS:[0x38]
NT
Count of owned critical sections
4
FS:[0x3C]
NT
Address of CSR Client Thread
4
FS:[0x40]
NT
Win32 Thread Information
124
FS:[0x44]
NT, Wine
Win32 client information (NT), user32 private data (Wine), 0x60 = LastError (Win95), 0x74 = LastError (WinME)
4
FS:[0xC0]
NT
Reserved for Wow64. Contains a pointer to FastSysCall in Wow64.
4
FS:[0xC4]
NT
Current Locale
4
FS:[0xC8]
NT
FP Software Status Register
216
FS:[0xCC]
NT, Wine
Reserved for OS (NT), kernel32 private data (Wine) herein: FS:[0x124] 4 NT Pointer to KTHREAD (ETHREAD) structure
4
FS:[0x1A4]
NT
Exception code
18
FS:[0x1A8]
NT
Activation context stack
24
FS:[0x1BC]
NT, Wine
Spare bytes (NT), ntdll private data (Wine)
40
FS:[0x1D4]
NT, Wine
Reserved for OS (NT), ntdll private data (Wine)
1248
FS:[0x1FC]
NT, Wine
GDI TEB Batch (OS), vm86 private data (Wine)
4
FS:[0x6DC]
NT
GDI Region
4
FS:[0x6E0]
NT
GDI Pen
4
FS:[0x6E4]
NT
GDI Brush
4
FS:[0x6E8]
NT
Real Process ID
4
FS:[0x6EC]
NT
Real Thread ID
4
FS:[0x6F0]
NT
GDI cached process handle
4
FS:[0x6F4]
NT
GDI client process ID (PID)
4
FS:[0x6F8]
NT
GDI client thread ID (TID)
4
FS:[0x6FC]
NT
GDI thread locale information
20
FS:[0x700]
NT
Reserved for user application
1248
FS:[0x714]
NT
Reserved for GL
4
FS:[0xBF4]
GS:[0x1250]
NT
Last Status Value
532
FS:[0xBF8]
GS:[0x1258]
NT
Static UNICODE_STRING buffer
pointer
FS:[0xE0C]
GS:[0x1478]
NT
Also known as DeallocationStack, it establishes the real start address of the stack buffer, hence the real stack limit: it is a few pages less than the stack limit field (which hides the guard pages used to detect stack overflows).
pointer[]
FS:[0xE10]
GS:[0x1480]
NT
TLS slots, 4/8 bytes per slot, 64 slots
8
FS:[0xF10]
GS:[0x1680]
NT
TLS links (LIST_ENTRY structure)
4
FS:[0xF18]
NT
VDM
4
FS:[0xF1C]
NT
Reserved for RPC
4
FS:[0xF28]
NT
Thread error mode (RtlSetThreadErrorMode)
FS maps to a TIB which is embedded in a data block known as the TDB (thread data base). The TIB contains the thread-specific exception handling chain and pointer to the TLS (thread local storage.) The thread local storage is not the same as C local storage.
Note: The above description ONLY refers to 32-bit Windows on x86. On x86-64 (64-bit) Windows, GS (and not FS) is used as the segment register that points to the TIB. Additionally some of the variable slots in the structure above have a different size (typically 8 instead of 4 bytes for pointer-sized data slots).
Accessing the TIB
The TIB of the current thread can be accessed as an offset of segment register FS (x86) or GS (x64).
It is not common to access the TIB fields by an offset from FS:[0], but rather first getting a linear self-referencing pointer to it stored at FS:[0x18]. That pointer can be used with pointer arithmetics or be cast to a struct pointer.
[https://www.nirsoft.net/kernel_struct/vista/NT_TIB.html Description of the first slots of the TIB]
[https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/teb/index.htm Description of TEB, field by field]
[https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/1809%20Redstone%205%20(October%20Update)/_TEB TEB definitions for various Windows versions]
3 : Windows NT architecture|Microsoft application programming interfaces|Threads (computing)