In computing, the Win32 Thread Information Block (TIB) is a data structure in Win32 on x86 that stores information about the currently running thread. This structure is also known as the Thread Environment Block (TEB).
Contents
The TIB is officially undocumented for Windows 9x. The Windows NT series DDK includes a struct NT_TIB in winnt.h that documents the subsystem independent part. Wine includes declarations for the extended (subsystem-specific part of) TIB. Yet so many Win32 programs use these undocumented fields that they are effectively a part of the API. The first field, in particular, is directly referenced by the code produced by Microsoft's own compiler.
The TIB can be used to get a lot of information on the process without calling Win32 API. Examples include emulating GetLastError(), GetVersion(). Through the pointer to the PEB one can obtain access to the import tables (IAT), process startup arguments, image name, etc.
Contents of the TIB (32-bit Windows)
FS maps to a TIB which is embedded in a data block known as the TDB (thread data base). The TIB contains the thread-specific exception handling chain and pointer to the TLS (thread local storage.) The thread local storage is not the same as C local storage.
Note: The above description ONLY refers to 32-bit Windows on x86. On x86-64 (64-bit) Windows, GS (and not FS) is used as the segment register that points to the TIB. Additionally some of the variable slots in the structure above have a different size (typically 8 instead of 4 bytes for pointer-sized data slots).
Accessing the TIB
The TIB of the current thread can be accessed as an offset of segment register FS (x86) or GS (x64).
It is not common to access the TIB fields by an offset from FS:[0], but rather first getting a linear self-referencing pointer to it stored at FS:[0x18]. That pointer can be used with pointer arithmetics or be cast to a struct pointer.
Example in C inlined-assembly for 32-bit x86: