In a Ring 3 (user-mode) application, FS:[0] points to the TEB structure. The TEB begins with an NT_TIB structure, and offset 0x18 of NT_TIB is a self pointer to the structure itself, i.e. to the start of the TEB.
Offset 0x30 of the TEB is a pointer to the PEB. Offset 0x2 of the PEB is a UCHAR named BeingDebugged: it is 1 while the process is being debugged and 0 otherwise.
Therefore, the following code gives these results when executed line by line:
mov eax, dword ptr fs:[18h]   ; eax = TEB pointer
mov eax, dword ptr [eax+30h]  ; eax = PEB pointer
movzx eax, byte ptr [eax+2h]  ; eax = PEB.BeingDebugged (byte zero-extended to DWORD)
The full layout of the TEB and PEB structures can be displayed with the dt _TEB and dt _PEB commands in WinDbg while kernel debugging.
In MASM the default is ASSUME FS:ERROR, i.e. the FS segment register cannot be referenced by default, so ASSUME FS:NOTHING must be declared before using it.
FS is a segment register: it holds a segment selector, and the corresponding descriptor in the GDT or LDT determines the segment's base, limit and access permissions.
Finally, back to IsDebuggerPresent: it simply checks the BeingDebugged field of the PEB to decide whether the process is being debugged, so modifying this field directly changes the return value of this API.
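As an added illustration (not code from the original post), the following C program emulates the three-instruction walk over a constructed 32-bit memory slice holding a fake TEB and PEB, so it runs on any host; the addresses are made up for the demo, only the offsets 0x18, 0x30 and 0x02 come from the text. It also shows the last point above: overwriting BeingDebugged flips the result, which is why a defender reviewing anti-debug logic should not treat this single byte as reliable evidence.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed slice of a 32-bit address space holding a fake TEB and PEB.
 * The addresses are made up for the demo; only the offsets come from the page. */
#define MEM_BASE 0x7FFDD000u
#define MEM_SIZE 0x3000u
#define TEB_VA   0x7FFDE000u         /* FS base, i.e. the TEB                  */
#define PEB_VA   0x7FFDF000u         /* TEB+0x30 points here                   */
#define TIB_SELF_OFF          0x18u  /* NT_TIB.Self                            */
#define TEB_PEB_OFF           0x30u  /* TEB.ProcessEnvironmentBlock            */
#define PEB_BEINGDEBUGGED_OFF 0x02u  /* PEB.BeingDebugged (UCHAR)              */

static uint8_t g_mem[MEM_SIZE];

/* Map a 32-bit virtual address into the slice; abort on anything outside it. */
static uint8_t *at(uint32_t va, uint32_t len) {
    if (va < MEM_BASE || va - MEM_BASE + len > MEM_SIZE) abort();
    return g_mem + (va - MEM_BASE);
}
static uint32_t rd32(uint32_t va) { uint32_t v; memcpy(&v, at(va, 4), 4); return v; }
static void     wr32(uint32_t va, uint32_t v) { memcpy(at(va, 4), &v, 4); }

/* Lay out TEB and PEB as the page describes, with BeingDebugged set as requested. */
static void setup(uint8_t being_debugged) {
    memset(g_mem, 0, sizeof g_mem);
    wr32(TEB_VA + TIB_SELF_OFF, TEB_VA);   /* NT_TIB.Self -> start of the TEB */
    wr32(TEB_VA + TEB_PEB_OFF,  PEB_VA);   /* TEB+0x30    -> PEB              */
    *at(PEB_VA + PEB_BEINGDEBUGGED_OFF, 1) = being_debugged;
}

/* The three instructions from the page, one memory access each. */
uint32_t emulate_check(uint32_t fs_base) {
    uint32_t eax = rd32(fs_base + 0x18);   /* mov   eax, dword ptr fs:[18h]   */
    eax = rd32(eax + 0x30);                /* mov   eax, dword ptr [eax+30h]  */
    eax = *at(eax + 0x02, 1);              /* movzx eax, byte ptr [eax+2]     */
    return eax;
}

/* Process under a debugger: the walk yields 1. */
uint32_t demo_debugged(void) { setup(1); return emulate_check(TEB_VA); }

/* Same process after BeingDebugged has been overwritten: the walk yields 0,
 * which is why a check that trusts only this byte is easy to defeat. */
uint32_t demo_patched(void) {
    setup(1);
    *at(PEB_VA + PEB_BEINGDEBUGGED_OFF, 1) = 0;
    return emulate_check(TEB_VA);
}
```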