Posts

Showing posts from March, 2024

TIB & FS, GS Segment Register

Summary: the TIB (Thread Information Block) is reached through the FS segment register on x86 and through the GS segment register on x64.

The structure is declared in WinNT.h:

    typedef struct _NT_TIB {
        PVOID ExceptionList;
        PVOID StackBase;
        PVOID StackLimit;
        PVOID SubSystemTib;
        PVOID FiberData;
        PVOID ArbitraryUserPointer;
        struct _NT_TIB *Self;
    } NT_TIB;
    typedef NT_TIB *PNT_TIB;

Field offsets:

    Field                    x86    x64
    ------------------------------------
    ExceptionList            0x000  0x000
    StackBase                0x004  0x008
    StackLimit               0x008  0x010
    SubSystemTib             0x00C  0x018
    FiberData                0x010  0x020
    ArbitraryUserPointer     0x014  0x028
    Self                     0x018  0x030

Real (linear) address of the TIB: the Self field holds a pointer to the TIB itself, so it is read as fs:[0x018] on x86 and gs:[0x030] on x64.

WOW64 related,

When Windows moved to 64-bit, the system folder name "System32" was kept. (The name says 32, but on 64-bit Windows it is the 64-bit system folder used by 64-bit applications.) When a 32-bit application accesses the system folder on 64-bit Windows, it is redirected to the SysWOW64 folder rather than System32 (the system folder for 32-bit applications on 64-bit Windows is \Windows\SysWOW64).

View list of installed drivers

I. Msinfo32.exe: Software Environment - System Drivers
   - List of loaded drivers: Started column = "Yes"
   - Kernel driver list: Type column = "Kernel Driver"
   - Driver file: File column

II. Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services (e.g. the ACPI driver)

III. Folder: C:\Windows\System32\drivers

______________________________________________________________________________________________________

Description

You can view the list of installed (registered) drivers by running Msinfo32.exe from the Run dialog box of the Start menu, under Software Environment - System Drivers.

The currently loaded drivers are those shown as "Yes" in the Started column. The type of driver can be checked in the Type column (e.g. "Kernel Driver"). The driver file (.sys) can be found in the File column. Additionally, you can obtain information such as the driver name, status, and startup mode.

The list of drivers dis

CPU(x86) Architecture

General register designations.    

Process Knowledge

____________________________________________________________________________________

When a process (program) is executed in Windows, Windows creates a structure named EPROCESS in kernel memory space to manage it, and one ETHREAD structure is created for each thread the process uses.

Each of them contains a substructure, named PCB and TCB respectively:

    EPROCESS - PCB (Process Control Block)
    ETHREAD  - TCB (Thread Control Block)

Since the above structures live in the kernel area, they can only be accessed in kernel mode.

Structures called PEB and TEB are also created in user memory space so that this information can be obtained easily in user mode (by the user program):

    PEB: Process Environment Block
    TEB: Thread Environment Block

    PEB           TEB              (user memory)
    ---------------------------------------------
    EPROCESS|PCB  ETHREAD|TCB      (kernel memory)

You can use WinDbg's dt command to view the contents of t