{"id":102428,"date":"2019-04-18T07:00:00","date_gmt":"2019-04-18T14:00:00","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/oldnewthing\/?p=102428"},"modified":"2019-06-06T17:44:10","modified_gmt":"2019-06-07T00:44:10","slug":"20190418-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20190418-00\/?p=102428","title":{"rendered":"How arbitrary is the ArbitraryUserPointer in the TEB?"},"content":{"rendered":"<p>There&#8217;s a member of the <code>NT_TIB<\/code> structure called <code>Arbitrary&shy;User&shy;Pointer<\/code>. <\/p>\n<pre>\ntypedef struct _NT_TIB {\n    struct _EXCEPTION_REGISTRATION_RECORD *ExceptionList;\n    PVOID StackBase;\n    PVOID StackLimit;\n    PVOID SubSystemTib;\n    PVOID FiberData;\n    PVOID ArbitraryUserPointer;\n    struct _NT_TIB *Self;\n} NT_TIB;\n<\/pre>\n<p>How arbitrary is this value? Can I use it for anything I want? <\/p>\n<p>This is another case of <a HREF=\"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/20110512-00\/?p=10683\">looking at the world through kernel-colored glasses<\/a>. The <code>Arbitrary&shy;User&shy;Pointer<\/code> is arbitrary from the kernel&#8217;s point of view, but that doesn&#8217;t mean that it&#8217;s available for anybody to use. The <code>User<\/code> here means &#8220;user-mode&#8221;. The kernel is saying, &#8220;Dude, like, here&#8217;s a value for user-mode to use however it sees fit. I really don&#8217;t care.&#8221; <\/p>\n<p>But user-mode might care. <\/p>\n<p>In practice, the user-mode loader uses the <code>Arbitrary&shy;User&shy;Pointer<\/code> to <a HREF=\"http:\/\/www.nynaeve.net\/?p=98\">pass information to the debugger<\/a>. It&#8217;s not a random place for programs to stash data. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>Another identifier defined with kernel-colored glasses.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-102428","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":"<p>Another identifier defined with kernel-colored glasses.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/102428","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=102428"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/102428\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=102428"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=102428"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=102428"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}