views: 77, answers: 2
```
0040103A   CALL DWORD PTR DS:[40207A]                USER32.MessageBoxA
```

What does DS: mean?

+1  A: 

Memory addresses consist of a segment and an offset; DS is the "data segment" register.

Gintautas Miliauskas
+5  A: 

It means the instruction is referencing memory in the Data Segment - and can pretty much be ignored on modern OSes, since they run with a flat address space model (code, data and stack segments all refer to the same memory range, and memory protection is handled with paging).

EDIT:

A little elaboration - note that, to keep things simple, this is in the context of 32-bit protected mode running Windows.

A segment register (CS,DS,SS,ES,FS,GS) holds a selector pointing to a descriptor. There are two descriptor tables: global (GDT) and local (LDT), and the selector has a bit indicating which to use. Windows (almost?) exclusively uses the global table.

A descriptor is basically a {beginning-address, size} pair - there's more to it, but that's outside the scope of this post.

Windows uses a Flat Memory Model: each process has a 4GB address space starting at memory address 0, and uses paging to isolate processes from each other.

Since processes have this flat view of the world, they run with all segments using {0, 4GB} descriptors - and thus, instead of allocating per-process descriptors, Windows can use only a few global descriptors and have all processes use those.

EDIT 2:

The Portable Executable format defines sections, which are unrelated to the x86 segments - even if there's some conceptual overlap. PE EXEs can have pretty much any section layout you wish, but the norm is to split into (at least) code (read/execute), data (read/write), resources (readonly?). Splitting the executable into sections makes it possible to apply x86 page-level memory protection to the memory ranges.

EDIT 3:

While the normal segments don't change per-process, Windows uses the FS register to point to the per-thread TIB structure.

EDIT 4:

See this for an overview. This is from an old document on the 80386, but the information still applies.

snemarch
How many segments are there in a PE?
wamp
PE executables have multiple **sections**, but these are unrelated to the x86 **segments**.
snemarch
I always thought they're the same thing, can you elaborate a little what the difference is?
wamp
@wamp: there, hope that answers your questions :)
snemarch
Is the `GDT` pointed to by the `GS` register?
wamp
No, the CPU has internal GDTR/LDTR registers that are accessed via LGDT/SGDT, LLDT/SLDT instructions. FS and GS were extra segments introduced on the 80386 that have no intrinsic meaning to the CPU; names were chosen since we already had the ES ("*E*xtra" *S*egment).
snemarch
Can you explain what the segment descriptor says: `Z 1 DS 0023 32bit 0(FFFFFFFF)`, dumped from OllyDbg?
wamp
The "Z 1" part is not related to DS, but the vertical column showing the contents of EFLAGS. The rest is simple: the descriptor DS references has a base of 0 and limit of FFFFFFFF bytes :)
snemarch
What about `CS,DS,SS,ES`, are their values fixed during the application life time?
wamp
For all normal applications, yes.
snemarch
When can it change?
wamp
This is drifting quite off topic. Under normal circumstances, I haven't seen the segment registers change while running in user mode.
snemarch
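As an added illustration (not part of the answer or its author's code), the following C program decodes the selector value shown in the OllyDbg dump (`DS 0023`) into its index / table-indicator / RPL fields, and decodes a constructed 8-byte flat 32-bit data descriptor into the {base, limit} pair the answer describes. The descriptor bytes are constructed for the example to match a base of 0 and a limit of FFFFFFFF; they are not read from a live GDT.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded 16-bit segment selector (the value held in CS/DS/SS/ES/FS/GS). */
typedef struct { uint16_t index; int ti; int rpl; } selector_t;

/* Decoded 8-byte descriptor: essentially the {base, limit} pair plus rights. */
typedef struct {
    uint32_t base, limit;          /* limit is the last valid byte offset */
    int present, dpl, is_code, granularity;
} descriptor_t;

selector_t decode_selector(uint16_t sel) {
    selector_t s;
    s.rpl   = sel & 0x3;           /* bits 0-1: requested privilege level */
    s.ti    = (sel >> 2) & 0x1;    /* bit 2: table indicator, 0 = GDT, 1 = LDT */
    s.index = sel >> 3;            /* bits 3-15: slot in that table */
    return s;
}

descriptor_t decode_descriptor(const uint8_t d[8]) {
    descriptor_t r;
    uint32_t raw_limit = d[0] | (d[1] << 8) | ((d[6] & 0x0F) << 16); /* 20 bits */
    r.base        = d[2] | (d[3] << 8) | (d[4] << 16) | ((uint32_t)d[7] << 24);
    r.present     = (d[5] >> 7) & 1;
    r.dpl         = (d[5] >> 5) & 3;
    r.is_code     = (d[5] >> 3) & 1; /* type bit 3 for S=1 (code/data) descriptors */
    r.granularity = (d[6] >> 7) & 1; /* G=1: limit counts 4 KiB pages, not bytes */
    r.limit       = r.granularity ? ((raw_limit << 12) | 0xFFF) : raw_limit;
    return r;
}

/* Constructed flat ring-3 data descriptor: base 0, raw limit 0xFFFFF,
 * access byte 0xF2 (present, DPL 3, data read/write), flags 0xC (G=1, D/B=1). */
const uint8_t FLAT_DATA_DESCRIPTOR[8] = {0xFF, 0xFF, 0x00, 0x00, 0x00, 0xF2, 0xCF, 0x00};

int main(void) {
    selector_t   ds   = decode_selector(0x0023);      /* "DS 0023" from the dump */
    descriptor_t desc = decode_descriptor(FLAT_DATA_DESCRIPTOR);
    printf("DS=0023 -> index %u in %s, RPL %d\n",
           ds.index, ds.ti ? "LDT" : "GDT", ds.rpl);
    printf("descriptor -> base %08X limit %08X DPL %d %s\n",
           (unsigned)desc.base, (unsigned)desc.limit, desc.dpl,
           desc.is_code ? "code" : "data");
    return 0;
}
```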