interpreting the fs register in a 32-bit binary running on a windows 64-bit system


I have found the following code in a 32-bit binary running on a Windows 64-bit system:

mov eax,dword ptr fs:[18]
mov ecx,dword ptr [eax+F70]
mov eax,dword ptr [ecx+78]
ret

It seems that it returns the Win32ThreadInfo address, but I struggle to interpret the offsets because of the 32-bit/64-bit confusion. Is this correct?

mov eax,dword ptr fs:[18]    => eax = TIB address (32-bit interpretation)
mov ecx,dword ptr [eax+F70]  => F70 offset undocumented in TIB ?
mov eax,dword ptr [ecx+78]   => eax = win32threadinfo (64-bit interpretation)
Margaret Bloom (best answer):

WOW64 processes have two TEBs (and two PEBs). The 32-bit TEB (TEB32) is accessible through fs (and its linear address at [fs:0x18]) in the usual way, and the native 64-bit TEB (TEB64) is accessible through a pointer at offset 0xf70 in the TEB32 (see this) or even through gs and [gs:0x30] (though this may be version specific).

The TEB32 of a WOW64 process is not completely identical to that of a real native 32-bit process.

So, your interpretation appears to be correct.
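The pointer chain the answer describes (fs:[0x18] -> TEB32, TEB32+0xF70 -> TEB64, TEB64+0x78 -> Win32ThreadInfo, with TEB64+0x30 being the Self field that [gs:0x30] returns) can be checked without a debugger by replaying the three instructions against a model of the two TEBs. The following C program is an added example, not code from the question or the answer: it lays out only the fields the walk touches, with opaque padding sized so they land at those offsets (the TEB32 field at 0xF70 is the one ntdll's symbols call GdiBatchCount, repurposed under WOW64), plants constructed values in a flat byte array standing in for the 32-bit address space, and then walks the chain exactly as the disassembly does. On a real WOW64 thread the first load would come from the segment register; here FS_BASE, TEB32_VA, TEB64_VA and the planted Win32ThreadInfo value are all constructed. The second function shows the detail the disassembly hides: its `dword ptr` load keeps only the low 32 bits of a 64-bit field.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Partial TEB layouts (added example, not from the post). Only the fields the
   walk touches are named; the padding is sized so the named fields sit at the
   offsets given in the answer: 0x18 and 0xF70 in TEB32, 0x30 and 0x78 in TEB64. */
typedef struct {
    uint8_t  opaque_before_self[0x18];    /* ExceptionList .. ArbitraryUserPointer */
    uint32_t Self;                        /* 0x18: linear address of this TEB32 */
    uint8_t  opaque_middle[0xF70 - 0x1C];
    uint32_t GdiBatchCount;               /* 0xF70: under WOW64 holds the TEB64 address */
} TEB32_PARTIAL;

typedef struct {
    uint8_t  opaque_before_self[0x30];
    uint64_t Self;                        /* 0x30: what [gs:0x30] yields in 64-bit code */
    uint8_t  opaque_middle[0x78 - 0x38];
    uint64_t Win32ThreadInfo;             /* 0x78 */
} TEB64_PARTIAL;

/* Flat model of the process address space: the array index is the virtual
   address, so fs:[0x18] becomes rd32(FS_BASE + 0x18). All values constructed. */
#define MEM_SIZE  0x3000u
#define TEB32_VA  0x0000u   /* fs base == TEB32 base, as in a real 32-bit thread */
#define TEB64_VA  0x2000u   /* constructed location of the native TEB */
#define FS_BASE   TEB32_VA

static _Alignas(8) uint8_t mem[MEM_SIZE];

static uint32_t rd32(uint32_t va) { uint32_t v; memcpy(&v, mem + va, 4); return v; }
static uint64_t rd64(uint32_t va) { uint64_t v; memcpy(&v, mem + va, 8); return v; }
static void wr32(uint32_t va, uint32_t v) { memcpy(mem + va, &v, 4); }
static void wr64(uint32_t va, uint64_t v) { memcpy(mem + va, &v, 8); }

/* Populate both fake TEBs with the pointers the disassembly follows.
   Returns the constructed Win32ThreadInfo value that was planted. */
uint64_t setup_fake_tebs(void) {
    const uint64_t planted = 0xFFFFD000ABCD1234ull;   /* constructed sample value */
    memset(mem, 0, sizeof mem);
    wr32(TEB32_VA + offsetof(TEB32_PARTIAL, Self), TEB32_VA);           /* fs:[0x18] */
    wr32(TEB32_VA + offsetof(TEB32_PARTIAL, GdiBatchCount), TEB64_VA);  /* 0xF70 -> TEB64 */
    wr64(TEB64_VA + offsetof(TEB64_PARTIAL, Self), TEB64_VA);           /* gs:[0x30] route */
    wr64(TEB64_VA + offsetof(TEB64_PARTIAL, Win32ThreadInfo), planted);
    return planted;
}

/* The three instructions from the question, replayed against the model.
   Every load is a dword load, so the result is the low 32 bits of a 64-bit field. */
uint32_t walk_like_the_disassembly(void) {
    uint32_t eax = rd32(FS_BASE + 0x18);   /* mov eax, fs:[18]   -> TEB32 */
    uint32_t ecx = rd32(eax + 0xF70);      /* mov ecx, [eax+F70] -> TEB64 */
    eax = rd32(ecx + 0x78);                /* mov eax, [ecx+78]  -> Win32ThreadInfo (low dword) */
    return eax;
}

/* Same chain, reading the full 64-bit field and first checking that the
   TEB64 candidate points at itself through its Self field (the [gs:0x30] route);
   a mismatch means the assumed layout is wrong and the value is not trusted. */
uint64_t walk_full_width(void) {
    uint32_t teb32 = rd32(FS_BASE + 0x18);
    uint32_t teb64 = rd32(teb32 + 0xF70);
    if (rd64(teb64 + 0x30) != (uint64_t)teb64) return 0;
    return rd64(teb64 + 0x78);
}

int main(void) {
    uint64_t planted = setup_fake_tebs();
    printf("planted        %016llx\n", (unsigned long long)planted);
    printf("dword walk     %08x\n", walk_like_the_disassembly());
    printf("full-width walk %016llx\n", (unsigned long long)walk_full_width());
    return walk_full_width() == planted ? 0 : 1;
}
```

Swapping the model's `rd32(FS_BASE + 0x18)` for a real segment read (for example `__readfsdword(0x18)` under MSVC in a 32-bit build) turns the same walk into a runtime self-check on a WOW64 thread; the Self comparison at 0x30 is the cheap way to notice when a Windows version has moved the TEB64 pointer.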