Tags: assembly, cpu-registers, portable-executable, malware

Interpreting the fs register in a 32-bit binary running on a Windows 64-bit system


I have found the following code in a 32-bit binary running on a Windows 64-bit system:

mov eax,dword ptr fs:[18]
mov ecx,dword ptr [eax+F70]
mov eax,dword ptr [ecx+78]
ret

It seems that it returns the Win32ThreadInfo address, but I struggle to interpret the offsets because of the 32-bit/64-bit confusion. Is this correct?

mov eax,dword ptr fs:[18]    => eax = TIB address (32-bit interpretation)
mov ecx,dword ptr [eax+F70]  => F70 offset undocumented in TIB?
mov eax,dword ptr [ecx+78]   => eax = Win32ThreadInfo (64-bit interpretation)

Solution

WOW64 processes have two TEBs (and two PEBs). The 32-bit TEB (TEB32) is accessible through fs (and its linear address at [fs:0x18]) in the usual way, and the native 64-bit TEB (TEB64) is accessible through a pointer at offset 0xf70 in the TEB32 (see this) or even through gs and [gs:0x30] (though this may be version specific).

The TEB32 of a WOW64 process is not completely identical to that of a real native 32-bit process.

So, your interpretation appears to be correct.
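To make the pointer chain concrete, the following C program (an added example, not code from the question or the answer) replays the three instructions over a constructed, in-memory model of a WOW64 thread's two TEBs: a TEB32 whose NT_TIB.Self slot at 0x18 points to itself and whose slot at 0xF70 holds the TEB64 address, and a TEB64 whose 0x78 slot holds a 64-bit Win32ThreadInfo value. The offsets are those from the page; the addresses and the Win32ThreadInfo values are constructed. The model also records a caveat the original routine silently hides: the final `dword ptr` load keeps only the low 32 bits of a 64-bit field, so the walk reports whether the high dword was non-zero and therefore dropped. The simulated address space, `sim_mem_t`, and the function names are this example's own.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Offsets as given on the page. */
#define TEB32_SELF_OFFSET      0x18   /* NT_TIB.Self: linear address of the TEB32 */
#define TEB32_TEB64_PTR_OFFSET 0xF70  /* WOW64: 32-bit slot holding the TEB64 address */
#define TEB64_WIN32THREADINFO  0x78   /* TEB64.Win32ThreadInfo, a 64-bit field */

/* A flat 32-bit address space modelled as one buffer mapped at `base`.
 * Reads assume a little-endian host, which is what x86 code would see. */
typedef struct {
    uint32_t base;
    uint8_t  bytes[0x3000];
} sim_mem_t;

int sim_read(const sim_mem_t *m, uint32_t addr, void *out, size_t n) {
    if (addr < m->base || (uint64_t)addr - m->base + n > sizeof m->bytes) return 0;
    memcpy(out, m->bytes + (addr - m->base), n);
    return 1;
}

int sim_write(sim_mem_t *m, uint32_t addr, const void *in, size_t n) {
    if (addr < m->base || (uint64_t)addr - m->base + n > sizeof m->bytes) return 0;
    memcpy(m->bytes + (addr - m->base), in, n);
    return 1;
}

/* Result of replaying the three instructions. */
typedef struct {
    int      ok;         /* every memory read was in range */
    uint32_t teb32;      /* eax after `mov eax, fs:[18]` */
    uint32_t teb64;      /* ecx after `mov ecx, [eax+F70]` */
    uint32_t result;     /* eax after `mov eax, [ecx+78]` (what the routine returns) */
    uint64_t full_field; /* the whole 64-bit Win32ThreadInfo slot in the TEB64 */
    int      truncated;  /* non-zero when the dword load dropped a non-zero high half */
} walk_t;

/* Replay the routine. `fs_base` is the linear address the fs segment maps to,
 * i.e. the TEB32 itself, so fs:[18] is TEB32 + 0x18. */
walk_t walk_to_win32threadinfo(const sim_mem_t *m, uint32_t fs_base) {
    walk_t w;
    memset(&w, 0, sizeof w);
    if (!sim_read(m, fs_base + TEB32_SELF_OFFSET, &w.teb32, 4)) return w;
    if (!sim_read(m, w.teb32 + TEB32_TEB64_PTR_OFFSET, &w.teb64, 4)) return w;
    if (!sim_read(m, w.teb64 + TEB64_WIN32THREADINFO, &w.full_field, 8)) return w;
    w.result    = (uint32_t)w.full_field;          /* dword load: low 32 bits only */
    w.truncated = (w.full_field >> 32) != 0;
    w.ok        = 1;
    return w;
}

/* Build a constructed WOW64 image: TEB32 at `teb32`, TEB64 at `teb64`,
 * with `win32threadinfo` stored in the TEB64. Returns 0 if it does not fit. */
int build_wow64_image(sim_mem_t *m, uint32_t teb32, uint32_t teb64, uint64_t win32threadinfo) {
    memset(m->bytes, 0, sizeof m->bytes);
    m->base = teb32;
    return sim_write(m, teb32 + TEB32_SELF_OFFSET, &teb32, 4)
        && sim_write(m, teb32 + TEB32_TEB64_PTR_OFFSET, &teb64, 4)
        && sim_write(m, teb64 + TEB64_WIN32THREADINFO, &win32threadinfo, 8);
}

int main(void) {
    static sim_mem_t m;
    /* Constructed addresses: TEB32 at 0x7FFD0000, TEB64 one page above it. */
    build_wow64_image(&m, 0x7FFD0000u, 0x7FFD1000u, 0x0000000000ABC000ull);
    walk_t w = walk_to_win32threadinfo(&m, 0x7FFD0000u);
    printf("TEB32=%08X TEB64=%08X Win32ThreadInfo(low dword)=%08X truncated=%d\n",
           w.teb32, w.teb64, w.result, w.truncated);

    /* Same walk with a value whose high dword is non-zero: the routine's
     * dword load returns only the low half and the model flags it. */
    build_wow64_image(&m, 0x7FFD0000u, 0x7FFD1000u, 0xFFFFF90100ABC000ull);
    w = walk_to_win32threadinfo(&m, 0x7FFD0000u);
    printf("full field=%016llX returned=%08X truncated=%d\n",
           (unsigned long long)w.full_field, w.result, w.truncated);
    return 0;
}
```

When reversing, the first two reads are what distinguish this routine from a plain 32-bit TEB access: a native 32-bit process has no TEB64 pointer to follow, so a read at TEB32 + 0xF70 followed by a dereference is a useful marker that the code knows it is running under WOW64.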