KiFastSystemCall address
lborup
October 14th, 2008, 08:34
Hi
Being a complete newbie playing around with a disassembler, I am wondering about the following issue when I look at ntdll.dll:
The KiFastSystemCall procedure is located at 7C90E4F2, but the functions that want to enter kernel mode call 7FFE0300h, which appears to be outside the scope of the dll.
Could anybody explain this to me?
Regards,
Lasse
Camus SoNiCo
October 14th, 2008, 10:16
I'm sorry but at that location, I see NtSetContextThread. That function is not calling 7FFE0300h, but the address located there:
7C90E4F7 mov edx,7FFE0300h
7C90E4FC call dword ptr [edx]
That would be [7FFE0300h] = 7c90eb8b -> And this would be KiFastSystemCall
deroko
October 14th, 2008, 11:58
It's part of UserSharedData, memory which is mapped in all processes. At 7FFE0000 is located the struct KUSER_SHARED_DATA:
Code:
+0x300 SystemCall : Uint4B
+0x304 SystemCallReturn : Uint4B
+0x308 SystemCallPad : [3] Uint8B
In other words, call dword ptr [edx] is actually call dword ptr [7FFE0000+KUSER_SHARED_DATA.SystemCall], which is the address where sysenter is located in ntdll.
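As an added example (not code from any poster in this thread), a small Python model of the indirection deroko describes: it lays out the quoted KUSER_SHARED_DATA fields with ctypes to confirm the +0x300 offset, decodes the two-instruction stub Camus SoNiCo quoted (mov edx,7FFE0300h / call dword ptr [edx]), follows the pointer at 7FFE0300h, and checks that the target falls inside ntdll. The ntdll image range, the memory contents and the SystemCallReturn value are constructed assumptions.

```python
import ctypes
import struct

# Constructed model of the 32-bit layout discussed in the thread (assumed values, not from the posts).
USER_SHARED_DATA = 0x7FFE0000                      # KUSER_SHARED_DATA is mapped here in every process
NTDLL_BASE, NTDLL_SIZE = 0x7C900000, 0x000B0000    # assumed ntdll.dll image range
KIFASTSYSTEMCALL = 0x7C90EB8B                      # value the thread reads from [7FFE0300h]
STUB_ADDR = 0x7C90E4F7                             # mov edx,7FFE0300h / call dword ptr [edx]

class KUSER_SHARED_DATA_TAIL(ctypes.Structure):
    """Only the fields quoted in the thread; the first 0x300 bytes are opaque padding."""
    _fields_ = [
        ("pad", ctypes.c_uint8 * 0x300),
        ("SystemCall", ctypes.c_uint32),         # +0x300
        ("SystemCallReturn", ctypes.c_uint32),   # +0x304
        ("SystemCallPad", ctypes.c_uint64 * 3),  # +0x308
    ]

def field_offsets():
    """Offsets ctypes computes for the quoted fields (should match +0x300/+0x304/+0x308)."""
    return {name: getattr(KUSER_SHARED_DATA_TAIL, name).offset
            for name in ("SystemCall", "SystemCallReturn", "SystemCallPad")}

def build_memory():
    """Constructed sparse memory: the shared page plus the 7-byte stub from NtSetContextThread."""
    shared = KUSER_SHARED_DATA_TAIL(SystemCall=KIFASTSYSTEMCALL,
                                    SystemCallReturn=KIFASTSYSTEMCALL + 2)  # assumed value
    mem = {USER_SHARED_DATA + i: b for i, b in enumerate(bytes(shared))}
    stub = b"\xBA" + struct.pack("<I", 0x7FFE0300) + b"\xFF\x12"   # BA imm32 ; FF /2 [edx]
    mem.update({STUB_ADDR + i: b for i, b in enumerate(stub)})
    return mem

def read_u32(mem, addr):
    return struct.unpack("<I", bytes(mem[addr + i] for i in range(4)))[0]

def resolve_syscall_stub(mem, eip):
    """Decode 'mov edx, imm32' then 'call dword ptr [edx]' and follow the indirection,
    returning (edx, call target, whether the target lies inside the ntdll image)."""
    if mem[eip] != 0xBA:
        raise ValueError("expected mov edx, imm32 at %#x" % eip)
    edx = read_u32(mem, eip + 1)
    if (mem[eip + 5], mem[eip + 6]) != (0xFF, 0x12):
        raise ValueError("expected call dword ptr [edx] at %#x" % (eip + 5))
    if edx != USER_SHARED_DATA + field_offsets()["SystemCall"]:
        raise ValueError("pointer %#x is not KUSER_SHARED_DATA.SystemCall" % edx)
    target = read_u32(mem, edx)                     # [7FFE0300h] -> KiFastSystemCall
    in_ntdll = NTDLL_BASE <= target < NTDLL_BASE + NTDLL_SIZE
    return edx, target, in_ntdll
```

On a real 32-bit process the same check amounts to reading the dword at 7FFE0300h and confirming it lands inside the loaded ntdll.dll image.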

lborup
October 15th, 2008, 02:19
Thanks for the quick replies, guess I should read on in my "Windows Internals" about shared memory.
Best Regards,
Lasse
aionescu
October 20th, 2008, 10:54
Quote:
[Originally Posted by deroko;77363] It's part of UserSharedData, memory which is mapped in all processes. At 7FFE0000 is located the struct KUSER_SHARED_DATA:
Code:
+0x300 SystemCall : Uint4B
+0x304 SystemCallReturn : Uint4B
+0x308 SystemCallPad : [3] Uint8B
In other words, call dword ptr [edx] is actually call dword ptr [7FFE0000+KUSER_SHARED_DATA.SystemCall], which is the address where sysenter is located in ntdll.
Or SYSCALL or INT 2E depending on your machine.