A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #9190  by lorddoskias
 Sun Oct 16, 2011 11:13 am
I'm doing some exploration work on win 7 x32 and here is what I've got:
kd> uf nt!PsGetCurrentProcess
nt!PsGetCurrentProcess:
8269a23c 64a124010000    mov     eax,dword ptr fs:[00000124h]
8269a242 8b4050          mov     eax,dword ptr [eax+50h]
8269a245 c3              ret
Then:
kd> dps fs:00000124
0030:00000124  85e007d8
0030:00000128  00000000
0030:0000012c  82743280 nt!KiInitialThread
0030:00000130  00000100
0030:00000134  170a0106
0030:00000138  0001003f
0030:0000013c  00000000
0030:00000140  00000000
0030:00000144  00000000
0030:00000148  00000000
0030:0000014c  00000000
0030:00000150  00000000
0030:00000154  82a25ba9 hal!KfLowerIrql+0x61
0030:00000158  00000000
0030:0000015c  84bd1100
0030:00000160  94a7b138
0030:00000164  86a27a3d Ntfs!NtfsLookupNtfsMcbEntry+0x1d1
0030:00000168  94a7b298
0030:0000016c  84b66bd0
0030:00000170  84b9d0d8
0030:00000174  00000000
0030:00000178  00000000
0030:0000017c  00000000
0030:00000180  94a7b250
0030:00000184  86a2499b Ntfs!NtfsLookupAllocation+0x71
0030:00000188  84b66cb0
0030:0000018c  000011e8
0030:00000190  00000000
0030:00000194  94a7b2a0
0030:00000198  94a7b298
0030:0000019c  00000000
0030:000001a0  00000000
Why do I get a whole plethora of stuff, whereas I should probably get exactly the first line:
0030:00000124  85e007d8
And also, isn't nt!KiInitialThread supposed to reside at the aforementioned address? Checking with !thread -p, I indeed confirm that the ETHREAD struct is at this particular address, but isn't this address supposed to resolve to nt!KiInitialThread?
kd> !thread -p 
PROCESS 857a2030  SessionId: 1  Cid: 07d0    Peb: 7ffdf000  ParentCid: 07ac
    DirBase: 3ee87380  ObjectTable: 8cd3a008  HandleCount: 597.
    Image: explorer.exe

THREAD 85e007d8  Cid 07d0.08ac  Teb: 7ffa8000 Win32Thread: 00000000 RUNNING on processor 0
Not impersonating
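As an added example (not part of the post and not written by its author), the following Python script parses the `dps` and `!thread -p` output quoted above and labels the KPCR offsets. It assumes the Windows 7 x86 layout, in which KPCR.PrcbData begins at offset 0x120 and KPRCB holds CurrentThread at +0x4, NextThread at +0x8 and IdleThread at +0xC; those field names are an assumption of the example, not something the post states. Under that layout fs:[0x124] is the current thread, which is why the first DWORD equals the THREAD address that !thread -p reports, and the entry at fs:[0x12c] is the idle-thread slot, where nt!KiInitialThread lives. The 32 entries in the post are simply the default range dps dumps when no length is given; only the first five are embedded here.

```python
import re

# Sample text copied from the post above: the first lines of `dps fs:00000124`
# and the PROCESS/THREAD lines of `!thread -p` (embedded here, not captured live).
DPS_OUTPUT = """\
0030:00000124  85e007d8
0030:00000128  00000000
0030:0000012c  82743280 nt!KiInitialThread
0030:00000130  00000100
0030:00000134  170a0106
"""

BANG_THREAD_OUTPUT = """\
PROCESS 857a2030  SessionId: 1  Cid: 07d0    Peb: 7ffdf000  ParentCid: 07ac
THREAD 85e007d8  Cid 07d0.08ac  Teb: 7ffa8000 Win32Thread: 00000000 RUNNING on processor 0
"""

# Assumption (not stated in the post): Windows 7 x86 layout, where KPCR.PrcbData
# sits at 0x120 and KPRCB has CurrentThread at +0x4, NextThread at +0x8 and
# IdleThread at +0xC. fs:[0x124] is therefore Prcb.CurrentThread.
KPCR_FIELDS = {
    0x124: "Prcb.CurrentThread",
    0x128: "Prcb.NextThread",
    0x12C: "Prcb.IdleThread",
}

# One `dps` line: segment:offset, the pointer-sized value, optional symbol.
DPS_LINE = re.compile(
    r"^(?P<seg>[0-9a-fA-F]{4}):(?P<off>[0-9a-fA-F]{8})\s+(?P<val>[0-9a-fA-F]{8})"
    r"(?:\s+(?P<sym>\S+))?\s*$"
)


def parse_dps(text):
    """Return [(offset, value, symbol_or_None)] for each dps line; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = DPS_LINE.match(line.strip())
        if not m:
            continue
        entries.append((int(m.group("off"), 16), int(m.group("val"), 16), m.group("sym")))
    return entries


def annotate(entries):
    """Attach the assumed KPCR field name to each entry; offsets outside the table get None."""
    return [(off, val, sym, KPCR_FIELDS.get(off)) for off, val, sym in entries]


def current_thread(entries):
    """The DWORD at fs:[0x124], i.e. what the first instruction of PsGetCurrentProcess loads."""
    for off, val, _ in entries:
        if off == 0x124:
            return val
    raise ValueError("offset 0x124 not present in dps output")


def bang_thread_address(text):
    """Pull the THREAD address out of `!thread` output."""
    m = re.search(r"^THREAD\s+([0-9a-fA-F]{8})", text, re.M)
    if not m:
        raise ValueError("no THREAD line found")
    return int(m.group(1), 16)


def explain(dps_text, thread_text):
    """Cross-check fs:[0x124] against !thread and print each entry with its assumed field name."""
    entries = parse_dps(dps_text)
    cur = current_thread(entries)
    shown = bang_thread_address(thread_text)
    verdict = "matches" if cur == shown else "differs from"
    lines = [f"fs:[0x124] = {cur:08x}  ({verdict} !thread's THREAD {shown:08x})"]
    for off, val, sym, name in annotate(entries):
        lines.append(f"  fs:[{off:04x}] = {val:08x}  {name or '?':<20} {sym or ''}".rstrip())
    return "\n".join(lines)


if __name__ == "__main__":
    print(explain(DPS_OUTPUT, BANG_THREAD_OUTPUT))
```

Running it shows the first DWORD (85e007d8) agreeing with the THREAD line, and nt!KiInitialThread sitting in the Prcb.IdleThread slot rather than in CurrentThread. The second dereference in the disassembly, [eax+50h], is KTHREAD.ApcState.Process on this assumed layout, which is how the function arrives at the EPROCESS (857a2030 in the !thread output).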