A forum for reverse engineering, OS internals and malware analysis 

KUSER_SHARED_DATA

Forum for discussion about user-mode development.

KUSER_SHARED_DATA

 #20949  by Xearinox
 Tue Sep 24, 2013 2:58 pm
Hello.

How to access KUSER_SHARED_DATA structure directly from usermode?

Thanks.

Re: KUSER_SHARED_DATA

 #20951  by rinn
 Tue Sep 24, 2013 3:08 pm
Hello.

Cast it as a structure pointer with absolute address.

Best Regards
-rin

Re: KUSER_SHARED_DATA

 #20953  by Xearinox
 Tue Sep 24, 2013 3:19 pm
Hello rinn, thanks for response, do you mean something like this:
Code: Select all
KUSER_SHARED_DATA* kusd = (KUSER_SHARED_DATA*)0x7FFE0000;


???

Re: KUSER_SHARED_DATA

 #20954  by EP_X0FF
 Tue Sep 24, 2013 3:37 pm
It is R/O memory region of a PAGE_SIZE mapped at fixed address in user mode. Just use it address as a pointer like rinn already said. This doesn't working for you?

Re: KUSER_SHARED_DATA

 #20956  by Xearinox
 Tue Sep 24, 2013 4:33 pm
Yes I know that address is in the fixed address in all Windows NT+ versions.

But working with memory is my weakness. :-(

I ask because, if it is read only memory mapped in every process, is this struct members 100% accurate, for example can we will assume, that no USERMODE process can not change this?

Re: KUSER_SHARED_DATA

 #20962  by TheExecuter
 Tue Sep 24, 2013 8:41 pm
usermode processes can;

vprotect(....,0x40,&oldprotect)
writeprocessmemory(...)
vprotect(....,oldprotect,&temp)

so yes.
 Return to “User-Mode Development”