stackoom
  简体   繁体   中英

Windows virtual memory and kernel mode

 原文  2014-04-30 19:27:49       c++/ c/ windows/ memory/ internals

Question

I know that in 32-bit architecture the kernel mode virtual memory is mapped between 0x80000000 and 0xFFFFFFFF .

It contains some structures as EPROCESS , ETHREAD ... etc and also the page directories and tables for the current process.

While trying to fetch the virtual address of a certain function is ntoskrnl let's say "nt!NtReadFile" I find that's it's mapped in the kernel virtual address 0x89421130 for example.

I tried to patch some nops after the RET with a random instruction and when switching to another process context I found that the instruction I put is still there.

Does that mean that virtual memory where Ntoskrnl is loaded stays unchanged in every process virtual address space ?

Thanks.

1 answers

solution1
 3 ACCPTED  2014-04-30 20:34:58

Does that mean that virtual memory where Ntoskrnl is loaded stays unchanged in every process virtual address space?

Yes. There is one copy of the kernel in memory on a running Windows system, and the exact same kernel address space (ie 0x80000000-0xFFFFFFFF on 32-bit) is mapped into every process.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Shared Memory Between User Mode and Kernel Mode when will virtual memory be used (windows)? Get variables datatypes in kernel mode drivers windows Is there an equivalent of RegQueryInfoKey for Windows Kernel Mode Drivers? Accessing user-mode memory inside kernel-mode driver Windows 10 OpenGL BSOD, "Kernel Mode Trap" Opening named shared memory in windows kernel Large continuous virtual memory allocation on Windows Is there any memory virtual file API in Windows? Shared memory between kernel and user mode. How to share handle?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM