A forum for reverse engineering, OS internals and malware analysis 

Convert memory address

Ask your beginner questions here.

Convert memory address

 #22505  by Carlbyte
 Fri Mar 21, 2014 12:35 pm
Hello,

I'm extracting the context of a thread in kernel mode. The memory addresses this context are kernel mode, but I need to convert these addresses to be used in user mode. How to do this conversion?

Thanks

Re: Convert memory address

 #22506  by EP_X0FF
 Fri Mar 21, 2014 12:47 pm
Hello,

can you tell more details, because from what you wrote you will get memory address pointing to anywhere including unallocated memory.

Re: Convert memory address

 #22507  by Carlbyte
 Fri Mar 21, 2014 1:23 pm
I searched the internet for a way to extract the context of a thread through a driver. This working fine, no problems.

see http://blog.airesoft.co.uk/2009/02/grab ... lorer-way/

This extracted context contains memory addresses 0x80 kernel level ... and I'd like to send this context for the userland program to use it, because there are some limitations to extract the context of certain processes.

KERNEL MODE CONTEXT -> EIP 805459FB ESP A7AA696C EBP A7AA69BC

USER MODE CONTEXT -> EIP 7C90E514 ESP FBFD48 EBP FBFD98

Re: Convert memory address

 #22509  by EP_X0FF
 Fri Mar 21, 2014 3:13 pm
If I understand you correctly. You surprised to see kernel mode addresses in thread stack?
You understand that any thread executes in UM/KM?
Code: Select all
ntoskrnl.exe!KiSwapContext+0x7a
ntoskrnl.exe!KiCommitThreadWait+0x1d2
ntoskrnl.exe!KeWaitForMultipleObjects+0x272
ntoskrnl.exe!ObpWaitForMultipleObjects+0x294
ntoskrnl.exe!NtWaitForMultipleObjects+0xe5
ntoskrnl.exe!KiSystemServiceCopyEnd+0x13
ntdll.dll!ZwWaitForMultipleObjects+0xa
ntdll.dll!TppWaiterpThread+0x14d
kernel32.dll!BaseThreadInitThunk+0xd
ntdll.dll!RtlUserThreadStart+0x1d
Code: Select all
ntoskrnl.exe!KiSwapContext+0x7a
ntoskrnl.exe!KiCommitThreadWait+0x1d2
ntoskrnl.exe!KeWaitForMultipleObjects+0x272
ntoskrnl.exe!ObpWaitForMultipleObjects+0x294
ntoskrnl.exe!NtWaitForMultipleObjects+0xe5
ntoskrnl.exe!KiSystemServiceCopyEnd+0x13
ntdll.dll!ZwWaitForMultipleObjects+0xa
KERNELBASE.dll!WaitForMultipleObjectsEx+0xe8
kernel32.dll!WaitForMultipleObjects+0xb0
dwmcore.dll!CMilChannel::WaitForNextMessage+0xc2
dwmcore.dll!MilComposition_WaitForNextMessage+0x6d
dwmredir.dll!CMilWindowManager::WaitForMultipleObjects+0xea
Dwm.exe!CSessionPort::WaitForMultipleObjects+0x21
Dwm.exe!CPortBase::PortThreadInternal+0x49
Dwm.exe!CPortBase::PortThread+0x9
kernel32.dll!BaseThreadInitThunk+0xd
ntdll.dll!RtlUserThreadStart+0x1d
 Return to “Newbie Questions”