A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #2212  by Poison
 Mon Aug 23, 2010 4:58 pm
Is the LDT base always equal to 0xdead0000 on a real OS (with all Windows NT versions and all processors)?
Thx ;)
 #2998  by j00ru
 Sun Oct 10, 2010 10:35 am
Excuse me, but where did you take the magic 0xdead0000 address from?

LDT (Local Descriptor Table) is an optional structure, created on a per-process basis - as described in the paper. The kernel memory addressing (unlike the user-mode part) is shared amongst all process contexts, therefore one specific address like 0xdead0000 cannot be assigned to multiple programs.

Besides, the table is allocated upon an application's request, i.e. by calling the NtSetLdtEntries native routine. If one takes a look at its implementation (either by disassembling the kernel executable, or by checking the WRK contents), it turns out that the above call boils down to the following piece of code:
    Ldt = ExAllocatePoolWithTag (NonPagedPool, AllocatedSize, 'dLsP');

    if (Ldt == NULL) {
        Status = STATUS_INSUFFICIENT_RESOURCES;
        goto SetLdtEntriesCleanup;
    }
Since the allocation is performed at a relatively advanced stage of the system session, the resulting pool address is very unlikely to be foreseeable by the user. I hope this answers your question :-)
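As an added illustration of what an LDT entry actually carries (this is example code written for this page, not WRK or kernel code, and not part of either post above): the 32-bit base of a segment is not stored in one field but split across three pieces of the 8-byte descriptor, so "the LDT base" only means something once you decode the slot. The block below encodes and decodes an x86 segment descriptor following the layout in the Intel SDM (Vol. 3, "Segment Descriptors"), and runs a plausibility check of the kind a kernel must perform before installing a caller-supplied entry. The check's rules (present, non-system, DPL 3, fits below a 2 GB user-space ceiling) and the sample descriptors are assumptions made for the example; the real validation logic lives in the WRK source next to the allocation quoted above.

```c
/* Added example: x86 segment descriptor encode/decode plus a user-mode
 * plausibility check. Not WRK code. USER_SPACE_TOP (2 GB split) and the
 * check rules are assumptions for illustration only. */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint32_t base;   /* 32-bit linear base, stored in three scattered fields */
    uint32_t limit;  /* 20-bit limit, in bytes (g == 0) or 4 KB pages (g == 1) */
    uint8_t  type;   /* 4-bit type, e.g. 0x2 = read/write data */
    uint8_t  s;      /* 1 = code/data segment, 0 = system (TSS, LDT, gate) */
    uint8_t  dpl;    /* descriptor privilege level 0..3 */
    uint8_t  p;      /* present */
    uint8_t  avl, l, db, g;
} seg_desc_t;

#define USER_SPACE_TOP 0x7FFFFFFFu  /* assumption: classic 2 GB user / 2 GB kernel */

uint64_t seg_encode(const seg_desc_t *d)
{
    uint64_t r = 0;
    r |= (uint64_t)(d->limit & 0xFFFFu);                 /* limit[15:0]  */
    r |= (uint64_t)(d->base & 0xFFFFu) << 16;            /* base[15:0]   */
    r |= (uint64_t)((d->base >> 16) & 0xFFu) << 32;      /* base[23:16]  */
    r |= (uint64_t)(d->type & 0xFu) << 40;
    r |= (uint64_t)(d->s & 1u) << 44;
    r |= (uint64_t)(d->dpl & 3u) << 45;
    r |= (uint64_t)(d->p & 1u) << 47;
    r |= (uint64_t)((d->limit >> 16) & 0xFu) << 48;      /* limit[19:16] */
    r |= (uint64_t)(d->avl & 1u) << 52;
    r |= (uint64_t)(d->l & 1u) << 53;
    r |= (uint64_t)(d->db & 1u) << 54;
    r |= (uint64_t)(d->g & 1u) << 55;
    r |= (uint64_t)((d->base >> 24) & 0xFFu) << 56;      /* base[31:24]  */
    return r;
}

void seg_decode(uint64_t r, seg_desc_t *d)
{
    d->limit = (uint32_t)(r & 0xFFFFu) | (uint32_t)((r >> 48) & 0xFu) << 16;
    d->base  = (uint32_t)((r >> 16) & 0xFFFFu)
             | (uint32_t)((r >> 32) & 0xFFu) << 16
             | (uint32_t)((r >> 56) & 0xFFu) << 24;
    d->type = (r >> 40) & 0xF;  d->s   = (r >> 44) & 1;  d->dpl = (r >> 45) & 3;
    d->p    = (r >> 47) & 1;    d->avl = (r >> 52) & 1;  d->l   = (r >> 53) & 1;
    d->db   = (r >> 54) & 1;    d->g   = (r >> 55) & 1;
}

uint32_t seg_base(uint64_t r) { seg_desc_t d; seg_decode(r, &d); return d.base; }

/* Highest valid offset: with page granularity the low 12 bits are all ones. */
uint32_t seg_byte_limit(uint64_t r)
{
    seg_desc_t d; seg_decode(r, &d);
    return d.g ? (d.limit << 12) | 0xFFFu : d.limit;
}

/* Illustrative user-mode check: empty slot is fine; otherwise the entry must be
 * present, a code/data (non-system) segment, DPL 3, and lie within user space. */
int seg_user_ok(uint64_t r)
{
    seg_desc_t d;
    if (r == 0) return 1;
    seg_decode(r, &d);
    if (!d.p || !d.s || d.dpl != 3) return 0;
    if ((uint64_t)d.base + seg_byte_limit(r) > USER_SPACE_TOP) return 0;
    return 1;
}

int seg_roundtrip_ok(uint64_t r) { seg_desc_t d; seg_decode(r, &d); return seg_encode(&d) == r; }

/* Constructed sample descriptors (assumed values, 1 MB byte-granular data segment). */
static seg_desc_t sample(uint32_t base, uint8_t dpl)
{
    seg_desc_t d = {0};
    d.base = base; d.limit = 0xFFFFF; d.type = 0x2; d.s = 1; d.dpl = dpl; d.p = 1; d.db = 1;
    return d;
}
uint64_t example_user_entry(void)     { seg_desc_t d = sample(0x12345678u, 3); return seg_encode(&d); }
uint64_t example_ring0_entry(void)    { seg_desc_t d = sample(0x12345678u, 0); return seg_encode(&d); }
uint64_t example_oversize_entry(void) { seg_desc_t d = sample(0x7FFFF000u, 3); return seg_encode(&d); }

int main(void)
{
    uint64_t r = example_user_entry();
    printf("raw=%016llx base=%08x limit=%05x user_ok=%d\n",
           (unsigned long long)r, seg_base(r), seg_byte_limit(r), seg_user_ok(r));
    printf("ring0 entry user_ok=%d, oversize entry user_ok=%d\n",
           seg_user_ok(example_ring0_entry()), seg_user_ok(example_oversize_entry()));
    return 0;
}
```

The point of the check is the overflow in the last comparison: base plus limit is computed in 64 bits, because a 32-bit sum of a high base and a large limit wraps around and would let a descriptor that reaches into kernel memory pass as if it ended somewhere low in user space.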