How to programatically acquire KPCR - Page 2

#23751 by Vrtule
Tue Sep 02, 2014 8:39 pm

Hello,

PKPCR pKpCR = (PKPCR) _readgsdword(FIELD_OFFSET(KPCR, Self));

You should use something like readgsqword if such a macro exists. Otherwise, you get only the lower 32 bits of the pointer which makes it corrupted.

Username

Vrtule

Posts

468

Joined

Sat Mar 13, 2010 9:14 pm

Location

Czech Republic

Contact

Re: How to programatically acquire KPCR

#23755 by EP_X0FF
Wed Sep 03, 2014 3:10 am

http://gate.upm.ro/os/LABs/Windows_OS_I ... nc/amd64.h

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: How to programatically acquire KPCR

#23765 by g4mbit
Wed Sep 03, 2014 1:13 pm

I'm not sure I get why you gave that link. I do have the complete structure already but thanks anyways ;)

I've read (can't remember exactly where) that in x64, the kdVersionBlock might be zero'd out and that a different technique needed to be used to access it. Do you guys know anything about that? Or how I can get a hold of that structure?

Username

g4mbit

Posts

Joined

Tue Sep 02, 2014 2:20 pm

Re: How to programatically acquire KPCR

#23766 by EP_X0FF
Wed Sep 03, 2014 1:27 pm

g4mbit wrote:I'm not sure I get why you gave that link. I do have the complete structure already but thanks anyways ;)

Because it have ready to use KeGetPcr and KeGetCurrentPrcb for x86-x64.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: How to programatically acquire KPCR

#23790 by g4mbit
Fri Sep 05, 2014 12:22 pm

Thank you!

Username

g4mbit

Posts

Joined

Tue Sep 02, 2014 2:20 pm

Page 2 of 2
15 posts

Return to “Newbie Questions”

Display:

Sort by:

Jump to: