Excuse me, but where did you take the magic 0xdead0000 address from?
LDT (Local Descriptor Table) is an optional structure, created on a per-process basis - as described in the paper. The kernel memory addressing (unlike the user-mode part) is shared amongst all process contexts, therefore one specific address like 0xdead0000 cannot be assigned to multiple programs.
Besides, the table is allocated upon the application's request, i.e. by calling the NtSetLdtEntries native routine. If one takes a look at its implementation (either by disassembling the kernel executable, or checking the WRK contents), it turns out that the above call boils down to the following piece of code:
Code:

    Ldt = ExAllocatePoolWithTag (NonPagedPool, AllocatedSize, 'dLsP');
    if (Ldt == NULL) {
        Status = STATUS_INSUFFICIENT_RESOURCES;
        goto SetLdtEntriesCleanup;
    }

Since the allocation is being performed in a relatively advanced stage of the system session, the resulting pool address is very unlikely to be foreseen by the user. I hope this answers your question.