Using !kuser to find _KUSER_SHARED_DATA

The _KUSER_SHARED_DATA structure contains some interesting information related to the currently logged on user. We can obtain the address of this data structure by using the !kuser extension in WinDbg. Most of the fields aren't officially documented from what I can find, but you should easily be able to work out what they mean from their names.



Dumping that address as a _KUSER_SHARED_DATA structure produces the following (structure output omitted):


There are some debugging bit fields within this structure, so you can check which debugging features have been enabled for that user. It also contains some basic system information.
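As an added example (not code from the original post), the following C program decodes a few of those fields directly from the structure's bytes, the way WinDbg's dt command does with symbols: the NT version, product type, suite mask, the KdDebuggerEnabled byte and the Dbg* bits of SharedDataFlags. The field offsets (0x30, 0x264, 0x26C, 0x270, 0x2D0, 0x2D4, 0x2F0) and bit meanings are my assumptions from the layouts WinDbg shows on Windows 7 through Windows 10/11, not something the post documents; later bits of SharedDataFlags change between releases, so only the first four are named. On Windows the same page is mapped read-only into every process at 0x7FFE0000 and the program reads it from there; elsewhere it decodes a constructed sample page so it runs offline.

```c
/* Added example: decode selected _KUSER_SHARED_DATA fields by offset.
 * Offsets/bit meanings are assumptions taken from WinDbg "dt" output on
 * Windows 7 - 10/11, not from the original post. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KUSER_PAGE_SIZE 0x1000u

/* Field offsets as WinDbg prints them (assumed layout, see lead-in). */
#define OFF_NtSystemRoot      0x030u  /* WCHAR[260], UTF-16LE */
#define OFF_NtProductType     0x264u  /* ULONG: 1 WinNt, 2 LanManNt, 3 Server */
#define OFF_NtMajorVersion    0x26Cu
#define OFF_NtMinorVersion    0x270u
#define OFF_SuiteMask         0x2D0u
#define OFF_KdDebuggerEnabled 0x2D4u  /* UCHAR; bit 0 = kernel debugging enabled */
#define OFF_SharedDataFlags   0x2F0u  /* ULONG holding the Dbg* bit fields */

typedef struct {
    char     system_root[261];      /* NtSystemRoot narrowed to ASCII */
    uint32_t product_type;
    uint32_t major, minor;
    uint32_t suite_mask;
    uint8_t  kd_debugger_enabled;   /* raw byte */
    int      kd_enabled;            /* bit 0 of KdDebuggerEnabled */
    uint32_t shared_data_flags;     /* raw ULONG */
    int      dbg_error_port_present; /* SharedDataFlags bit 0 */
    int      dbg_elevation_enabled;  /* bit 1: UAC elevation */
    int      dbg_virt_enabled;       /* bit 2: UAC file/registry virtualization */
    int      dbg_installer_detect;   /* bit 3: installer detection */
} kuser_info;

/* x86/x64 are little-endian; assemble explicitly so the decoder is host-independent. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Returns 0 on success, -1 if the buffer is too short for the fields read here. */
int decode_kuser_shared(const uint8_t *page, size_t len, kuser_info *out) {
    if (page == NULL || out == NULL || len < OFF_SharedDataFlags + 4) return -1;
    memset(out, 0, sizeof *out);
    for (size_t i = 0; i < 260; i++) {          /* UTF-16LE -> ASCII, stop at NUL */
        uint16_t wc = (uint16_t)(page[OFF_NtSystemRoot + 2 * i] |
                                 (page[OFF_NtSystemRoot + 2 * i + 1] << 8));
        if (wc == 0) break;
        out->system_root[i] = (wc < 0x80) ? (char)wc : '?';
    }
    out->product_type        = rd32(page + OFF_NtProductType);
    out->major               = rd32(page + OFF_NtMajorVersion);
    out->minor               = rd32(page + OFF_NtMinorVersion);
    out->suite_mask          = rd32(page + OFF_SuiteMask);
    out->kd_debugger_enabled = page[OFF_KdDebuggerEnabled];
    out->kd_enabled          = (out->kd_debugger_enabled & 1u) != 0;
    out->shared_data_flags   = rd32(page + OFF_SharedDataFlags);
    out->dbg_error_port_present = (out->shared_data_flags & 0x1u) != 0;
    out->dbg_elevation_enabled  = (out->shared_data_flags & 0x2u) != 0;
    out->dbg_virt_enabled       = (out->shared_data_flags & 0x4u) != 0;
    out->dbg_installer_detect   = (out->shared_data_flags & 0x8u) != 0;
    return 0;
}

/* Constructed sample page (not a capture from a real machine) so the decoder
 * can be exercised where the real page is not mapped. Returns bytes written. */
size_t build_sample_page(uint8_t *page, size_t len) {
    if (page == NULL || len < KUSER_PAGE_SIZE) return 0;
    memset(page, 0, KUSER_PAGE_SIZE);
    const char *root = "C:\\Windows";
    for (size_t i = 0; root[i]; i++) page[OFF_NtSystemRoot + 2 * i] = (uint8_t)root[i];
    wr32(page + OFF_NtProductType, 1);       /* workstation */
    wr32(page + OFF_NtMajorVersion, 10);
    wr32(page + OFF_NtMinorVersion, 0);
    wr32(page + OFF_SuiteMask, 0x110);
    page[OFF_KdDebuggerEnabled] = 0x03;      /* kernel debugging on in this sample */
    wr32(page + OFF_SharedDataFlags, 0x0A);  /* elevation + installer detect bits */
    return KUSER_PAGE_SIZE;
}

int main(void) {
    uint8_t buf[KUSER_PAGE_SIZE];
    const uint8_t *page;
#ifdef _WIN32
    (void)buf;
    page = (const uint8_t *)0x7FFE0000;      /* fixed user-mode mapping of the page */
#else
    build_sample_page(buf, sizeof buf);
    page = buf;
#endif
    kuser_info info;
    if (decode_kuser_shared(page, KUSER_PAGE_SIZE, &info) != 0) return 1;
    printf("NtSystemRoot=%s NT %u.%u product=%u suite=0x%x\n",
           info.system_root, info.major, info.minor, info.product_type, info.suite_mask);
    printf("KdDebuggerEnabled=0x%02x (enabled=%d) SharedDataFlags=0x%x elevation=%d virt=%d installer=%d\n",
           info.kd_debugger_enabled, info.kd_enabled, info.shared_data_flags,
           info.dbg_elevation_enabled, info.dbg_virt_enabled, info.dbg_installer_detect);
    return 0;
}
```

Because the decoder works on raw bytes, the same function can be pointed at a page dumped from a crash dump or a memory image, which is useful when you want to check the debugger and UAC state of a system you are analysing offline rather than one you are attached to.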

Additional Reading:

The System Call Dispatcher on x86

struct KUSER_SHARED_DATA
