Question

I know that in 32-bit architecture the kernel mode virtual memory is mapped between 0x80000000 and 0xFFFFFFFF.

It contains some structures such as EPROCESS, ETHREAD, etc., and also the page directories and tables for the current process.

While trying to fetch the virtual address of a certain function in ntoskrnl, let's say "nt!NtReadFile", I find that it's mapped at the kernel virtual address 0x89421130, for example.

I tried to patch some NOPs after the RET with a random instruction, and when switching to another process context I found that the instruction I put there is still there.

Does that mean that the virtual memory where Ntoskrnl is loaded stays unchanged in every process's virtual address space?

Thanks.


Solution

Does that mean that virtual memory where Ntoskrnl is loaded stays unchanged in every process virtual address space?

Yes. There is one copy of the kernel in memory on a running Windows system, and the exact same kernel address space (i.e. 0x80000000-0xFFFFFFFF on 32-bit) is mapped into every process.
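The mechanism behind this answer, as an added toy model that is not code from the question or the answer: on 32-bit non-PAE x86, Windows copies the kernel half of the system page directory (PDE indices 512..1023, i.e. everything from 0x80000000 up) into every new process's page directory, so the kernel half of each process points at the same page tables and physical frames while the user half is private. The address 0x89421130 is taken from the question; the frame numbers and the byte written are constructed.

```python
# Toy 32-bit non-PAE paging: 10-bit PDE index, 10-bit PTE index, 12-bit page offset.
PAGE_SIZE = 0x1000
KERNEL_BASE = 0x80000000
KERNEL_PDE_START = KERNEL_BASE >> 22   # PDE index 512: first kernel-half entry

physical = {}   # constructed physical memory: page frame number -> bytearray

def frame(pfn):
    """Backing bytes of a physical frame, allocated on first use."""
    return physical.setdefault(pfn, bytearray(PAGE_SIZE))

def pde_index(va): return (va >> 22) & 0x3FF   # top 10 bits of the VA
def pte_index(va): return (va >> 12) & 0x3FF   # next 10 bits of the VA

def translate(page_directory, va):
    """Walk PDE -> PTE -> frame and return the physical address, or None if unmapped."""
    page_table = page_directory.get(pde_index(va))
    if page_table is None:
        return None
    pfn = page_table.get(pte_index(va))
    if pfn is None:
        return None
    return (pfn << 12) | (va & 0xFFF)

def read_byte(page_directory, va):
    pa = translate(page_directory, va)
    return frame(pa >> 12)[pa & 0xFFF]

def write_byte(page_directory, va, value):
    pa = translate(page_directory, va)
    frame(pa >> 12)[pa & 0xFFF] = value

# Shared system page tables for the kernel half (constructed: the page that holds
# the question's nt!NtReadFile address 0x89421000 is backed by frame 0x1234).
kernel_page_tables = {pde_index(0x89421000): {pte_index(0x89421000): 0x1234}}

def create_process(user_page_tables):
    """Per-process page directory: private user half plus the shared kernel half.
    The kernel PDEs are the same page-table objects in every process, not copies."""
    pd = dict(user_page_tables)
    for idx, pt in kernel_page_tables.items():
        assert idx >= KERNEL_PDE_START
        pd[idx] = pt
    return pd

# Two processes whose user-mode address 0x00400000 maps to different frames.
proc_a = create_process({pde_index(0x00400000): {pte_index(0x00400000): 0x100}})
proc_b = create_process({pde_index(0x00400000): {pte_index(0x00400000): 0x200}})

def demo():
    write_byte(proc_a, 0x89421130, 0x42)   # store a marker byte in A's context
    return {"kernel_pa_a": translate(proc_a, 0x89421130),
            "kernel_pa_b": translate(proc_b, 0x89421130),
            "user_pa_a": translate(proc_a, 0x00400000),
            "user_pa_b": translate(proc_b, 0x00400000),
            "seen_from_b": read_byte(proc_b, 0x89421130)}   # same byte, other context
```

The kernel VA resolves to the same physical byte from both contexts, which is why a change made there is visible after a context switch, while the user VA resolves to a different frame in each process.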

Licensed under: CC-BY-SA with attribution