Using !kuser to find _KUSER_SHARED_DATA

The _KUSER_SHARED_DATA structure contains some interesting information related to the currently logged on user, we can obtain the address of this data structure by using the !kuser extension in WinDbg. Most of the fields aren't officially documented from what I can find, but you should be easily be able to work out what they mean from their names.



Using the address with the _KUSER_SHARED_DATA will provide the following (omitted structure):


There is some debugging bit fields within this structure, so you can check what debugging features have been enabled for that user. It also contains some basic system information.

Additional Reading:

The System Call Dispatcher on x86

struct KUSER_SHARED_DATA




Comments

Post a Comment

Popular posts from this blog

Debugging Stop 0x1E - Finding the Exception Record Address in the Stack

Image
This is going to be a very short blog post, just to demonstrate how to find the Exception Record address in the stack, and how many times it seems to appear within the call stack. Interestingly, but not unsurprisingly, the exception code wasn't passed to any of the exception handlers in the call stack. The blue highlighting is the address of the exception record, and the green highlighting is the address of the trap frame which contains the last saved context. The !exchain extension shows all the exception handlers in the call stack. The _CONTEXT data structure can show us the saved registers from the trap frame. Please note I've omitted this data structure to the main registers.
Read more

Windows Access Tokens - !token and _TOKEN

Image
Windows needs to ensure that untrusted code and untrusted users aren't accessing important areas of the operating system, and creating problems which would ultimately lead to a vast number of BSODs. Windows manages this through Access Tokens which are used to identify the security context of a process/thread and a user. Access Tokens take two main forms: a Primary access token and a Impersonation access token. The Access Token additionally has two important features which are integral to security validation: SIDs (Security Identifiers) and a Privilege Array which contains the privileges allowed for that object. The token type can be found within a enumeration called TOKEN_TYPE.   The data structure can be found under the TokenType field within the _TOKEN structure. The Primary type determines the security context of the process for the currently logged on user, and the Impersonation type allows a thread to temporarily use a different security context. The Token type can also ...
Read more

Virtual to Physical Address Translation (Part 3)

Image
All the pages resident in physical memory are manged by the PFN Database or Page Frame Number Database. The PFN is used to describe the page state of each page, and the number of references to this page. Page States The page states can be found in a enumeration called _MMLISTS: Zeroed - The page already is free and already contains 0's, or has been freed and being zeroed. Free - The page is free, but may still contain data since the Dirty bit could have not been set, therefore these pages are zeroed before being marked as a user page for user-mode processes. Standby - The page has been recently been removed from the working set of a process, and as a result is currently in Transition. The page hasn't been written to or modified since removal and transfer to the hard disk, but the PTE (Invalid) may still refer to the physical page. Modified - The page has been recently removed from the working set of a process, but has been written to and modified before it was written to th...
Read more