Author Topic: Tip of the day 1  (Read 362 times)

zwclose7

  • Administrator
  • Full Member
  • *****
  • Posts: 155
  • I love anime and science!
    • View Profile
    • My blog
Tip of the day 1
« on: February 21, 2016, 03:09:45 pm »
KUSER_SHARED_DATA is a data structure that contains a lot of Windows system information. It is always located in user mode at 0x7ffe0000, even on 64-bit Windows. The full path of the Windows directory is stored at 0x7ffe0030. The Windows version number is stored at 0x7ffe026c and 0x7ffe0270: 0x7ffe026c is the major version number, and 0x7ffe0270 is the minor version number.

The format of KUSER_SHARED_DATA is shown below.

Code:
/* Vista-era layout; ULONG, WORD, UCHAR, WCHAR, KSYSTEM_TIME, LARGE_INTEGER and the
   two enums are the usual NT/Windows SDK typedefs. Offsets in the comments are
   relative to the 0x7ffe0000 base named above. */
typedef struct _KUSER_SHARED_DATA
{
     ULONG TickCountLowDeprecated;
     ULONG TickCountMultiplier;
     KSYSTEM_TIME InterruptTime;
     KSYSTEM_TIME SystemTime;
     KSYSTEM_TIME TimeZoneBias;
     WORD ImageNumberLow;
     WORD ImageNumberHigh;
     WCHAR NtSystemRoot[260];          /* offset 0x030: Windows directory path */
     ULONG MaxStackTraceDepth;
     ULONG CryptoExponent;
     ULONG TimeZoneId;
     ULONG LargePageMinimum;
     ULONG Reserved2[7];
     NT_PRODUCT_TYPE NtProductType;
     UCHAR ProductTypeIsValid;
     ULONG NtMajorVersion;             /* offset 0x26c: major version */
     ULONG NtMinorVersion;             /* offset 0x270: minor version */
     UCHAR ProcessorFeatures[64];
     ULONG Reserved1;
     ULONG Reserved3;
     ULONG TimeSlip;
     ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture;
     LARGE_INTEGER SystemExpirationDate;
     ULONG SuiteMask;
     UCHAR KdDebuggerEnabled;
     UCHAR NXSupportPolicy;
     ULONG ActiveConsoleId;
     ULONG DismountCount;
     ULONG ComPlusPackage;
     ULONG LastSystemRITEventTickCount;
     ULONG NumberOfPhysicalPages;
     UCHAR SafeBootMode;
     ULONG SharedDataFlags;
     ULONG DbgErrorPortPresent: 1;
     ULONG DbgElevationEnabled: 1;
     ULONG DbgVirtEnabled: 1;
     ULONG DbgInstallerDetectEnabled: 1;
     ULONG SystemDllRelocated: 1;
     ULONG SpareBits: 27;
     UINT64 TestRetInstruction;
     ULONG SystemCall;
     ULONG SystemCallReturn;
     UINT64 SystemCallPad[3];
     union
     {
          KSYSTEM_TIME TickCount;
          UINT64 TickCountQuad;
     };
     ULONG Cookie;
     INT64 ConsoleSessionForegroundProcessId;
     ULONG Wow64SharedInformation[16];
     WORD UserModeGlobalLogger[8];
     ULONG HeapTracingPid[2];
     ULONG CritSecTracingPid[2];
     ULONG ImageFileExecutionOptions;
     union
     {
          UINT64 AffinityPad;
          ULONG ActiveProcessorAffinity;
     };
     UINT64 InterruptTimeBias;
} KUSER_SHARED_DATA, *PKUSER_SHARED_DATA;

Reference:
http://www.nirsoft.net/kernel_struct/vista/KUSER_SHARED_DATA.html
« Last Edit: February 21, 2016, 03:12:14 pm by zwclose7 »
