Hi everybody,
I've stumbled across some code which reads a dword at memory location 0x7ffe000, which causes the program to crash and the Wine debugger to start.
After some investigation, it seems that reading the memory location 0x7ffe0000 should return KeTickCount.LowPart to the user process. Has anyone ever heard about that? I was wondering if it was a native Windows NT behaviour, or if it was done by a special kernel-space exception handler installed by the program.
The assembly code which does the trick is
    pusha
    mov $0x7ffe0000,%edx
    mov (%edx),%eax
    mov %eax,0xfffffffc(%ebp)
    popa
    mov 0xfffffffc(%ebp),%eax
Any idea, anyone?
Thanks for your help.
Laurent Pinchart