After some investigation, it seems that reading the memory location 0x7ffe0000 should return KeTickCount.LowPart to the user process. Has anyone ever heard about that? I was wondering if it was a native Windows NT behaviour, or if it was done by a special kernel-space exception handler installed by the program.
It's a native NT thing; a page of memory at that address is shared between user and kernel space. The definition is in the w2k ddk.
I downloaded the w2k ddk, and SharedUserData seems to be located at 0xffdf0000 (line 5099 of ntddk.h). Did Microsoft move the page around between NT4 and NT5, or is there something I don't understand?
Laurent Pinchart
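
An added example, not code from any poster in this thread: a C program that decodes an uptime value from the first eight bytes of the shared page discussed above. The field offsets, the `(ticks * multiplier) >> 24` conversion, the reading of the two addresses as user-mode and kernel-mode mappings of one page, and the sample bytes are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Addresses quoted in the thread. Assumption of this example: they are the
   user-mode and kernel-mode mappings of the same shared page. */
#define SHARED_PAGE_USER_VA   0x7ffe0000u
#define SHARED_PAGE_KERNEL_VA 0xffdf0000u

/* Assumed layout of the start of the page (not stated in the thread). */
#define OFF_TICK_LOW   0u   /* KeTickCount.LowPart */
#define OFF_TICK_MULT  4u   /* fixed-point ms per tick, 24 fractional bits */

/* Read a little-endian 32-bit value without depending on host byte order. */
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode uptime in ms from a snapshot of the page; -1 if input is unusable. */
int shared_page_uptime_ms(const unsigned char *page, size_t len, uint32_t *ms)
{
    if (page == NULL || ms == NULL || len < OFF_TICK_MULT + 4)
        return -1;
    uint64_t product = (uint64_t)le32(page + OFF_TICK_LOW) * le32(page + OFF_TICK_MULT);
    *ms = (uint32_t)(product >> 24);   /* drop the 24 fractional bits */
    return 0;
}

/* Constructed sample: 1000 ticks, multiplier 0x0FA00000 (15.625 ms per tick). */
static const unsigned char sample_page[8] = {
    0xE8, 0x03, 0x00, 0x00,  0x00, 0x00, 0xA0, 0x0F
};

int main(void)
{
    const unsigned char *page = sample_page;
    size_t len = sizeof sample_page;
    uint32_t ms;
#ifdef _WIN32
    /* On Windows, read the live page in place instead of the sample. */
    page = (const unsigned char *)(uintptr_t)SHARED_PAGE_USER_VA;
    len = 8;
#endif
    if (shared_page_uptime_ms(page, len, &ms) != 0)
        return 1;
    printf("uptime: %lu ms\n", (unsigned long)ms);
    return 0;
}
```

Because the read is a plain memory load, it does not go through `GetTickCount` or any system call, so API-level monitoring does not observe it.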