Reverse Engineering Asked on July 2, 2021
I have read that it is possible to check the ring level with bit 3 of the CS register.
Is there another register that really contains the ring value (2 bits)?
Are you looking for this?
0:002> dx (( ntdll!_KTHREAD *) @$thread)->PreviousMode
(( ntdll!_KTHREAD *) @$thread)->PreviousMode : 0 [Type: char]
0:002> ?? (( ntdll!_KTHREAD *) @$thread)->PreviousMode
char 0n0 ''
Or in kernel mode:
0: kd> dq gs:[188] l1
002b:00000000`00000188 ffff8889`d75ce080
0: kd> ? @$thread
Evaluate expression: -131349371625344 = ffff8889`d75ce080
0: kd> dx @$thread->Tcb.PreviousMode
@$thread->Tcb.PreviousMode : 1 [Type: char]
0: kd> uf nt!ExGetPreviousMode
nt!ExGetPreviousMode:
fffff804`41c45f00 65488b042588010000 mov rax,qword ptr gs:[188h]
fffff804`41c45f09 0fb68032020000 movzx eax,byte ptr [rax+232h]
fffff804`41c45f10 c3 ret
0: kd> ?? #FIELD_OFFSET(nt!_KTHREAD , PreviousMode)
long 0n562
0: kd> ? 0n562
Evaluate expression: 562 = 00000000`00000232
Answered by blabb on July 2, 2021
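As an added example (not part of the question or of blabb's answer): the privilege level of running code is the CPL, which lives in the low two bits of the CS selector (the RPL field), with bit 2 selecting GDT/LDT and bits 3-15 holding the descriptor index. The code below decodes constructed sample selectors (the values Windows x64 uses for user-mode CS, 0x33, and kernel-mode CS, 0x10) and, on x86/x86-64 with gcc or clang inline assembly (an assumption), reads the live CS of the current process.

```c
#include <stdint.h>
#include <stdio.h>

/* Privilege-level field of a segment selector: bits 0-1 (RPL; for CS this is the CPL). */
static inline unsigned cpl_from_selector(uint16_t selector)
{
    return selector & 0x3;
}

/* Descriptor index: bits 3-15 (bit 2 is the table indicator, 0 = GDT, 1 = LDT). */
static inline unsigned selector_index(uint16_t selector)
{
    return selector >> 3;
}

/* Read the live CS selector on x86/x86-64 (assumes gcc/clang inline asm);
 * returns 0xFFFF on other architectures. */
static uint16_t read_cs(void)
{
#if defined(__x86_64__) || defined(__i386__)
    uint16_t cs;
    __asm__ volatile ("mov %%cs, %0" : "=r"(cs));
    return cs;
#else
    return 0xFFFF;
#endif
}

/* CPL of the code calling this: 3 in a user-mode process, 0 inside a kernel driver;
 * 0xFFFFFFFF when CS could not be read. */
static unsigned current_cpl(void)
{
    uint16_t cs = read_cs();
    return cs == 0xFFFF ? 0xFFFFFFFFu : cpl_from_selector(cs);
}

int main(void)
{
    /* Constructed sample selectors: Windows x64 user-mode CS (0x33) and kernel-mode CS (0x10). */
    uint16_t samples[] = { 0x33, 0x10 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("CS=0x%02x -> index %u, CPL %u\n", samples[i],
               selector_index(samples[i]), cpl_from_selector(samples[i]));
    printf("this process runs at CPL %u\n", current_cpl());
    return 0;
}
```

Note that the PreviousMode field shown in the answer is a KPROCESSOR_MODE (0 = KernelMode, 1 = UserMode) recording the mode of the caller that entered the kernel, so it is the value system-call handlers use for access checks and is not the same thing as the current CPL in CS.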