Wednesday, 2 July 2014

Using !kuser to find _KUSER_SHARED_DATA

The _KUSER_SHARED_DATA structure contains some interesting information related to the currently logged on user. We can obtain the address of this data structure by using the !kuser extension in WinDbg. Most of the fields aren't officially documented from what I can find, but you should easily be able to work out what they mean from their names.



Using the address with the _KUSER_SHARED_DATA structure will provide the following (omitted structure):


There are some debugging bit fields within this structure, so you can check what debugging features have been enabled for that user. It also contains some basic system information.
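As an added example (not from the original post), this Python sketch decodes the debugging fields and some of the basic system information from a raw copy of the shared data page, such as one saved from a dump. The offsets and the Windows 7 bit names are assumptions taken from the public symbols and should be confirmed with `dt nt!_KUSER_SHARED_DATA` on the target build; `parse_kuser`, `build_sample` and the sample bytes are constructed for illustration.

```python
import struct

# Offsets as published in the public symbols (assumption: confirm on the
# target build with `dt nt!_KUSER_SHARED_DATA`).
OFF_NT_SYSTEM_ROOT = 0x030       # WCHAR[260]
OFF_NT_MAJOR_VERSION = 0x26C     # ULONG, followed by NtMinorVersion at 0x270
OFF_KD_DEBUGGER_ENABLED = 0x2D4  # UCHAR
OFF_SHARED_DATA_FLAGS = 0x2F0    # ULONG bit field
MIN_SIZE = OFF_SHARED_DATA_FLAGS + 4

# Bit names as on Windows 7; later builds rename bits 4 and 6.
DBG_FLAGS = ["DbgErrorPortPresent", "DbgElevationEnabled", "DbgVirtEnabled",
             "DbgInstallerDetectEnabled", "DbgSystemDllRelocated",
             "DbgDynProcessorEnabled", "DbgSEHValidationEnabled"]

def parse_kuser(page: bytes) -> dict:
    """Decode selected fields from a raw copy of the shared data page."""
    if len(page) < MIN_SIZE:
        raise ValueError(f"need at least {MIN_SIZE:#x} bytes, got {len(page):#x}")
    raw_root = page[OFF_NT_SYSTEM_ROOT:OFF_NT_SYSTEM_ROOT + 260 * 2]
    root = raw_root.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    major, minor = struct.unpack_from("<II", page, OFF_NT_MAJOR_VERSION)
    kd = page[OFF_KD_DEBUGGER_ENABLED]
    (flags,) = struct.unpack_from("<I", page, OFF_SHARED_DATA_FLAGS)
    return {
        "system_root": root,
        "version": (major, minor),
        "kd_debugger_enabled": bool(kd & 1),   # kernel debugging switched on
        "kd_debugger_present": bool(kd & 2),   # a debugger is actually attached
        "debug_flags": [n for i, n in enumerate(DBG_FLAGS) if (flags >> i) & 1],
        "raw_flags": flags,
    }

def build_sample() -> bytes:
    """Constructed page: Windows 6.1, debugger attached, two flags set."""
    page = bytearray(0x1000)
    root = "C:\\Windows".encode("utf-16-le")
    page[OFF_NT_SYSTEM_ROOT:OFF_NT_SYSTEM_ROOT + len(root)] = root
    struct.pack_into("<II", page, OFF_NT_MAJOR_VERSION, 6, 1)
    page[OFF_KD_DEBUGGER_ENABLED] = 0x03
    struct.pack_into("<I", page, OFF_SHARED_DATA_FLAGS, 0b1010)
    return bytes(page)

if __name__ == "__main__":
    for key, value in parse_kuser(build_sample()).items():
        print(f"{key:22} {value}")
```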

Additional Reading:

The System Call Dispatcher on x86

struct KUSER_SHARED_DATA



