0

I'm trying to get some information about how the x86 subsystem works within the 64-bit os and how it is addressed.

As example: If a (64-bit)driver inside the windows kernel tries to read a memory part of a 32-bit subsystem process, how do you get/calculate the 64-bit address where the 32-bit data is stored? In 32-bit usermode you simply take the base of the process module + offset and you're able to read the data with a ReadProcessMemory call.

But how do I find/access the 32-bit subsystem data from inside the 64-bit kernel?

abject_error
  • 2,858
  • 1
  • 19
  • 23
Tom Turbo
  • 1
  • 2
    Um, you shouldn't be reaching around like that. The app should pass a buffer to you (say via an IOCTL), and the I/O manager will do the work of converting that 32-bit buffer to a 64-bit address for you. – Raymond Chen Jul 31 '14 at 00:21
  • There's a reason i am trying to access the memory from the pure kernel mode... I'd like to do it without any ring3 communication. Any idea how i'm getting the address? Is it even possible? – Tom Turbo Jul 31 '14 at 00:30

0 Answers0