is module baseaddr prefix normal?

Sep 18, 2013 at 2:36 AM
Edited Sep 18, 2013 at 2:48 AM
from pykd import *
attachKernel()                 # attach to the kernel debugging target
nt = module( "nt" )            # look up the loaded ntoskrnl module
print "%x" % nt.begin()        # print its base address

It prints "ffffffff804d8000", but my system is 32-bit and the base address is 0x804d8000.
Is the "ffffffff" prefix normal on a 32-bit system?
Coordinator
Sep 19, 2013 at 9:12 AM
pykd works only with 64-bit addresses (there are some reasons), so we use "address normalization" for 4-byte addresses. You can use these addresses with WinDbg; it is ok.

All pykd API routines return normalized addresses, so you can make a mistake such as this:
from pykd import *
nt = module("nt")
if reg("eip") > nt.begin() and reg("eip") < nt.end():
   print "IP is within NT kernel"   # wrong: eip is a raw 4-byte value and is always less than the normalized nt.begin()
There is a special routine addr64 for representing any number as a "normalized" address:
from pykd import *
nt = module("nt")
ip = addr64( reg("eip") )    # sign-extend the 32-bit register value to 64 bits
if ip > nt.begin() and ip < nt.end():
   print "IP is within NT kernel"   # ip is now compared with the kernel base correctly
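A stand-alone model of the normalization described in this reply (added example, not pykd's own code; it assumes addr64 is a plain sign extension of the 32-bit value, which is what the printed ffffffff804d8000 implies), so the comparison pitfall and its fix can be checked without a kernel target attached:

```python
# Added example, not from the pykd project: models 32-bit -> 64-bit
# "address normalization" as sign extension, with constructed values.

def addr64(value, pointer_bits=32):
    """Sign-extend a pointer_bits-wide address into a 64-bit value.

    0x804d8000 -> 0xffffffff804d8000 (high bit set: kernel half of the space)
    0x00401000 -> 0x0000000000401000 (high bit clear: unchanged)
    Already-normalized input is returned unchanged (the call is idempotent).
    """
    mask = (1 << pointer_bits) - 1
    value &= mask                      # keep only the raw pointer width
    if value >> (pointer_bits - 1):    # high bit set: fill the upper bits with ones
        value |= ~mask & 0xFFFFFFFFFFFFFFFF
    return value

class FakeModule(object):
    """Stand-in for pykd.module: begin()/end() return normalized addresses."""
    def __init__(self, base, size, pointer_bits=32):
        self._begin = addr64(base, pointer_bits)
        self._end = addr64(base + size, pointer_bits)
    def begin(self):
        return self._begin
    def end(self):
        return self._end

def in_module_naive(eip, mod):
    # The mistake from the thread: raw 4-byte eip against a normalized base.
    return mod.begin() <= eip < mod.end()

def in_module(eip, mod):
    # Normalize the register value first, then compare like with like.
    ip = addr64(eip)
    return mod.begin() <= ip < mod.end()

if __name__ == "__main__":
    # Constructed: nt base from the question, size and eip chosen for the demo.
    nt = FakeModule(0x804d8000, 0x1f0000)
    eip = 0x8050a000
    print("nt.begin()  = %x" % nt.begin())               # ffffffff804d8000
    print("naive check = %s" % in_module_naive(eip, nt)) # False
    print("normalized  = %s" % in_module(eip, nt))       # True
```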
Sep 22, 2013 at 3:49 AM
I see, thanks~