Greetings,
Unable to correctly read EPROCESS->StackConnt struct value using the following command, using driver.
*(PDWORD)((PCHAR)pEprocess+0x74);
The value present at this offset is variable (updated by kernel) in the execution.
Reading the value uing windbg dd command give updated value. Static vlues of struct are reading correctly (value dont change during execcution e.g PID)
But uable to read the value at address for which value changes over time, using my driver routine.
The value read using my drver is the initial value stored at the address.
reading the value in loop shows static value whereas in windbg i can see variation in value.
why i am not reading the updated value of EPROCESS->StackConnt ?? is there anything i am missing?
Note: Tried reading the other value of EPROCESS which changes during execution and unlucky to read them too
.
So problem seems to reading the value which changes over time.
Any help would be appreciated.
Unable to correctly read EPROCESS->StackConnt struct value using the following command, using driver.
*(PDWORD)((PCHAR)pEprocess+0x74);
The value present at this offset is variable (updated by kernel) in the execution.
Reading the value uing windbg dd command give updated value. Static vlues of struct are reading correctly (value dont change during execcution e.g PID)
But uable to read the value at address for which value changes over time, using my driver routine.
The value read using my drver is the initial value stored at the address.
reading the value in loop shows static value whereas in windbg i can see variation in value.
why i am not reading the updated value of EPROCESS->StackConnt ?? is there anything i am missing?
Note: Tried reading the other value of EPROCESS which changes during execution and unlucky to read them too
.So problem seems to reading the value which changes over time.
Any help would be appreciated.