Wednesday, March 5, 2008

Where is current IRQL?

kd> u KeGetCurrentIrql
hal!KeGetCurrentIrql:

806ed2a4 0fb70524f0dfff  movzx   eax,word ptr ds:[0FFDFF024h]
806ed2ab c3                  ret

This routine tells us that current IRQL stores at kernel address 0x0FFDFF024h. And it’s a WORD (2 bytes), in fact it’s only one byte long, the upper 8 bits are zero.

Software IRQL:
PASSIVE_LEVEL 0        // Passive release level
LOW_LEVEL 0             // Lowest interrupt level
APC_LEVEL 1              // APC interrupt level
DISPATCH_LEVEL 2     // Dispatcher level

Posted by Hannibal at 2:56 PM
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)