In our last post (here), we took a look at an Access Violation of a user mode application attempting to access memory in kernel mode address space.
It's worth noting that this restriction isn't limited to kernel memory: if we blindly touch an address that isn't mapped in our own process, we get the same AV error (on an NT-based OS, anyhow). Each NT process has its own virtual address space, so a raw pointer can't reach another application's memory at all; the most it can do is land on a page that isn't committed in ours. Let's take a look:
int foo;
int * ip = (int*)16777216; // Address 0x01000000: a user-mode address, but no page is committed there in this process
foo = *ip;                 // Crash! The read faults before foo is ever assigned
This will crash with the following error:
Unhandled exception at 0x004173c8 in cpractice.exe: 0xC0000005: Access violation reading location 0x01000000.
A few notes:
- On most machines, you'll see a Watson dialog instead of this unfriendly crash dialog. I've used the 'unfriendly' crash dialog here for demonstration purposes.
- AT posted some interesting comments in the other post here. The Win32 API has tools for sharing memory between processes, and the above code was legal on DOS, which had no protected address space.
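The crash above is the default outcome, but a program can ask the OS whether a page is committed before touching it, and can catch the access violation instead of dying. The following is an added example written for this post, not code from the original. On Windows it uses VirtualQuery and MSVC structured exception handling (__try/__except), and the exception code it filters on, EXCEPTION_ACCESS_VIOLATION, is the 0xC0000005 seen in the crash dialog. The POSIX branch (msync to probe a page, a SIGSEGV/SIGBUS handler with sigsetjmp/siglongjmp to recover) is a swapped-in equivalent, included only so the same program runs on Linux; it is not how NT reports the fault. The program assumes, as the post does, that 0x01000000 is an unmapped user-mode address in this process; the unmapped_page helper gets a page that is guaranteed unmapped by allocating and immediately freeing one.

```c
/* Added example (not from the original post): probe a page before touching it,
 * and guard a read so an access violation is reported instead of crashing.
 * Windows path: VirtualQuery + MSVC structured exception handling.
 * POSIX path (assumption, so the program also runs on Linux): msync() to probe,
 * and a SIGSEGV/SIGBUS handler with sigsetjmp/siglongjmp to recover. */
#ifndef _WIN32
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <setjmp.h>
#include <signal.h>
#include <sys/mman.h>
#include <unistd.h>
#endif

/* 1. Ask the OS whether the page containing p is committed and readable. */
int page_is_mapped(const void *p)
{
#ifdef _WIN32
    MEMORY_BASIC_INFORMATION mbi;
    if (VirtualQuery(p, &mbi, sizeof mbi) == 0)
        return 0;                               /* outside the user address range */
    return mbi.State == MEM_COMMIT && !(mbi.Protect & (PAGE_NOACCESS | PAGE_GUARD));
#else
    long pagesz = sysconf(_SC_PAGESIZE);
    void *page = (void *)((uintptr_t)p & ~(uintptr_t)(pagesz - 1));
    /* msync() fails with ENOMEM when any part of the range is unmapped. */
    return msync(page, (size_t)pagesz, MS_ASYNC) == 0;
#endif
}

/* 2. Guarded read: returns 1 and stores *out on success, 0 if the access faults. */
#ifdef _WIN32
int guarded_read(const int *p, int *out)
{
    __try {
        *out = *p;
        return 1;
    } __except (GetExceptionCode() == EXCEPTION_ACCESS_VIOLATION   /* 0xC0000005 */
                    ? EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH) {
        return 0;
    }
}
#else
static sigjmp_buf fault_jmp;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_jmp, 1); }

int guarded_read(const int *p, int *out)
{
    struct sigaction sa, old_segv, old_bus;
    volatile int ok = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    if (sigsetjmp(fault_jmp, 1) == 0) {
        *out = *(const volatile int *)p;        /* faults here if p is unmapped */
        ok = 1;
    }
    sigaction(SIGSEGV, &old_segv, NULL);        /* restore default handling */
    sigaction(SIGBUS, &old_bus, NULL);
    return ok;
}
#endif

/* 3. A page that is definitely unmapped: map one, then release it. */
void *unmapped_page(void)
{
#ifdef _WIN32
    void *p = VirtualAlloc(NULL, 4096, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    VirtualFree(p, 0, MEM_RELEASE);
#else
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, pagesz, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    munmap(p, pagesz);
#endif
    return p;
}

int main(void)
{
    int v = 0, local = 42;
    const int *ip = (const int *)0x01000000;   /* the post's address; assumed unmapped here too */

    printf("0x01000000: mapped=%d guarded_read=%s\n",
           page_is_mapped(ip), guarded_read(ip, &v) ? "ok" : "fault (0xC0000005 on NT)");
    printf("&local:     mapped=%d guarded_read=%s value=%d\n",
           page_is_mapped(&local), guarded_read(&local, &v) ? "ok" : "fault", v);
    printf("freed page: mapped=%d\n", page_is_mapped(unmapped_page()));
    return 0;
}
```

Probing with VirtualQuery is only a hint: another thread can free or reprotect the page between the query and the read, so for memory you don't control the guarded read is the check that actually holds. Note also that neither routine lets you read another process's memory; the guarded read just converts the fault on an uncommitted page in your own address space into a return value. Reaching across processes on NT still means ReadProcessMemory or a shared section, as the comments above note.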