1) x64 debugger
2) x64 pykd
3) Attached as a kernel debugger
4) Target being debugged is x86 platform
Using the read memory functions (ptrMWord, ptrFloat, etc), these apis incorrectly interpret 32bit addresses.
Eample:
address =0x826d8500
val = ptrMWord(address)
Causes a MemoryException to be thrown: "Memory excception at 0xFFFFFFFF826d8000 target virtual address." This is a confusing error because it makes it seem like the pointer was cast differently
Comments: ** Comment from web user: kernelnet **
What is wrong?
additional FF?
0x __FFFFFFFF__ 826d8000 vs 0x826d8500
or lost 5
0x_FFFFFFFF826d8000 vs 0x826d8 __5__ 00
I can not reproduce the second case. Maybe it is mistyping?
As for address extended with FF:
Pykd ( as the windbg ) internally works only with 64-bit "canonical" pointers. 32-bits pointers are extending to 64-bit form as a signed 4 byte integer:
0x80000001 -> 0xFFFFFFFF8000001
0x7FFFFFFF -> 0x000000007FFFFFFF
If you are going to use any address got from pykd for comparing with register value for example, you should cast this value to the 64 bit address format with special routine "addr64"
```
nt = module('nt')
if addr64(reg('eip')) > nt and addr64(reg('eip')) < nt,end():
print 'IP inside kernel'
```
I may seem unexpected behaviour, but there are a lot of reasons for this.