.This kernel/driver-level Windows NT code:
void huh()
{
LARGE_INTEGER a;
KeQueryTickCount(&a);
DbgPrint ("%d", a.QuadPart);
};
... is now translated in Windows 2003 DDK x64 environment into:
mov rdx, 0FFFFF78000000320h
lea rcx, Format ; "%d"
mov rdx, [rdx]
call DbgPrint_0
Wow, some variable's address (KeTickCount) is now hardcoded just into driver's code during compilation.
But where in DDK this constant is defined? I can't find.
Is not it just return to the PEEKs and POKEs?
http://en.wikipedia.org/wiki/PEEK_and_POKE
Is Microsoft promise to fix this variable to this address forever?
![[+] expand](/imagery/files/soysauce_blueprint.gif){kind=link}