Quote:
|
Originally Posted by MarkusO
Code:
mov eax, fs:[124h]
mov eax, [eax+44h]
mov eax, [eax+18] ; <-- crash location
Even if I'm not aware what value "fs" has a this time, I don't expect it to be the reason for the crash. |
fs points to kpcr
kpcr+124h = current thread
curretn thread + 44h = KPROCESS
KPROCESS+18 = DirectoryTableBase (value of cr3 for current process)
Maybe in win2k3 kthread is changed so kthread+44 returns something else.
If you can, install livekd from www.sysinternals.com and tell us what is located at offset 44 of kthread.
I would really love to know
