nixawk / Awesome-Windows-Debug

Debug Windows Application / Kernel

Windows Kernel - User Mode And Kernel Mode #9

Open nixawk opened 7 years ago

nixawk commented 7 years ago

[image: userandkernelmode01]

References

  1. https://docs.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/user-mode-and-kernel-mode
  2. https://blog.codinghorror.com/understanding-user-and-kernel-mode/
  3. http://www.osronline.com/article.cfm?article=576

nixawk commented 7 years ago

kd> vertarget
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Built by: 2600.xpsp.080413-2111
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x80553fc0
Debug session time: Mon Sep  4 11:00:16.796 2017 (UTC - 7:00)
System Uptime: 0 days 0:01:02.343
kd> lmu
start    end        module name
7c900000 7c9af000   ntdll      (pdb symbols)          c:\windows\symbols\ntdll.pdb\1751003260CA42598C0FB326585000ED2\ntdll.pdb
kd> !process -1 0
Failed to get VAD root
PROCESS 805529a0  SessionId: none  Cid: 0000    Peb: 00000000  ParentCid: 0000
    DirBase: 0031c000  ObjectTable: e1000cf8  HandleCount: 244.
    Image: Idle
kd> !process 0 0
......
PROCESS 81c72530  SessionId: 0  Cid: 04ac    Peb: 7ffdc000  ParentCid: 060c
    DirBase: 0a040360  ObjectTable: e1d8d150  HandleCount:  34.
    Image: notepad.exe
kd> .process /i 81c72530
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.

kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
80527bdc cc              int     3
kd> .reload /user
Loading User Symbols
...........................
kd> lmu
start    end        module name
01000000 01014000   notepad    (deferred)             
5ad70000 5ada8000   UxTheme    (deferred)             
5cb70000 5cb96000   ShimEng    (deferred)             
629c0000 629c9000   LPK        (deferred)             
6f880000 6fa4a000   AcGenral   (deferred)             
73000000 73026000   WINSPOOL   (deferred)             
74d90000 74dfb000   USP10      (deferred)             
755c0000 755ee000   msctfime   (deferred)             
76390000 763ad000   IMM32      (deferred)             
763b0000 763f9000   comdlg32   (deferred)             
769c0000 76a74000   USERENV    (deferred)             
76b40000 76b6d000   WINMM      (deferred)             
77120000 771ab000   OLEAUT32   (deferred)             
773d0000 774d3000   COMCTL32   (deferred)             
774e0000 7761d000   ole32      (deferred)             
77be0000 77bf5000   MSACM32    (deferred)             
77c00000 77c08000   VERSION    (deferred)             
77c10000 77c68000   msvcrt     (deferred)             
77dd0000 77e6b000   ADVAPI32   (deferred)             
77e70000 77f02000   RPCRT4     (deferred)             
77f10000 77f59000   GDI32      (deferred)             
77f60000 77fd6000   SHLWAPI    (deferred)             
77fe0000 77ff1000   Secur32    (deferred)             
7c800000 7c8f6000   kernel32   (deferred)             
7c900000 7c9af000   ntdll      (pdb symbols)          c:\windows\symbols\ntdll.pdb\1751003260CA42598C0FB326585000ED2\ntdll.pdb
7c9c0000 7d1d7000   SHELL32    (deferred)             
7e410000 7e4a1000   USER32     (deferred)  

References

  1. http://www.osronline.com/article.cfm?article=576
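Every module in the `lmu` listing above sits below 0x80000000, while the kernel (`Kernel base = 0x804d7000`) and the break address `80527bdc` sit above it; that boundary is the default user/kernel address split of 32-bit Windows without `/3GB`. As an added example (not code from this repository), the Python below parses a `lmu` table into module ranges and resolves an address to its mode and module; the sample table is constructed from three lines of the listing above, and the boundary constant is an assumption that only holds for the default 2GB/2GB layout.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: default 32-bit Windows split (no /3GB). User space lies below
# 0x80000000; kernel space at and above it, where Kernel base 0x804d7000 lives.
KERNEL_BOUNDARY = 0x80000000

@dataclass
class Module:
    start: int
    end: int
    name: str
    symbols: str

# A module line looks like: "<start> <end>   <name>   (<symbol state>)   [pdb path]"
_LMU_LINE = re.compile(
    r"^\s*([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})\s+(\S+)\s+\(([^)]*)\)"
)

def parse_lmu(text: str) -> List[Module]:
    """Parse the module table printed by the kd 'lmu' command."""
    modules = []
    for line in text.splitlines():
        m = _LMU_LINE.match(line)          # header and blank lines do not match
        if m:
            start, end = int(m.group(1), 16), int(m.group(2), 16)
            modules.append(Module(start, end, m.group(3), m.group(4)))
    return modules

def classify(addr: int, modules: List[Module]) -> Tuple[str, Optional[str]]:
    """Return ('user' | 'kernel', containing module name or None) for an address."""
    mode = "kernel" if addr >= KERNEL_BOUNDARY else "user"
    for mod in modules:
        if mod.start <= addr < mod.end:    # end is exclusive, as in the listing
            return mode, mod.name
    return mode, None

# Constructed sample: three rows copied from the lmu listing in the thread.
SAMPLE_LMU = r"""start    end        module name
01000000 01014000   notepad    (deferred)
7c800000 7c8f6000   kernel32   (deferred)
7c900000 7c9af000   ntdll      (pdb symbols)          c:\windows\symbols\ntdll.pdb\1751003260CA42598C0FB326585000ED2\ntdll.pdb
"""

if __name__ == "__main__":
    mods = parse_lmu(SAMPLE_LMU)
    for a in (0x01001000, 0x7c901234, 0x80527bdc):
        print(hex(a), classify(a, mods))
```

Only the modules of the process whose context is current appear in `lmu`, which is why the kernel break address resolves to no module here.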