Will SMAP block drivers from reading a user-mode address?

brad_H Member Posts: 189
edited March 2 in NTDEV

Supervisor Mode Access Prevention (SMAP) is a newer mitigation that has been introduced to complement SMEP and further restrict access from the kernel to user-mode pages: it disallows both reads and writes. Just as with SMEP, its status is stored as a bit in the CR4 register.

So, does this mean that we should never access a user-mode address directly? But I have already written many drivers that access user-mode addresses (for example, in the process creation callback, to access the PEB of the process, obviously properly checking that the addresses are correct and wrapping the access in a try/catch), and I have never got a BSOD report from a customer regarding this access.

My questions are:

  1. How common is it for new hardware to have this SMAP feature? Has anyone experienced any issues with it?

  2. If this feature is on, what will happen when I, for example, try to read a user-mode address from my driver? Will there be an exception that can be caught, or...?

  3. If this feature means that we can no longer read a user-mode address, then how can I for example read a user-mode address of a specific process, for example PEB of a target process?

  4. Considering that ntoskrnl itself reads/writes user-mode addresses as well (duh), then how can it do that with SMAP?! I am even confused about SMEP as well, because I am pretty sure win32k.sys calls user-mode functions directly too, so how the hell can win32k call a user-mode function directly?!
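The post asks how common SMAP support is and how its state is expressed in CR4. The program below is an added example (not from the original post or from OSR) that answers the "is it there?" part from user mode: it queries CPUID leaf 7 for the SMEP and SMAP feature bits, and decodes CR4 and EFLAGS values of the kind you would copy out of a kernel debugger (`r cr4`, `r efl`) to see whether the mitigations are enabled and whether EFLAGS.AC currently permits supervisor access to user pages. The bit positions (CPUID.7.EBX bit 7 = SMEP, bit 20 = SMAP; CR4 bit 20 = SMEP, bit 21 = SMAP; EFLAGS bit 18 = AC) are from the Intel SDM. The runtime query assumes GCC or Clang on x86 (`<cpuid.h>`); on other architectures it reports "unavailable". The CR4/EFLAGS sample values in `main` are constructed for illustration, not captured from any particular machine.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>   /* GCC/Clang helper for the CPUID instruction (assumption: x86 build) */
#endif

/* Feature bits reported in CPUID.(EAX=7,ECX=0):EBX. */
#define CPUID7_EBX_SMEP (1u << 7)
#define CPUID7_EBX_SMAP (1u << 20)

/* Enable bits in control register CR4. */
#define CR4_SMEP (1ull << 20)
#define CR4_SMAP (1ull << 21)

/* EFLAGS.AC (bit 18). With CR4.SMAP set, supervisor code may touch user
   pages only while AC=1; the stac/clac instructions set and clear it. */
#define EFLAGS_AC (1ull << 18)

struct smx_state {
    bool smep_supported, smap_supported; /* from CPUID */
    bool smep_enabled, smap_enabled;     /* from CR4 */
    bool ac_set;                         /* from EFLAGS */
};

/* Decode a CPUID leaf 7 EBX value into "does the CPU support it" flags. */
void decode_cpuid7_ebx(uint32_t ebx, struct smx_state *s)
{
    s->smep_supported = (ebx & CPUID7_EBX_SMEP) != 0;
    s->smap_supported = (ebx & CPUID7_EBX_SMAP) != 0;
}

/* Decode a CR4 value (e.g. copied from `r cr4` in WinDbg) into enable flags. */
void decode_cr4(uint64_t cr4, struct smx_state *s)
{
    s->smep_enabled = (cr4 & CR4_SMEP) != 0;
    s->smap_enabled = (cr4 & CR4_SMAP) != 0;
}

/* Decode an EFLAGS value (e.g. from `r efl`) for the AC bit. */
void decode_eflags(uint64_t eflags, struct smx_state *s)
{
    s->ac_set = (eflags & EFLAGS_AC) != 0;
}

/* True when a supervisor-mode read of a user page would fault in this
   state: SMAP is enabled and AC is clear. Kernel APIs that legitimately
   touch user buffers raise AC around the access; arbitrary driver code
   that dereferences a user pointer does not. */
bool user_access_would_fault(const struct smx_state *s)
{
    return s->smap_enabled && !s->ac_set;
}

/* Query the running CPU. Returns false if leaf 7 is unavailable or the
   build target is not x86. */
bool query_cpu_smx_support(struct smx_state *s)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    if (!__get_cpuid_count(7, 0, &a, &b, &c, &d))
        return false;
    decode_cpuid7_ebx((uint32_t)b, s);
    return true;
#else
    (void)s;
    return false;
#endif
}

int main(void)
{
    struct smx_state s = {0};

    if (query_cpu_smx_support(&s))
        printf("CPU advertises SMEP: %s, SMAP: %s\n",
               s.smep_supported ? "yes" : "no", s.smap_supported ? "yes" : "no");
    else
        printf("CPUID leaf 7 unavailable on this build/CPU\n");

    /* Constructed sample register values, not taken from a real machine. */
    decode_cr4(0x350ef8ull, &s);   /* bits 20 and 21 set */
    decode_eflags(0x246ull, &s);   /* bit 18 clear */
    printf("CR4: SMEP=%d SMAP=%d, EFLAGS.AC=%d -> user access would fault: %s\n",
           s.smep_enabled, s.smap_enabled, s.ac_set,
           user_access_would_fault(&s) ? "yes" : "no");
    return 0;
}
```

Build with `cc -O2 smx.c -o smx` on an x86 GCC/Clang toolchain. The decoders are pure functions so the same logic can be pasted into a debugger script or a test harness; only `query_cpu_smx_support` touches the hardware.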
