This kernel/driver-level Windows NT code:
    #include <ntddk.h>

    void huh()
    {
        LARGE_INTEGER a;

        KeQueryTickCount(&a);         /* a macro in the DDK headers, not a function call */
        DbgPrint("%d", a.QuadPart);
    }
... is now translated in the Windows 2003 DDK x64 environment into:
    mov     rdx, 0FFFFF78000000320h
    lea     rcx, Format     ; "%d"
    mov     rdx, [rdx]
    call    DbgPrint_0
Wow, the address of a variable (KeTickCount) is now hardcoded right into the driver's code at compile time.
Isn't this just a return to PEEKs and POKEs?
http://en.wikipedia.org/wiki/PEEK_and_POKE
Does Microsoft promise to keep this variable at this address forever?
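A hardcoded constant like the one in the listing above can be found mechanically when auditing a compiled driver. The following C scanner is an added example, not code from the original post: it looks for `mov r64, imm64` instructions whose immediate falls inside one fixed page. It assumes, from general Windows internals knowledge rather than from this page, that 0FFFFF78000000000h is the kernel-mode address of KUSER_SHARED_DATA and that 320h is the offset of its TickCount field; the function names and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumption (not on the page): x64 kernels map KUSER_SHARED_DATA at this
   fixed address, and TickCount sits at offset 0x320 inside it. */
#define SHARED_BASE 0xFFFFF78000000000ULL
#define SHARED_SIZE 0x1000ULL

/* Constructed sample bytes for the page's sequence (lea displacement zeroed). */
static const uint8_t sample[] = {
    0x48, 0xBA, 0x20, 0x03, 0x00, 0x00, 0x80, 0xF7, 0xFF, 0xFF, /* mov rdx, imm64 */
    0x48, 0x8D, 0x0D, 0x00, 0x00, 0x00, 0x00,                   /* lea rcx, [rip+0] */
    0x48, 0x8B, 0x12                                            /* mov rdx, [rdx] */
};

struct hit { size_t pos; unsigned reg; uint64_t off; };
/* Byte-pattern scan, not a disassembler: finds REX.W + (B8+r) "mov r64, imm64"
   whose immediate lies in the shared page. Returns the hit count and stores
   at most max hits in out. */
size_t find_shared_refs(const uint8_t *code, size_t len, struct hit *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i + 10 <= len; i++) {
        uint8_t rex = code[i], op = code[i + 1];
        if ((rex != 0x48 && rex != 0x49) || (op & 0xF8) != 0xB8)
            continue;
        uint64_t imm = 0;
        for (int b = 7; b >= 0; b--)           /* imm64 is little-endian */
            imm = (imm << 8) | code[i + 2 + b];
        if (imm - SHARED_BASE >= SHARED_SIZE)  /* unsigned wrap rejects imm < base */
            continue;
        if (n < max)
            out[n] = (struct hit){ i, (op & 7u) | ((rex & 1u) << 3), imm - SHARED_BASE };
        n++;
        i += 9;                                /* step past this instruction */
    }
    return n;
}

int main(void)
{
    struct hit h[4];
    size_t n = find_shared_refs(sample, sizeof sample, h, 4);
    for (size_t k = 0; k < n && k < 4; k++)
        printf("+%zu: mov reg%u, SHARED_BASE+0x%llx\n", h[k].pos, h[k].reg,
               (unsigned long long)h[k].off);
    return 0;
}
```

Because it matches raw bytes, a hit inside data or in the middle of another instruction is possible; confirm each one in a disassembler.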