Skip to content

KUSER_SHARED_DATA

Abusing the KUSER_SHARED_DATA structure at fixed virtual address for info leak or shellcode staging.

Description

KUSER_SHARED_DATA is mapped at a fixed virtual address (0xFFFFF78000000000 in kernel, 0x7FFE0000 in user) on all Windows versions. This makes it useful as:

  • Info leak source: Contains system time, tick count, and other values
  • Known address: Fixed mapping provides a reliable address for shellcode or data staging (pre-SMEP)

Mitigations

Modern mitigations (SMEP, HVCI) prevent executing code from this region, but it remains useful for data-only attacks.