@zer0mem

Sometimes in kernel developement is needed to process some user mode data. But some of data – structs are internal and not so well documented, and due to this are available functions which work with these structures, but these are often exported just for user mode only. What are options in that case ?

• user mode component – service / application
• find kernel mode alternative function – often not exported
• reverse structure – parse it by yourself
• nt!KeUserModeCallback