Sometimes I see engineers use memory “space” and protection “mode” terms interchangeably although, in my opinion, there is a big difference between them. They are independent from each other (orthogonal). For example, a thread may access a user space address but be running in a kernel protected mode. Even it is possible to call a user space function from a kernel space thread (that function shouldn’t try to call Windows API). The following combinations are possible:
user space / user mode
kernel space / kernel mode
user space / kernel mode
Most of the time space and mode coincide (blue - user, red - kernel):
ChildEBP RetAddr
b6046c50 80833e95 nt!KiSwapContext+0×26
b6046c7c 8082b72b nt!KiSwapThread+0×2e5
b6046cc4 808ef652 nt!KeRemoveQueue+0×417
b6046d48 8088b19c nt!NtRemoveIoCompletion+0xdc
b6046d48 7c94860c nt!KiFastCallEntry+0xfc
00bfff70 7c9477f9 ntdll!KiFastSystemCallRet
00bfff74 7c959f68 ntdll!NtRemoveIoCompletion+0xc
00bfffb8 7c82482f ntdll!RtlpWorkerThread+0×3d
00bfffec 00000000 kernel32!BaseThreadStart+0×34
I personally prefer to talk about ”spaces” when I analyze complete memory dumps and almost never talk about “modes”.
- Dmitry Vostokov @ DumpAnalysis.org -