On Space and Mode

Sometimes I see engineers use the memory “space” and protection “mode” terms interchangeably although, in my opinion, there is a big difference between them. They are independent of each other (orthogonal). For example, a thread may access a user space address but be running in a kernel protected mode. It is even possible to call a user space function from a kernel space thread (that function shouldn’t try to call Windows API). The following combinations are possible:

user space / user mode
kernel space / kernel mode
user space / kernel mode

Most of the time space and mode coincide (blue - user, red - kernel):

ChildEBP RetAddr
b6046c50 80833e95 nt!KiSwapContext+0x26
b6046c7c 8082b72b nt!KiSwapThread+0x2e5
b6046cc4 808ef652 nt!KeRemoveQueue+0x417
b6046d48 8088b19c nt!NtRemoveIoCompletion+0xdc
b6046d48 7c94860c nt!KiFastCallEntry+0xfc
00bfff70 7c9477f9 ntdll!KiFastSystemCallRet
00bfff74 7c959f68 ntdll!NtRemoveIoCompletion+0xc
00bfffb8 7c82482f ntdll!RtlpWorkerThread+0x3d
00bfffec 00000000 kernel32!BaseThreadStart+0x34
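
The space of each frame can be read straight off the addresses in the trace. The following is an added example, not code from the original post: it parses the trace above and classifies each frame's stack address and return address by space, assuming 32-bit Windows with the default 2 GB / 2 GB split (the `0x80000000` boundary and all function names are assumptions of this example). It reports space only; the processor mode cannot be derived from the addresses.

```python
import re

# Assumption: 32-bit Windows, default 2 GB / 2 GB split. Addresses at or
# above 0x80000000 are kernel space (the boundary moves with /3GB).
KERNEL_SPACE_START = 0x80000000

# Constructed sample: the stack trace from the post with ASCII "0x" offsets.
TRACE = """\
ChildEBP RetAddr
b6046c50 80833e95 nt!KiSwapContext+0x26
b6046c7c 8082b72b nt!KiSwapThread+0x2e5
b6046cc4 808ef652 nt!KeRemoveQueue+0x417
b6046d48 8088b19c nt!NtRemoveIoCompletion+0xdc
b6046d48 7c94860c nt!KiFastCallEntry+0xfc
00bfff70 7c9477f9 ntdll!KiFastSystemCallRet
00bfff74 7c959f68 ntdll!NtRemoveIoCompletion+0xc
00bfffb8 7c82482f ntdll!RtlpWorkerThread+0x3d
00bfffec 00000000 kernel32!BaseThreadStart+0x34
"""

# One frame per line: ChildEBP, RetAddr, symbol. The header line does not match.
FRAME = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) (\S+)$", re.M)

def space_of(address):
    """Classify a virtual address by space (not by processor mode)."""
    return "kernel" if address >= KERNEL_SPACE_START else "user"

def classify(trace):
    """Return one dict per frame: symbol, space of its stack, space it returns to."""
    frames = []
    for ebp, ret, symbol in FRAME.findall(trace):
        ret_addr = int(ret, 16)
        frames.append({
            "symbol": symbol,
            "stack": space_of(int(ebp, 16)),
            # A zero return address marks the bottom of the stack.
            "returns_to": space_of(ret_addr) if ret_addr else None,
        })
    return frames

def boundary_frames(frames):
    """Symbols of frames whose stack is in one space but which return to the other."""
    return [f["symbol"] for f in frames
            if f["returns_to"] and f["returns_to"] != f["stack"]]

if __name__ == "__main__":
    for f in classify(TRACE):
        print(f"{f['symbol']:<40} stack={f['stack']:<6} returns_to={f['returns_to']}")
    print("space transition at:", boundary_frames(classify(TRACE)))
```
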

I personally prefer to talk about “spaces” when I analyze complete memory dumps and almost never talk about “modes”.

- Dmitry Vostokov @ DumpAnalysis.org -

2 Responses to “On Space and Mode”

  1. Software Generalist » Blog Archive » Reading Notebook: 20-July-09 Says:

    […] system architecture (p. 36) - I personally prefer space than mode partitioning or indicate both: http://www.dumpanalysis.org/blog/index.php/2009/07/17/on-space-and-mode/ and show user space at the bottom to highlight lower virtual addresses. Here is one example, UML […]

  2. Crash Dump Analysis » Blog Archive » User/Kernel Diagramming Styles Says:

    […] value the most or use the most. However, the reason I put Kernel on top is because I value Space over Mode in depicting memory and dependencies. In stack traces from complete memory dumps you have kernel […]
