Home/ Questions/Q 3321954
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-17T23:07:30+00:00

I tried to get idt address in my driver, I made function in asm

  • 0

I tried to get idt address in my driver, I made function in asm which returns what idtr contains:

.data
  myData dq 0

.code
Function PROC
  sidt myData
  mov rax, myData
  ret
Function ENDP
END

But the address which I get is weird, for example in windbg:

r idtr
idtr=fffff80000b95080

However my driver shows:

idtr = f80000b950800fff

I read that on x64 IDTR contains 64-bit base address of IDT table. I would appreciate if anyone explain why my output is not the same as from WinDbg.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    This is what the Intel docs say about the SIDT instruction:

    In 64-bit mode, the operand size is fixed at 8+2 bytes. The instruction stores 8-byte base and 2-byte limit values.

    and:

    DEST[0:15] <- IDTR(Limit);
DEST[16:79] <- IDTR(Base);

    This means your myData variable needs to be 10 bytes long, and the instructions stores the limit in the first 2 bytes and base address in the next 8 bytes. This also explains why your value matches with WinDbg’s value after the first ffff bytes.

    • 0