http://qtnes.com/til/Recent content in Tils on QtnesHugoen-usWed, 22 Apr 2026 00:00:00 +0000http://qtnes.com/til/kuser-shared-data/Wed, 22 Apr 2026 00:00:00 +0000http://qtnes.com/til/kuser-shared-data/<p>Today I learned about KUSER_SHARED_DATA: a kernel-populated shared page that user mode can read directly.</p> <h2 id="user-mode-address">User-mode address</h2> <ul> <li>User mode reads it at fixed address <code>0x7FFE0000</code> (same on x86 and x64).</li> <li>It is mapped read-only in user mode.</li> <li>Kernel has a different fixed mapping, but from user-mode reversing, <code>0x7FFE0000</code> is the important one.</li> </ul> <h2 id="what-is-stored-there-high-value-fields">What is stored there (high value fields)</h2> <p>This structure contains fast-access global OS data, historically heavy on time-related values:</p>http://qtnes.com/til/go-pclntab/Fri, 20 Feb 2026 00:00:00 +0000http://qtnes.com/til/go-pclntab/<p>Even with <code>-ldflags=&quot;-s -w&quot;</code>, Go binaries retain the <code>pclntab</code> section which maps PC values to function names. Tools like <a href="https://github.com/mandiant/GoReSym">GoReSym</a> or IDA&rsquo;s Go helper scripts can recover the full symbol table. &ldquo;Stripped&rdquo; means less than you think in Go.</p>http://qtnes.com/til/upx-magic-bytes/Fri, 06 Feb 2026 00:00:00 +0000http://qtnes.com/til/upx-magic-bytes/<p>Standard UPX uses the magic bytes <code>UPX!</code> (0x55505821). Swapping them to anything else (e.g. <code>TRTW</code> / 0x54525457) causes <code>upx -d</code> to throw <code>NotPackedException</code> while the binary still unpacks and runs fine at runtime. Four bytes of friction against automated tools.</p>