KUSER_SHARED_DATA quick notes

Today I learned about KUSER_SHARED_DATA: a kernel-populated shared page that user mode can read directly.

User-mode address

  • User mode reads it at fixed address 0x7FFE0000 (same on x86 and x64).
  • It is mapped read-only in user mode.
  • The kernel has its own, different fixed mapping of the same page, but for user-mode reversing 0x7FFE0000 is the address that matters.

What is stored there (high value fields)

This structure contains fast-access global OS data, historically heavy on time-related values:

  • TickCount/TickCountLowDeprecated
  • TickCountMultiplier
  • InterruptTime
  • SystemTime
  • TimeZoneBias

Why malware cares

Malware often reads KUSER_SHARED_DATA directly for low-overhead timing checks (instead of noisy API calls), for example to:

  • kill-time checks
  • detect sleeps/time acceleration in sandboxes
  • spot breakpoint/single-step slowdowns
  • implement anti-emulation timing heuristics

Because the address is fixed and reads are cheap, this is a common primitive in packed samples and anti-analysis routines.
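To make the field list above concrete from the analyst's side, here is an added example (my own, not code from the linked reference) that decodes the time fields from a page image the way ntdll does: the KSYSTEM_TIME consistent-read loop, the GetTickCount64-style tick-to-millisecond conversion, and the FILETIME-to-Unix conversion for SystemTime, run against a constructed page so it works offline. The field offsets are the well-known layout but are assumed here, so check them against the build you are analysing; on a live Windows box the same functions can be pointed at (const uint8_t *)0x7FFE0000 and compared with GetTickCount64.

```c
#include <stdint.h>
#include <string.h>

/* KUSER_SHARED_DATA field offsets (long-stable layout, assumed here; check against your build). */
#define OFF_TICK_COUNT_MULTIPLIER 0x004
#define OFF_SYSTEM_TIME           0x014
#define OFF_TICK_COUNT            0x320
#define FILETIME_UNIX_EPOCH 116444736000000000ULL  /* 1970-01-01 in 100ns units since 1601 */

/* KSYSTEM_TIME: 32-bit low part plus two copies of the high part. */
typedef struct { uint32_t LowPart; int32_t High1Time; int32_t High2Time; } KSYSTEM_TIME;

/* Lock-free read as ntdll does it: take High1, Low, High2 and accept only when the two high
   copies agree. Returns 1 on a consistent read, 0 if the value is still torn after retries. */
int read_ksystem_time(const uint8_t *base, size_t off, uint64_t *out) {
    KSYSTEM_TIME t;
    for (int attempt = 0; attempt < 8; attempt++) {
        memcpy(&t, base + off, sizeof t);   /* stands in for the three volatile loads */
        if (t.High1Time == t.High2Time) {
            *out = ((uint64_t)(uint32_t)t.High1Time << 32) | t.LowPart;
            return 1;
        }
    }
    return 0;
}

/* GetTickCount64 equivalent: TickCount counts clock interrupts, TickCountMultiplier is 8.24
   fixed-point milliseconds per tick, so (ticks * multiplier) >> 24 is uptime in milliseconds. */
uint64_t tick_count_ms(const uint8_t *base) {
    uint64_t ticks; uint32_t mult;
    memcpy(&mult, base + OFF_TICK_COUNT_MULTIPLIER, sizeof mult);
    if (!read_ksystem_time(base, OFF_TICK_COUNT, &ticks)) return 0;
    return (ticks * mult) >> 24;
}

/* SystemTime is a FILETIME (100ns since 1601-01-01); convert to Unix seconds, -1 if torn. */
int64_t system_time_unix_secs(const uint8_t *base) {
    uint64_t ft;
    if (!read_ksystem_time(base, OFF_SYSTEM_TIME, &ft)) return -1;
    return (int64_t)((ft - FILETIME_UNIX_EPOCH) / 10000000ULL);
}

/* Constructed page image so this runs offline; torn=1 simulates reading mid-update. */
static void put_ksystem_time(uint8_t *base, size_t off, uint64_t v, int torn) {
    KSYSTEM_TIME t = { (uint32_t)v, (int32_t)(v >> 32), (int32_t)(v >> 32) + torn };
    memcpy(base + off, &t, sizeof t);
}
const uint8_t *sample_page(int torn) {
    static uint8_t page[0x1000];
    uint32_t mult = 0x0FA00000;             /* 15.625 ms per tick in 8.24 fixed point */
    memset(page, 0, sizeof page);
    memcpy(page + OFF_TICK_COUNT_MULTIPLIER, &mult, sizeof mult);
    put_ksystem_time(page, OFF_TICK_COUNT, 0x100000001ULL, 0);
    put_ksystem_time(page, OFF_SYSTEM_TIME, FILETIME_UNIX_EPOCH + 1700000000ULL * 10000000ULL, torn);
    return page;
}
```

When a sample does the raw `mov`/`mul`/`shrd` sequence on 0x7FFE0320 and 0x7FFE0004, this is the arithmetic it is reproducing, which is a useful signature when labelling timing checks in a disassembly.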

Reference: https://www.geoffchappell.com/studies/windows/km/ntoskrnl/inc/api/ntexapi_x/kuser_shared_data/index.htm