So now it can be trivially found by searching the .data section for the signature 0xFFFFF78000000308 (0xFFDF0308 on 32-bit).
Let's see what is interesting in this list.
Items in PsKernelRangeList can be described roughly as:
struct protected_area
{
    PBYTE addr; // start address of the range
    PBYTE len;  // length of the range, stored in a pointer-sized field
};
Also, it seems that new entries are always added at the end of this list. On build 18312 the list contains:
- PspPicoProviderRoutines
- 3 zero entries
- MmUserProbeAddress (exported)
- MmSystemRangeStart (exported)
- MmHighestUserAddress (exported)
- MmBadPointer (exported)
- HvcallCodeVa
- PsWin32NullCallBack
- PspSystemMitigationOptions (size 0x10)
- KdpBootedNodebug
- KUSER_SHARED_DATA.SystemCall
- KUSER_SHARED_DATA.ProcessorFeatures
- KiDynamicTraceEnabled
- KiDynamicTraceCallouts (size 0x28 on 32bit, 0x50 on 64bit)
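
The signature search described above, as an added example (not code from the original post) that scans a constructed buffer standing in for the 64-bit .data section and decodes the matching protected_area entry. Assumptions: entries are 8-byte aligned, a real entry has a small non-zero len (MAX_LEN is an arbitrary bound), and the KUSER_SHARED_DATA.SystemCall entry sits at index 12 as in the build 18312 list above; all sample addresses and lengths are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#define SIG64     0xFFFFF78000000308ULL /* 64-bit signature from the text */
#define SIG_INDEX 12     /* assumption: slot of that entry in the build 18312 list */
#define MAX_LEN   0x1000 /* assumption: sanity bound on the len field */
#define ENTRY_SZ  16     /* 64-bit protected_area: two pointer-sized fields */

static uint64_t rd64(const uint8_t *p) {         /* little-endian read */
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}
static void wr64(uint8_t *p, uint64_t v) {       /* used only to build the sample */
    for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Offset of the entry whose addr is SIG64 and whose len is plausible, or -1. */
long find_sig_entry(const uint8_t *d, size_t size) {
    for (size_t off = 0; off + ENTRY_SZ <= size; off += 8) { /* assumption: 8-byte aligned */
        uint64_t len = rd64(d + off + 8);
        if (rd64(d + off) == SIG64 && len != 0 && len <= MAX_LEN) return (long)off;
    }
    return -1;
}

/* Offset of the first entry if the order matches the list in the text, else -1. */
long list_start(long sig_off) {
    return sig_off < SIG_INDEX * ENTRY_SZ ? -1 : sig_off - SIG_INDEX * ENTRY_SZ;
}

/* Constructed sample: decoy signature at offset 0, then 13 entries from offset 16. */
size_t build_sample(uint8_t *b) {
    wr64(b, SIG64);                       /* decoy: followed by a pointer, not a length */
    wr64(b + 8, 0xFFFFF80000001000ULL);
    for (int i = 0; i <= SIG_INDEX; i++) {
        int zero = (i >= 1 && i <= 3);    /* the three zero entries */
        uint64_t addr = i == SIG_INDEX ? SIG64 : 0xFFFFF80000100000ULL + i * 0x100;
        wr64(b + 16 + i * ENTRY_SZ, zero ? 0 : addr);
        wr64(b + 24 + i * ENTRY_SZ, zero ? 0 : 8);
    }
    return 16 + (SIG_INDEX + 1) * ENTRY_SZ;
}
int main(void) {
    uint8_t buf[256];
    long off = find_sig_entry(buf, build_sample(buf));
    printf("entry at 0x%lx, list starts at 0x%lx\n", (unsigned long)off, (unsigned long)list_start(off));
    return 0;
}
```

The len check is what rejects the decoy at offset 0, where the signature value is followed by a kernel pointer rather than a length.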