@Cr4sh
Created October 18, 2023 10:16
Windows Secure Kernel r/e hints and tips
To find SKPROCESS Policy offset, look at the displacement passed to RtlLookupImagePolicyValue() in SkpspFindPolicy():

__int64 __fastcall SkpspFindPolicy(__int64 a1, __int64 a2, int a3, __int64 a4, __int64 a5)
{
    v5 = a4;
    v6 = a3;
    v7 = a2;
    v8 = a1;
    v12 = 0i64;
    v9 = a1 + 0x1B8; // <-- a1 is SKPROCESS, Policy is at offset 0x1B8
    v10 = RtlLookupImagePolicyValue(a1 + 0x1B8, a2, &v12);
    ...
}
###################################################
To find SKPROCESS page table entry offset, look at the first dereference of the process object in SkeSelectProcessAddressSpace():

signed __int64 __fastcall SkeSelectProcessAddressSpace(__int64 a1)
{
    v1 = __getcallerseflags();
    _disable();
    v2 = v1;
    v3 = *(_QWORD *)(a1 + 0x40); // <-- a1 is SKPROCESS, page table entry is at offset 0x40
    // ...
}
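Both hints follow the same pattern: pick a function whose first argument is the SKPROCESS object and read the displacement off that argument at a known anchor (a call to RtlLookupImagePolicyValue, or the first _QWORD dereference). The script below is an added example, not part of Cr4sh's gist, that automates this over IDA-style pseudocode text so the offsets can be re-checked on a new Secure Kernel build without hand-reading the decompiler output. The sample pseudocode strings are constructed from the excerpts above; the function names extract_skprocess_offsets, find_call_arg_offset and find_deref_offset are the example's own.

```python
import re
from typing import Dict, Optional

# Constructed sample input: the two decompiler excerpts quoted in the gist,
# trimmed to the lines that matter. On a real build you would paste the
# current pseudocode of each function here (or read it from a file).
SKPSP_FIND_POLICY = """
__int64 __fastcall SkpspFindPolicy(__int64 a1, __int64 a2, int a3, __int64 a4, __int64 a5)
{
    v12 = 0i64;
    v9 = a1 + 0x1B8;
    v10 = RtlLookupImagePolicyValue(a1 + 0x1B8, a2, &v12);
}
"""

SKE_SELECT_PAS = """
signed __int64 __fastcall SkeSelectProcessAddressSpace(__int64 a1)
{
    v1 = __getcallerseflags();
    _disable();
    v2 = v1;
    v3 = *(_QWORD *)(a1 + 0x40);
}
"""

# Decompilers emit immediates as hex (0x1B8) or occasionally decimal; int(x, 0)
# accepts both.
_IMM = r"(0x[0-9A-Fa-f]+|\d+)"


def find_call_arg_offset(pseudocode: str, base: str, callee: str) -> Optional[int]:
    """Displacement added to `base` in the first argument of a call to `callee`.

    Matches e.g. 'RtlLookupImagePolicyValue(a1 + 0x1B8, ...)'. Returns None when
    the anchor is missing, so a changed build fails loudly instead of yielding a
    stale offset.
    """
    pat = re.compile(rf"\b{re.escape(callee)}\(\s*{re.escape(base)}\s*\+\s*{_IMM}")
    m = pat.search(pseudocode)
    return int(m.group(1), 0) if m else None


def find_deref_offset(pseudocode: str, base: str, width: str = "_QWORD") -> Optional[int]:
    """Displacement in the first '*(width *)(base + off)' dereference of `base`.

    Only the first dereference is taken, which is what the gist's hint relies
    on; later derefs of the same object are not considered.
    """
    pat = re.compile(
        rf"\*\(\s*{re.escape(width)}\s*\*\s*\)\s*\(\s*{re.escape(base)}\s*\+\s*{_IMM}\s*\)"
    )
    m = pat.search(pseudocode)
    return int(m.group(1), 0) if m else None


def extract_skprocess_offsets(find_policy_src: str, select_pas_src: str) -> Dict[str, Optional[int]]:
    """Apply both hints and return the recovered SKPROCESS field offsets.

    Assumes, as in the gist, that the SKPROCESS object is the first parameter
    (a1) of both functions. A None value means the anchor pattern was not
    found and the hint must be re-derived for that build.
    """
    return {
        "Policy": find_call_arg_offset(find_policy_src, "a1", "RtlLookupImagePolicyValue"),
        "PageTableEntry": find_deref_offset(select_pas_src, "a1"),
    }


if __name__ == "__main__":
    for name, off in extract_skprocess_offsets(SKPSP_FIND_POLICY, SKE_SELECT_PAS).items():
        print(f"SKPROCESS.{name}: {'not found' if off is None else hex(off)}")
```

Run it as-is to see the offsets from the gist's excerpts; swap in pseudocode dumped from a newer securekernel.exe to check whether the anchors still hold. The regexes deliberately key on the anchor (the callee name or the first _QWORD dereference) rather than on the temporaries v9/v3, since the decompiler renumbers those freely between builds.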