I'm trying to figure out the ARM64 architecture using the ARM build of Windows 11. I can see that the KeGetCurrentIrql function is converted to:
ldrb w0, [xpr, #0x38]
ret
If I understand this correctly, the xpr register is x18, and thus the ldrb instruction reads a byte from the memory address taken from the x18 register, plus the 0x38 offset.
So, when I trigger a breakpoint on the ldrb instruction, I try the following in WinDbg:
kd> r x18
x18=0000000000000000
But how can it be that x18 is 0? The TEB cannot be 0. What am I missing here?
If I do:
kd> !teb
TEB at 0000003d7af95000
...
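The two-instruction body of KeGetCurrentIrql quoted above is a single LDRB (immediate, unsigned offset) followed by ret, so the whole function is "load one byte at a fixed offset from the platform register". The Microsoft ARM64 ABI documentation reserves x18 as that platform register (it points to the TEB in user mode and to the KPCR in kernel mode), which is why WinDbg shows it as xpr. The decoder below, added here as an example and not part of the post, splits the instruction word into its Rt/Rn/imm12 fields, prints it with the debugger's alias names, and performs the load against a small dict-based memory model so the effect of a zero base register is visible. The instruction word, the kernel address and the IRQL byte are constructed for the example; the x18 -> xpr alias follows the post, and fp/lr are the standard AArch64 names for x29/x30.

```python
"""Decode and encode the AArch64 LDRB (immediate, unsigned offset) form that
KeGetCurrentIrql compiles to, using WinDbg's register aliases (x18 -> xpr).

Added example: the instruction word and the sample memory are constructed here,
not taken from a Windows binary."""

# Debugger aliases for 64-bit base registers (assumption: x18 -> xpr as in the
# post; fp/lr/sp are the architectural names for x29/x30/x31 in a base slot).
BASE_ALIASES = {18: "xpr", 29: "fp", 30: "lr", 31: "sp"}

LDRB_IMM_MASK = 0xFFC00000  # bits [31:22] identify LDRB (immediate, unsigned offset)
LDRB_IMM_BITS = 0x39400000  # size=00 111 V=0 01 opc=01, shifted to bit 22


def base_reg_name(rn):
    """Name the base register the way the debugger prints it."""
    return BASE_ALIASES.get(rn, f"x{rn}")


def decode_ldrb_imm(word):
    """Split a 32-bit LDRB (immediate, unsigned offset) word into its fields.

    Byte loads use scale 1, so imm12 is the byte offset directly."""
    if (word & LDRB_IMM_MASK) != LDRB_IMM_BITS:
        raise ValueError(f"0x{word:08x} is not LDRB (immediate, unsigned offset)")
    rt = word & 0x1F
    rn = (word >> 5) & 0x1F
    imm12 = (word >> 10) & 0xFFF
    return {
        "mnemonic": "ldrb",
        "rt": "wzr" if rt == 31 else f"w{rt}",
        "rn": base_reg_name(rn),
        "rn_index": rn,
        "offset": imm12,
    }


def encode_ldrb_imm(rt, rn, offset):
    """Build the instruction word for `ldrb w<rt>, [x<rn>, #offset]`."""
    if not (0 <= rt <= 31 and 0 <= rn <= 31 and 0 <= offset <= 0xFFF):
        raise ValueError("field out of range")
    return LDRB_IMM_BITS | (offset << 10) | (rn << 5) | rt


def format_insn(fields):
    """Render decoded fields in the same form WinDbg's disassembly uses."""
    return f"{fields['mnemonic']} {fields['rt']}, [{fields['rn']}, #0x{fields['offset']:x}]"


def simulate_load(fields, regs, memory):
    """Perform the byte load against a dict-based memory model.

    regs maps register index -> 64-bit value; memory maps address -> byte.
    An unmapped address raises KeyError, standing in for the fault a real
    CPU would take on that access."""
    base = regs.get(fields["rn_index"], 0)
    addr = (base + fields["offset"]) & 0xFFFFFFFFFFFFFFFF
    if addr not in memory:
        raise KeyError(f"unmapped address 0x{addr:x}")
    return memory[addr]


if __name__ == "__main__":
    word = encode_ldrb_imm(rt=0, rn=18, offset=0x38)
    fields = decode_ldrb_imm(word)
    print(f"0x{word:08x}  {format_insn(fields)}")  # 0x3940e240  ldrb w0, [xpr, #0x38]

    # Constructed processor-block image: one IRQL byte (2 = DISPATCH_LEVEL) at +0x38.
    pcr_base = 0xFFFFF80012340000  # constructed kernel address, not a real one
    memory = {pcr_base + 0x38: 2}
    print("irql with xpr set:", simulate_load(fields, {18: pcr_base}, memory))
    try:
        simulate_load(fields, {18: 0}, memory)  # the post's x18=0 case: reads address 0x38
    except KeyError as e:
        print("irql with xpr = 0:", e)
```

Run stand-alone, the script prints the decoded instruction and then shows that with x18 = 0 the load would target address 0x38, which is exactly the access that cannot be what the running kernel performs.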