Deleted

Category: windows hardware wdk and driver development

Question

MigrationUser 1 on Tue, 28 Aug 2018 21:00:22


Deleted

Replies

Doron Holan [MSFT] on Tue, 28 Aug 2018 22:13:14


What bigger problem are you trying to solve? The kernel isn’t really a traditional process

MigrationUser 1 on Tue, 28 Aug 2018 22:54:32


Deleted

Brian Catlin on Tue, 28 Aug 2018 23:00:38


You cannot do that from usermode (application); you'll have to write a driver to access system (kernel) address space

 -Brian

MigrationUser 1 on Tue, 28 Aug 2018 23:09:49


Deleted

Brian Catlin on Tue, 28 Aug 2018 23:44:20


You seem to be confused. As was mentioned earlier, NTOSKRNL is not a process. The System process (4) isn't a real process, either (it is compiled into the system), and doesn't have user address space (anymore). As such, you cannot access its address space from usermode. You can poke around a little using the SysInternals tool Process Explorer (ProcExp). Yes, it displays some of the addresses that you're probably interested in, but it uses a driver to get those addresses.

 -Brian

MigrationUser 1 on Wed, 29 Aug 2018 00:06:24


Deleted

Brian Catlin on Wed, 29 Aug 2018 00:38:06


We try not to make assumptions because we deal with a lot of beginners, here.

{Nt|Zw}QuerySystemInformation has the ability to return the address of every module loaded in the system; however, the SystemInformationClass that you need is not documented. I am not allowed to disseminate undocumented features; however, with a little work searching the internet (Google, not Bing) you can find what you need.

 -Brian

MigrationUser 1 on Wed, 29 Aug 2018 00:49:16


Deleted

Doron Holan [MSFT] on Wed, 29 Aug 2018 05:10:50


AuxKlibQueryModuleInformation will return the ImageBase of nt(oskrnl) without resorting to undocumented functions or enum values
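The documented route Doron points at, shown as an added example (this is not code from the thread, from Microsoft, or from the WDK samples): a driver calls `AuxKlibInitialize`, sizes and fills an array of `AUX_MODULE_EXTENDED_INFO`, and then picks out the entry whose file name is `ntoskrnl.exe`. The same array is what a defender would walk to inventory every loaded kernel module, for instance to check drivers against an allowlist. The function names `FindModuleBase`, `QueryKernelImageBase`, `BuildSampleModuleList` and `LookupInSample`, the pool tag, and the constructed sample addresses are all assumptions made here; the struct mirror under `#else` exists only so the lookup logic can be unit-tested on an ordinary C toolchain, and it assumes the field layout published in `aux_klib.h`.

```c
/* Added example: locate the ntoskrnl image base with AuxKlibQueryModuleInformation.
 * Inside a WDK build (_KERNEL_MODE defined) the real headers are used; on a host
 * toolchain a mirror of the WDK types is declared so FindModuleBase can be tested. */
#ifdef _KERNEL_MODE
#include <ntddk.h>
#include <aux_klib.h>
#else
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
typedef unsigned long ULONG;
typedef unsigned short USHORT;
typedef unsigned char UCHAR;
typedef void *PVOID;
#define AUX_KLIB_MODULE_PATH_LEN 256
/* Mirror of the WDK layout (assumption: matches aux_klib.h). */
typedef struct _AUX_MODULE_BASIC_INFO { PVOID ImageBase; } AUX_MODULE_BASIC_INFO;
typedef struct _AUX_MODULE_EXTENDED_INFO {
    AUX_MODULE_BASIC_INFO BasicInfo;
    ULONG ImageSize;
    USHORT FileNameOffset;                      /* offset of the bare file name in FullPathName */
    UCHAR FullPathName[AUX_KLIB_MODULE_PATH_LEN];
} AUX_MODULE_EXTENDED_INFO, *PAUX_MODULE_EXTENDED_INFO;
#endif

/* Case-insensitive ASCII compare; avoids CRT/RTL dependencies on either side. */
static int EqualsIgnoreCase(const char *a, const char *b)
{
    for (; *a && *b; ++a, ++b) {
        int ca = (*a >= 'A' && *a <= 'Z') ? *a + 32 : *a;
        int cb = (*b >= 'A' && *b <= 'Z') ? *b + 32 : *b;
        if (ca != cb) return 0;
    }
    return *a == *b;
}

/* Return the ImageBase of the module whose file name equals FileName, or NULL.
 * FileNameOffset skips the \SystemRoot\system32\ style path prefix for us. */
PVOID FindModuleBase(const AUX_MODULE_EXTENDED_INFO *Modules, ULONG Count, const char *FileName)
{
    for (ULONG i = 0; i < Count; ++i) {
        USHORT off = Modules[i].FileNameOffset;
        if (off >= AUX_KLIB_MODULE_PATH_LEN) continue;      /* defensive: malformed entry */
        if (EqualsIgnoreCase((const char *)&Modules[i].FullPathName[off], FileName))
            return Modules[i].BasicInfo.ImageBase;
    }
    return NULL;
}

#ifdef _KERNEL_MODE
/* Driver side (hypothetical helper): must run at PASSIVE_LEVEL. The module list can
 * change between the two calls, so a STATUS_BUFFER_TOO_SMALL on the second call
 * simply means "retry with the new size". */
NTSTATUS QueryKernelImageBase(PVOID *ImageBase)
{
    ULONG size = 0;
    NTSTATUS status = AuxKlibInitialize();
    if (!NT_SUCCESS(status)) return status;
    status = AuxKlibQueryModuleInformation(&size, sizeof(AUX_MODULE_EXTENDED_INFO), NULL);
    if (!NT_SUCCESS(status) || size == 0) return status;
    PAUX_MODULE_EXTENDED_INFO mods = ExAllocatePoolWithTag(PagedPool, size, 'bMxA');
    if (mods == NULL) return STATUS_INSUFFICIENT_RESOURCES;
    status = AuxKlibQueryModuleInformation(&size, sizeof(AUX_MODULE_EXTENDED_INFO), mods);
    if (NT_SUCCESS(status)) {
        *ImageBase = FindModuleBase(mods, size / sizeof(AUX_MODULE_EXTENDED_INFO), "ntoskrnl.exe");
        if (*ImageBase == NULL) status = STATUS_NOT_FOUND;
    }
    ExFreePoolWithTag(mods, 'bMxA');
    return status;
}
#else
/* Host side: a constructed module list standing in for what the API would fill. */
#define SAMPLE_NT_BASE ((PVOID)(uintptr_t)0x400000)   /* constructed, not a real address */
ULONG BuildSampleModuleList(AUX_MODULE_EXTENDED_INFO *out, ULONG capacity)
{
    static const char *paths[] = {
        "\\SystemRoot\\system32\\ntoskrnl.exe",
        "\\SystemRoot\\system32\\hal.dll",
        "\\SystemRoot\\System32\\drivers\\tcpip.sys",
    };
    ULONG n = 0;
    for (; n < 3 && n < capacity; ++n) {
        memset(&out[n], 0, sizeof out[n]);
        out[n].BasicInfo.ImageBase = (PVOID)((uintptr_t)SAMPLE_NT_BASE + n * 0x100000);
        out[n].ImageSize = 0x100000;
        strncpy((char *)out[n].FullPathName, paths[n], AUX_KLIB_MODULE_PATH_LEN - 1);
        out[n].FileNameOffset = (USHORT)(strrchr(paths[n], '\\') - paths[n] + 1);
    }
    return n;
}

PVOID LookupInSample(const char *FileName)
{
    AUX_MODULE_EXTENDED_INFO list[4];
    ULONG n = BuildSampleModuleList(list, 4);
    return FindModuleBase(list, n, FileName);
}

int main(void)
{
    printf("ntoskrnl.exe base (sample) = %p\n", LookupInSample("ntoskrnl.exe"));
    return 0;
}
#endif
```

The lookup matches on the bare file name via `FileNameOffset` and ignores case, since the kernel reports paths such as `\SystemRoot\system32\ntoskrnl.exe` and casing of the prefix varies; the bound check on `FileNameOffset` keeps a malformed entry from reading past the struct.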