How to predict ntoskrnl.exe DirBase?

Hey there, I’m trying to predict the dirbase for ntoskrnl.exe. I definitely think this is possible because on restart my dirbase doesn’t change, it seems like only on different Windows builds there are different dirbases. By the way, I’m trying to predict from usermode, not from kernel. Anyone have any ideas?

What bigger problem are you trying to solve? You can get auxklib to get the list of loaded modules, which includes ntos, and that gives the image base address.

d

Bent from my phone


@Doron_Holan said:
What bigger problem are you trying to solve? You can get auxklib to get the list of loaded modules, which includes ntos, and that gives the image base address.

d

Bent from my phone


Not trying to get the image base address. I want the physical memory address for the directory base, otherwise known as dirbase. Simple as that.

I want the physical memory address for the directory base, otherwise known as dirbase. Simple as that.

No, NOT “simple as that”… The natural question for us to ask is “WHY do you want to do this? What larger problem are you attempting to solve?”

So, please do us the favor of answering those questions… and then we’ll answer yours. Deal?

Peter

@“Peter_Viscarola_(OSR)” said:

I want the physical memory address for the directory base, otherwise known as dirbase. Simple as that.

No, NOT “simple as that”… The natural question for us to ask is “WHY do you want to do this? What larger problem are you attempting to solve?”

So, please do us the favor of answering those questions… and then we’ll answer yours. Deal?

Peter

I have physical memory access and I’d like to convert physical to virtual addresses and vice versa. Now can we stop playing games? Does anyone know how to predict the dirbase (given it’s static per Windows build) or not?

OK here you go, all you want is to convert a physical address to a virtual address? MmMapIoSpace, or its cousin MmMapIoSpaceEx.

Game on.

Mark Roddy

Zenius wrote:

I have physical memory access and I’d like to convert physical to virtual addresses and vice versa. Now can we stop playing games? Does anyone know how to predict the dirbase (given it’s static per Windows build) or not?

No, I don’t think we’re through “playing games” yet. There are damned few legitimate uses for this kind of information, and quite a number of malicious uses. You haven’t provided enough information yet to establish that your use case is legitimate. Until that point, I’m certainly not going to offer solutions.

If that pisses you off, well, too bad. All of the long-time members here are kernel professionals, and we have certain ethical standards. If you’re asking for exceptional information, then you need an exceptional reason.

Now can we stop playing games

Well, you can very specifically stop playing games. Because, you know, you’re now on moderation… where I’ll wait for you to answer my question to my satisfaction.

Aside from that, I’m good, thanks.

Peter

@Tim_Roberts said:
Zenius wrote:

I have physical memory access and I’d like to convert physical to virtual addresses and vice versa. Now can we stop playing games? Does anyone know how to predict the dirbase (given it’s static per Windows build) or not?

No, I don’t think we’re through “playing games” yet. There are damned few legitimate uses for this kind of information, and quite a number of malicious uses. You haven’t provided enough information yet to establish that your use case is legitimate. Until that point, I’m certainly not going to offer solutions.

If that pisses you off, well, too bad. All of the long-time members here are kernel professionals, and we have certain ethical standards. If you’re asking for exceptional information, then you need an exceptional reason.

@“Peter_Viscarola_(OSR)” said:

Now can we stop playing games

Well, you can very specifically stop playing games. Because, you know, you’re now on moderation… where I’ll wait for you to answer my question to my satisfaction.

Aside from that, I’m good, thanks.

Peter

I believe this is the reason you guys were dying to hear, not going to lie - extremely frustrating that I have to explain this and in my opinion none of your business. Nevertheless:

I have found a physical memory read vulnerability in a popular driver; however, I want to make a working proof of concept before sending it in. See, I can read an arbitrary physical memory address, but that alone won’t do crazy much. I’ve looked into the Volatility framework, but I realized instead while debugging in WinDbg that my Dirbase doesn’t change (after restart)! This gave me an idea: if I can predict this value (which doesn’t seem that crazy hard), I can then convert between physical and virtual (kernel). I can then use this in combination with won’t-fix usermode kernel leaks (i.e., the NtQuerySystemInformation EPROCESS leak) to make a cool PoC. Just having physical memory read is difficult to work off of, but I believe it’s possible.

Does this satisfy your needs?