Hello!
I need to get the base address of ntdll.dll. For Windows 7 and lower I used
ZwQuerySystemInformation. But under Windows 8 ntdll.dll is invisible
for this function.
I have implemented another algorithm using ZwQuerySection. It works
correctly on Windows 7, but it returns a bad address on Windows 8. The
address differs from the real base address by a constant 0x30670.
Could anybody explain what the problem is?
Here is the code of my new algorithm implementation:
PVOID LookforNtdll( )
{
    PVOID pDLL = NULL;
    IO_STATUS_BLOCK IoStBlock;
    UNICODE_STRING usLibraryName;
    OBJECT_ATTRIBUTES ObjAttrF;
    NTSTATUS status = 0;
    HANDLE hFile = INVALID_HANDLE_VALUE;
    HANDLE hSect = INVALID_HANDLE_VALUE;
    PSECTION_IMAGE_INFORMATION pB = NULL;

    // Open the on-disk ntdll.dll so that a section can be created from it
    RtlInitUnicodeString( &usLibraryName,
        L"\\DosDevices\\c:\\windows\\system32\\ntdll.dll" );
    InitializeObjectAttributes( &ObjAttrF, &usLibraryName,
        OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL );
    status = ZwOpenFile( &hFile, GENERIC_READ, &ObjAttrF, &IoStBlock,
        FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_NON_DIRECTORY_FILE );
    if ( status == STATUS_SUCCESS ) {
        UNICODE_STRING usSectName;
        OBJECT_ATTRIBUTES ObjAttrS;
        LARGE_INTEGER Size;

        RtlInitUnicodeString( &usSectName,
            L"\\BaseNamedObjects\\NtDllSharedSection" );
        InitializeObjectAttributes( &ObjAttrS, &usSectName,
            OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL );
        Size.HighPart = 0;
        Size.LowPart = 0x1000;
        // 0x1000000 is SEC_IMAGE: map the file as a PE image
        status = ZwCreateSection( &hSect, SECTION_ALL_ACCESS,
            &ObjAttrS, &Size, PAGE_EXECUTE_READ, 0x1000000, hFile );
        if ( status == STATUS_SUCCESS ) {
            ULONG bufSize = Size.LowPart;
            pB = ExAllocatePoolWithTag( NonPagedPool, bufSize, 'Fnd2' );
            if ( pB ) {
                status = ZwQuerySection( hSect,
                    SectionImageInformation, pB, bufSize, &bufSize );
                if ( status == STATUS_SUCCESS )
                    // EntryPoint is the image entry point, not the load base
                    pDLL = pB->EntryPoint;
            }
        }
    }
    if ( hFile != INVALID_HANDLE_VALUE )
        ZwClose( hFile );
    if ( hSect != INVALID_HANDLE_VALUE )
        ZwClose( hSect );
    if ( pB )
        ExFreePool( pB );
    return ( pDLL );
}
Thanks
Valery
Comments
>
> I need to get the base address of ntdll.dll.
Why?
> For Windows 7 and lower I used
> ZwQuerySystemInformation. But under Windows 8 ntdll.dll is invisible
> for this function.
> I have implemented another algorithm using ZwQuerySection. It works
> correctly on Windows 7, but it returns a bad address on Windows 8. The
> address differs from the real base address by a constant 0x30670.
>
> Could anybody explain what the problem is?
The problem, of course, is that you are attempting to rely on undocumented implementation details. You can find entry points in ntdll.dll by linking with them, although that won’t help you find its PE headers.
—
Tim Roberts, [email protected]
Providenza & Boekelheide, Inc.
Can GetModuleHandle help?
--
Maxim S. Shatskih
Microsoft MVP on File System And Storage
[email protected]
http://www.storagecraft.com
7/12/2015 2:45 AM, Maxim S. Shatskih writes:
>> I need to get the base address of ntdll.dll.
> Can GetModuleHandle help?
>
If you register LoadImageNotify callback from your kernel component, you can get the base address whenever ntdll.dll is loaded.
On Sun, Jul 12, 2015 at 11:36 AM, Valery Druba
wrote:
> Thank you, Maxim, but I need base address in the kernel.
>
> 7/12/2015 2:45 AM, Maxim S. Shatskih пишет:
>
>> I need get pase address of ntdll.dll.
>>>
>> Can GetModuleHandle help?
>>
>>
>
> ---
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
Exactly. I use PsSetLoadImageNotifyRoutine and get the IMAGE_INFO structure
for ntdll.dll. But there is the same case.
The ImageBase field differs from the real base address by 0x30670:
ImageBase = 0x00007ffa`14480000, but the real address is 0x00007ffa`144b0670
Thanks
Valery
> If you register LoadImageNotify callback from your kernel component,
> you can get the base address whenever ntdll.dll is loaded.
>
> On Sun, Jul 12, 2015 at 11:36 AM, Valery Druba
> > wrote:
>
> Thank you, Maxim, but I need base address in the kernel.
>
> 7/12/2015 2:45 AM, Maxim S. Shatskih writes:
>
> I need to get the base address of ntdll.dll.
>
> Can GetModuleHandle help?
>
>
>
0x00007ffa`144b0670 can't be a base address; it's some address within the module.
You can check it using the lmvm ntdll.dll command.
> The ImageBase field differs from the real base address by 0x30670
> ImageBase = 0x00007ffa`14480000, but the real address is 0x00007ffa`144b0670
> Thanks
> Valery
>
> If you register LoadImageNotify callback from your kernel component, you can get the base address whenever ntdll.dll is loaded.
>
> On Sun, Jul 12, 2015 at 11:36 AM, Valery Druba <[email protected]> wrote:
> Thank you, Maxim, but I need the base address in the kernel.
>
> 7/12/2015 2:45 AM, Maxim S. Shatskih writes:
> I need to get the base address of ntdll.dll.
> Can GetModuleHandle help?
--
Best regards,
Михаил mailto:[email protected]
How do you know that 0x00007ffa`144b0670 is real? It's not page aligned and looks more like an entry point rather than a base address.
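A user-mode check of the point made in this reply, added here as an example (not code from anyone in the thread): it reads AddressOfEntryPoint from a constructed PE32+ header, tests the 64 KiB alignment an image base must have, and walks the thread's 0x00007ffa`144b0670 back to 0x00007ffa`14480000 by the 0x30670 delta. The header bytes are constructed for the example and are not a real ntdll.dll header.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* PE/COFF header offsets; no Windows headers are needed, so this builds on any host. */
#define DOS_MAGIC        0x5A4Du     /* "MZ" */
#define DOS_E_LFANEW     0x3Cu       /* IMAGE_DOS_HEADER.e_lfanew */
#define PE_SIGNATURE     0x00004550u /* "PE\0\0" */
#define OPT_HDR_OFFSET   24u         /* Signature (4) + IMAGE_FILE_HEADER (20) */
#define OPT_MAGIC_PE32P  0x20Bu
#define OPT_ENTRY_OFFSET 16u         /* IMAGE_OPTIONAL_HEADER64.AddressOfEntryPoint */

static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* AddressOfEntryPoint (an RVA) from a PE32+ header in memory; 0 if the buffer is not a sane PE32+. */
uint32_t pe_entry_rva(const uint8_t *img, size_t len)
{
    if (len < DOS_E_LFANEW + 4 || rd16(img) != DOS_MAGIC) return 0;
    size_t pe = rd32(img + DOS_E_LFANEW);
    if (pe + OPT_HDR_OFFSET + OPT_ENTRY_OFFSET + 4 > len) return 0; /* header runs off the buffer */
    if (rd32(img + pe) != PE_SIGNATURE) return 0;
    const uint8_t *opt = img + pe + OPT_HDR_OFFSET;
    return rd16(opt) == OPT_MAGIC_PE32P ? rd32(opt + OPT_ENTRY_OFFSET) : 0;
}
/* Image bases sit on 64 KiB allocation granularity; anything else is an address inside a module. */
int plausible_image_base(uint64_t addr) { return addr != 0 && (addr & 0xFFFFu) == 0; }
/* Walk an entry-point address back to the module base using the RVA read from the header. */
uint64_t base_from_entry(uint64_t entry, uint32_t entry_rva) { return entry - entry_rva; }

/* Constructed sample header (not a real ntdll.dll): just enough PE32+ to carry
 * AddressOfEntryPoint = 0x30670, the delta reported in the thread. */
void build_sample_header(uint8_t *buf, size_t len)
{
    if (len < 0xB0) return;
    memset(buf, 0, len);
    wr16(buf, DOS_MAGIC);
    wr32(buf + DOS_E_LFANEW, 0x80);                             /* PE header at offset 0x80 */
    wr32(buf + 0x80, PE_SIGNATURE);
    wr16(buf + 0x80 + OPT_HDR_OFFSET, OPT_MAGIC_PE32P);
    wr32(buf + 0x80 + OPT_HDR_OFFSET + OPT_ENTRY_OFFSET, 0x30670);
}
```

With the thread's numbers, plausible_image_base(0x00007ffa144b0670) is 0 and base_from_entry(0x00007ffa144b0670, 0x30670) gives 0x00007ffa14480000, the ImageBase the LoadImage callback reported.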
I'm closing my question, because I found a mistake.
Thanks
Valery
> Re: [ntdev] How to get base address of ntdll.dll under kernel Windows 8
>
> 0x00007ffa`144b0670 can't be a base address; it's some address within the module.
> You can check it using the lmvm ntdll.dll command.
>
>
> Exactly. I use PsSetLoadImageNotifyRoutine and get the IMAGE_INFO
> structure for ntdll.dll. But there is the same case.
> The ImageBase field differs from the real base address by 0x30670
>
> ImageBase = 0x00007ffa`14480000, but real address is 0x00007ffa`144b0670
>
> Thanks
> Valery
>
>
> If you register LoadImageNotify callback from your kernel component,
> you can get the base address whenever ntdll.dll is loaded.
>
> On Sun, Jul 12, 2015 at 11:36 AM, Valery Druba
> > wrote:
> Thank you, Maxim, but I need base address in the kernel.
>
> 7/12/2015 2:45 AM, Maxim S. Shatskih writes:
> I need to get the base address of ntdll.dll.
> Can GetModuleHandle help?
>
>
>
> --
> Best regards,
> Михаил mailto:[email protected]
NTSTATUS LookforNtdll(void** ppv)
{
    NTSTATUS status;
    UNICODE_STRING usSectName = RTL_CONSTANT_STRING(L"\\KnownDlls\\ntdll.dll");
    OBJECT_ATTRIBUTES oa;
    HANDLE hSection;

    // The KnownDlls section for ntdll.dll already exists; open it instead of creating one from the file
    InitializeObjectAttributes(&oa, &usSectName, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);
    if (NT_SUCCESS(status = ZwOpenSection(&hSection, SECTION_QUERY, &oa)))
    {
        SECTION_IMAGE_INFORMATION sii;
        if (NT_SUCCESS(status = ZwQuerySection(hSection, SectionImageInformation, &sii, sizeof(sii), NULL)))
        {
            // TransferAddress is the image entry point, not the load base
            *ppv = sii.TransferAddress;
        }
        ZwClose(hSection);
    }
    return status;
}