Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.More Info on Driver Writing and Debugging
The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.
Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/
How to get base address of ntdll.dll under kernel Windows 8
Valery_Druba
Member Posts: 27
in NTDEV
Hello!
I need get pase address of ntdll.dll. For Windows 7 and lower I used
ZwQuerySystemInformation. But under Windows 8 ntdll.dll is invisible
for this function.
I have implemented another algorithm using ZwQuerySection. It correct
works on Windows 7, but it returns bad address for Windows 8. The
address defers from real base address on constant 0x30670.
Could anybody explain what is the problem ?
There is the code of my new algorithm implementation :
PVOID LookforNtdll( )
{
PVOID pDLL = NULL;
IO_STATUS_BLOCK IoStBlock;
UNICODE_STRING usLibraryName ;
OBJECT_ATTRIBUTES ObjAttrF;
NTSTATUS status = 0;
HANDLE hFile = INVALID_HANDLE_VALUE;
HANDLE hSect = INVALID_HANDLE_VALUE;
PSECTION_IMAGE_INFORMATION pB = NULL;
RtlInitUnicodeString ( &usLibraryName,
L"\\DosDevices\\c:\\windows\\system32\\ntdll.dll" ) ;
InitializeObjectAttributes( &ObjAttrF, &usLibraryName,
OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL );
status = ZwOpenFile(&hFile, GENERIC_READ, &ObjAttrF, &IoStBlock,
FILE_SHARE_READ|FILE_SHARE_WRITE, FILE_NON_DIRECTORY_FILE );
if ( status == STATUS_SUCCESS ) {
UNICODE_STRING usSectName;
OBJECT_ATTRIBUTES ObjAttrS;
LARGE_INTEGER Size;
RtlInitUnicodeString ( &usSectName,
L"\\BaseNamedObjects\\NtDllSharedSection" ) ;
InitializeObjectAttributes ( &ObjAttrS, &usSectName,
OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL ) ;
Size.HighPart = 0 ;
Size.LowPart = 0x1000 ;
status = ZwCreateSection ( &hSect, SECTION_ALL_ACCESS,
&ObjAttrS, &Size, PAGE_EXECUTE_READ, 0x1000000, hFile ) ;
if ( status == STATUS_SUCCESS ) {
ULONG bufSize = 0;
bufSize = Size.LowPart;
pB = ExAllocatePoolWithTag(NonPagedPool, bufSize, 'Fnd2' );
if (pB) {
status = ZwQuerySection ( hSect,
SectionImageInformation, pB, bufSize, &bufSize );
if (status == STATUS_SUCCESS)
pDLL = pB->EntryPoint ;
}
}
}
}
if (hFile != INVALID_HANDLE_VALUE)
ZwClose( hFile ) ;
if (hSect != INVALID_HANDLE_VALUE)
ZwClose( hSect ) ;
if (pB)
ExFreePool(pB);
return ( pDLL ) ;
}
Thanks
Valery
I need get pase address of ntdll.dll. For Windows 7 and lower I used
ZwQuerySystemInformation. But under Windows 8 ntdll.dll is invisible
for this function.
I have implemented another algorithm using ZwQuerySection. It correct
works on Windows 7, but it returns bad address for Windows 8. The
address defers from real base address on constant 0x30670.
Could anybody explain what is the problem ?
There is the code of my new algorithm implementation :
PVOID LookforNtdll( )
{
PVOID pDLL = NULL;
IO_STATUS_BLOCK IoStBlock;
UNICODE_STRING usLibraryName ;
OBJECT_ATTRIBUTES ObjAttrF;
NTSTATUS status = 0;
HANDLE hFile = INVALID_HANDLE_VALUE;
HANDLE hSect = INVALID_HANDLE_VALUE;
PSECTION_IMAGE_INFORMATION pB = NULL;
RtlInitUnicodeString ( &usLibraryName,
L"\\DosDevices\\c:\\windows\\system32\\ntdll.dll" ) ;
InitializeObjectAttributes( &ObjAttrF, &usLibraryName,
OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL );
status = ZwOpenFile(&hFile, GENERIC_READ, &ObjAttrF, &IoStBlock,
FILE_SHARE_READ|FILE_SHARE_WRITE, FILE_NON_DIRECTORY_FILE );
if ( status == STATUS_SUCCESS ) {
UNICODE_STRING usSectName;
OBJECT_ATTRIBUTES ObjAttrS;
LARGE_INTEGER Size;
RtlInitUnicodeString ( &usSectName,
L"\\BaseNamedObjects\\NtDllSharedSection" ) ;
InitializeObjectAttributes ( &ObjAttrS, &usSectName,
OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL ) ;
Size.HighPart = 0 ;
Size.LowPart = 0x1000 ;
status = ZwCreateSection ( &hSect, SECTION_ALL_ACCESS,
&ObjAttrS, &Size, PAGE_EXECUTE_READ, 0x1000000, hFile ) ;
if ( status == STATUS_SUCCESS ) {
ULONG bufSize = 0;
bufSize = Size.LowPart;
pB = ExAllocatePoolWithTag(NonPagedPool, bufSize, 'Fnd2' );
if (pB) {
status = ZwQuerySection ( hSect,
SectionImageInformation, pB, bufSize, &bufSize );
if (status == STATUS_SUCCESS)
pDLL = pB->EntryPoint ;
}
}
}
}
if (hFile != INVALID_HANDLE_VALUE)
ZwClose( hFile ) ;
if (hSect != INVALID_HANDLE_VALUE)
ZwClose( hSect ) ;
if (pB)
ExFreePool(pB);
return ( pDLL ) ;
}
Thanks
Valery
Howdy, Stranger!
| Upcoming OSR Seminars | ||
|---|---|---|
| OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead! | ||
| Writing WDF Drivers | 12 September 2022 | Live, Online |
| Internals & Software Drivers | 23 October 2022 | Live, Online |
| Kernel Debugging | 14 November 2022 | Live, Online |
| Developing Minifilters | 5 December 2022 | Live, Online |
Comments
>
> I need get pase address of ntdll.dll.
Why?
> For Windows 7 and lower I used
> ZwQuerySystemInformation. But under Windows 8 ntdll.dll is invisible
> for this function.
> I have implemented another algorithm using ZwQuerySection. It correct
> works on Windows 7, but it returns bad address for Windows 8. The
> address defers from real base address on constant 0x30670.
>
> Could anybody explain what is the problem ?
The problem, of course, is that you are attempting to rely on undocumented implementation details. You can find entry points in ntdll.dll by linking with them, although that won’t help you find its PE headers.
—
Tim Roberts, [email protected]
Providenza & Boekelheide, Inc.
Tim Roberts, [email protected]
Providenza & Boekelheide, Inc.
Can GetModuleHandle help?
--
Maxim S. Shatskih
Microsoft MVP on File System And Storage
[email protected]
http://www.storagecraft.com
7/12/2015 2:45 AM, Maxim S. Shatskih пишет:
>> I need get pase address of ntdll.dll.
> Can GetModuleHandle help?
>
can get the base address whenever ntdll.dll is loaded.
On Sun, Jul 12, 2015 at 11:36 AM, Valery Druba
wrote:
> Thank you, Maxim, but I need base address in the kernel.
>
> 7/12/2015 2:45 AM, Maxim S. Shatskih пишет:
>
>> I need get pase address of ntdll.dll.
>>>
>> Can GetModuleHandle help?
>>
>>
>
> ---
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
for ntdll.dll. But there is the same case.
ImageBase field defers from real base address on 0x30670
ImageBase = 0x00007ffa`14480000, but real address is 0x00007ffa`144b0670
Thanks
Valery
> If you register LoadImageNotify callback from your kernel component,
> you can get the base address whenever ntdll.dll is loaded.
>
> On Sun, Jul 12, 2015 at 11:36 AM, Valery Druba
> > wrote:
>
> Thank you, Maxim, but I need base address in the kernel.
>
> 7/12/2015 2:45 AM, Maxim S. Shatskih пишет:
>
> I need get pase address of ntdll.dll.
>
> Can GetModuleHandle help?
>
>
>
> ---
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
>
> --- NTDEV is sponsored by OSR Visit the list at:
> http://www.osronline.com/showlists.cfm?list=ntdev OSR is HIRING!! See
> http://www.osr.com/careers For our schedule of WDF, WDM, debugging and
> other seminars visit: http://www.osr.com/seminars To unsubscribe,
> visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
0x00007ffa`144b0670 cant be a base address, it's some address within module.
you can check it using lmvm ntdll.dll command .
ImageBase field defers from real base address on 0x30670
ImageBase = 0x00007ffa`14480000, but real address is 0x00007ffa`144b0670
Thanks
Valery
If you register LoadImageNotify callback from your kernel component, you can get the base address whenever ntdll.dll is loaded.
On Sun, Jul 12, 2015 at 11:36 AM, Valery Druba <[email protected]> wrote:
Thank you, Maxim, but I need base address in the kernel.
7/12/2015 2:45 AM, Maxim S. Shatskih пишет:
I need get pase address of ntdll.dll.
Can GetModuleHandle help?
---
NTDEV is sponsored by OSR
Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
OSR is HIRING!! See http://www.osr.com/careers
For our schedule of WDF, WDM, debugging and other seminars visit: http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
--- NTDEV is sponsored by OSR Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev OSR is HIRING!! See http://www.osr.com/careers For our schedule of WDF, WDM, debugging and other seminars visit: http://www.osr.com/seminars To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
---
NTDEV is sponsored by OSR
Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
OSR is HIRING!! See http://www.osr.com/careers
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
--
С уважением,
Михаил mailto:[email protected]
How do you know that 0x00007ffa`144b0670 is real? It's not page aligned and looks more like an entry point rather than a base address.
I'm closing my question, because found a mistake
Thanks
Valery
> Re: [ntdev] How to get base address of ntdll.dll under kernel Windows
> 8 0x00007ffa`144b0670 cant be a base address, it's some address within
> module.
> you can check it using lmvm ntdll.dll command .
>
>
> Exactly. I use PsSetLoadImageNotifyRoutine and get IMAGE_INFO
> structure for ntdll.dll. But there is the same case.
> ImageBase field defers from real base address on 0x30670
>
> ImageBase = 0x00007ffa`14480000, but real address is 0x00007ffa`144b0670
>
> Thanks
> Valery
>
>
> If you register LoadImageNotify callback from your kernel component,
> you can get the base address whenever ntdll.dll is loaded.
>
> On Sun, Jul 12, 2015 at 11:36 AM, Valery Druba
> > wrote:
> Thank you, Maxim, but I need base address in the kernel.
>
> 7/12/2015 2:45 AM, Maxim S. Shatskih пишет:
> I need get pase address of ntdll.dll.
> Can GetModuleHandle help?
>
>
>
> ---
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
> --- NTDEV is sponsored by OSR Visit the list at:
> http://www.osronline.com/showlists.cfm?list=ntdev OSR is HIRING!! See
> http://www.osr.com/careers For our schedule of WDF, WDM, debugging and
> other seminars visit: http://www.osr.com/seminars To unsubscribe,
> visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
>
> ---
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
>
>
>
>
> /--
> С уважением,
> Михаил mailto:[email protected]
> ---
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer /
NTSTATUS LookforNtdll(void** ppv)
{
NTSTATUS status;
STATIC_OBJECT_ATTRIBUTES(oa, "\\KnownDlls\\ntdll.dll");
HANDLE hSection;
if (0 <= (status = ZwOpenSection(&hSection, SECTION_QUERY, &oa)))
{
SECTION_IMAGE_INFORMATION sii;
if (0 <= (status = ZwQuerySection(hSection, SectionImageInformation, &sii, sizeof(sii), 0)))
{
*ppv = sii.TransferAddress;
}
ZwClose(hSection);
}
return status;
}