How to get base address of ntdll.dll under kernel Windows 8

Hello!

I need to get the base address of ntdll.dll. For Windows 7 and lower I used
ZwQuerySystemInformation, but under Windows 8 ntdll.dll is invisible
to this function.
I have implemented another algorithm using ZwQuerySection. It works
correctly on Windows 7, but it returns a bad address on Windows 8. The
address differs from the real base address by a constant 0x30670.

Could anybody explain what the problem is?
Here is the code of my new algorithm implementation:

PVOID LookforNtdll( )
{
    PVOID pDLL = NULL;
    IO_STATUS_BLOCK IoStBlock;
    UNICODE_STRING usLibraryName;
    OBJECT_ATTRIBUTES ObjAttrF;
    NTSTATUS status = STATUS_SUCCESS;
    HANDLE hFile = NULL;    // kernel handles start out NULL, not INVALID_HANDLE_VALUE
    HANDLE hSect = NULL;
    // SECTION_IMAGE_INFORMATION is not in the public WDK headers; it is declared elsewhere in the driver
    PSECTION_IMAGE_INFORMATION pB = NULL;

    RtlInitUnicodeString( &usLibraryName,
        L"\\DosDevices\\c:\\windows\\system32\\ntdll.dll" );
    InitializeObjectAttributes( &ObjAttrF, &usLibraryName,
        OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL );

    status = ZwOpenFile( &hFile, GENERIC_READ, &ObjAttrF, &IoStBlock,
        FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_NON_DIRECTORY_FILE );
    if ( NT_SUCCESS( status ) ) {
        UNICODE_STRING usSectName;
        OBJECT_ATTRIBUTES ObjAttrS;
        LARGE_INTEGER Size;

        RtlInitUnicodeString( &usSectName,
            L"\\BaseNamedObjects\\NtDllSharedSection" );
        InitializeObjectAttributes( &ObjAttrS, &usSectName,
            OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL );

        Size.QuadPart = 0x1000;

        // SEC_IMAGE (0x1000000): map the file as an executable image
        status = ZwCreateSection( &hSect, SECTION_ALL_ACCESS,
            &ObjAttrS, &Size, PAGE_EXECUTE_READ, SEC_IMAGE, hFile );
        if ( NT_SUCCESS( status ) ) {
            SIZE_T bufSize = (SIZE_T)Size.LowPart;   // ReturnLength is a SIZE_T, not a ULONG

            pB = ExAllocatePoolWithTag( NonPagedPool, bufSize, 'Fnd2' );
            if ( pB ) {
                status = ZwQuerySection( hSect,
                    SectionImageInformation, pB, bufSize, &bufSize );
                if ( NT_SUCCESS( status ) )
                    // EntryPoint is the image entry point (base + AddressOfEntryPoint), not the image base
                    pDLL = pB->EntryPoint;
            }
        }
    }

    if ( hFile )
        ZwClose( hFile );

    if ( hSect )
        ZwClose( hSect );

    if ( pB )
        ExFreePoolWithTag( pB, 'Fnd2' );

    return pDLL;
}

Thanks
Valery

On Jul 11, 2015, at 10:01 AM, Valery Druba wrote:
>
> I need to get the base address of ntdll.dll.

Why?

> For Windows 7 and lower I used
> ZwQuerySystemInformation, but under Windows 8 ntdll.dll is invisible
> to this function.
> I have implemented another algorithm using ZwQuerySection. It works
> correctly on Windows 7, but it returns a bad address on Windows 8. The
> address differs from the real base address by a constant 0x30670.
>
> Could anybody explain what the problem is?

The problem, of course, is that you are attempting to rely on undocumented implementation details. You can find entry points in ntdll.dll by linking with them, although that won’t help you find its PE headers.

Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

> I need to get the base address of ntdll.dll.

Can GetModuleHandle help?


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

Thank you, Maxim, but I need the base address in the kernel.

7/12/2015 2:45 AM, Maxim S. Shatskih wrote:

>> I need to get the base address of ntdll.dll.
> Can GetModuleHandle help?

If you register a LoadImageNotify callback from your kernel component, you
can get the base address whenever ntdll.dll is loaded.

On Sun, Jul 12, 2015 at 11:36 AM, Valery Druba wrote:

> Thank you, Maxim, but I need the base address in the kernel.
>
> 7/12/2015 2:45 AM, Maxim S. Shatskih wrote:
>
>>> I need to get the base address of ntdll.dll.
>>
>> Can GetModuleHandle help?
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

Exactly. I use PsSetLoadImageNotifyRoutine and get the IMAGE_INFO structure
for ntdll.dll. But it is the same case:
the ImageBase field differs from the real base address by 0x30670.

ImageBase = 0x00007ffa14480000, but the real address is 0x00007ffa144b0670

Thanks
Valery


0x00007ffa`144b0670 can't be a base address; it's some address within the module.

You can check it using the lmvm ntdll.dll command.


--

Best regards,

Михаил                          mailto:xxxxx@mail.ru

Valery,

How do you know that 0x00007ffa`144b0670 is real? It's not page aligned and looks more like an entry point than a base address.
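The test the last two replies describe (a base is page aligned; 0x...0670 is an address inside the module, most likely the entry point) in working code, as an added example that is not part of the thread or of any poster's driver. It declares the few IMAGE_DOS_HEADER / IMAGE_NT_HEADERS64 fields it needs locally, at the real PE offsets, instead of pulling in Windows headers, builds a constructed three-page sample image in memory (not a real ntdll; the RVA 0x2670 and 4 KiB page size are the example's assumptions), and then goes both ways: base + AddressOfEntryPoint gives the entry point that SECTION_IMAGE_INFORMATION reports, and walking back page by page from any in-module address to the first page carrying a valid PE header recovers the base. With the thread's numbers, 0x00007ffa144b0670 - 0x00007ffa14480000 = 0x30670 is consistent with exactly that kind of delta. The walk-back takes its lower bound as a parameter because a real process would get it from VirtualQuery (AllocationBase) rather than probe pages that might be unmapped.

```c
/* Added example, not from the thread: tell an image base from an entry point and
 * derive each from the other via the PE headers. No Windows headers: the structs
 * below carry the real PE offsets, and the "image" is a constructed sample. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAGE_SIZE_X64       0x1000u
#define IMAGE_SIZE          (3 * PAGE_SIZE_X64)   /* size of the constructed sample */
#define IMAGE_DOS_SIGNATURE 0x5A4Du               /* "MZ" */
#define IMAGE_NT_SIGNATURE  0x00004550u           /* "PE\0\0" */
#define PE32PLUS_MAGIC      0x20Bu                /* IMAGE_NT_OPTIONAL_HDR64_MAGIC */

typedef struct {            /* IMAGE_DOS_HEADER, only what we need */
    uint16_t e_magic;
    uint8_t  e_unused[58];
    uint32_t e_lfanew;      /* offset 60: where "PE\0\0" lives */
} dos_header_t;

typedef struct {            /* IMAGE_NT_HEADERS64 through ImageBase */
    uint32_t Signature;
    uint16_t Machine, NumberOfSections;
    uint32_t TimeDateStamp, PointerToSymbolTable, NumberOfSymbols;
    uint16_t SizeOfOptionalHeader, Characteristics;
    uint16_t Magic;         /* optional header starts at offset 24 */
    uint8_t  MajorLinkerVersion, MinorLinkerVersion;
    uint32_t SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData;
    uint32_t AddressOfEntryPoint;   /* offset 40, an RVA */
    uint32_t BaseOfCode;
    uint64_t ImageBase;             /* offset 48: preferred base only, ASLR relocates */
} nt_headers64_t;

/* Sanity check of the hand-written layout against the real offsets. */
int header_layout_ok(void)
{
    return offsetof(dos_header_t, e_lfanew) == 60
        && offsetof(nt_headers64_t, AddressOfEntryPoint) == 40
        && offsetof(nt_headers64_t, ImageBase) == 48;
}

/* A live base is page aligned (x64 actually uses 64 KiB granularity); 0x...0670 is not. */
int is_page_aligned(uint64_t addr)
{
    return addr != 0 && (addr & (PAGE_SIZE_X64 - 1)) == 0;
}

/* NT headers if `image` starts with a sane PE32+ header, else NULL. */
const nt_headers64_t *find_nt_headers(const uint8_t *image, size_t size)
{
    const dos_header_t *dos = (const dos_header_t *)image;
    const nt_headers64_t *nt;
    if (size < sizeof *dos || dos->e_magic != IMAGE_DOS_SIGNATURE) return NULL;
    if (size < sizeof *nt || dos->e_lfanew > size - sizeof *nt) return NULL;
    if (dos->e_lfanew & 7) return NULL;   /* keep the 64-bit field aligned */
    nt = (const nt_headers64_t *)(image + dos->e_lfanew);
    if (nt->Signature != IMAGE_NT_SIGNATURE || nt->Magic != PE32PLUS_MAGIC) return NULL;
    return nt;
}

/* Base -> entry point: what SECTION_IMAGE_INFORMATION's first field holds. */
uint64_t entry_point_from_base(uint64_t base, const uint8_t *image, size_t size)
{
    const nt_headers64_t *nt = find_nt_headers(image, size);
    return nt ? base + nt->AddressOfEntryPoint : 0;
}

/* Any address inside the module -> base: walk down a page at a time until a page
 * starts with valid headers. [lowest, lowest+span) bounds the walk; in a real
 * process use VirtualQuery's AllocationBase instead of probing pages blindly. */
const uint8_t *image_base_from_address(const uint8_t *addr, const uint8_t *lowest, size_t span)
{
    uintptr_t page = (uintptr_t)addr & ~(uintptr_t)(PAGE_SIZE_X64 - 1);
    uintptr_t low = (uintptr_t)lowest, high = low + span;
    if (page < low || page >= high) return NULL;
    for (;;) {
        const uint8_t *p = (const uint8_t *)page;
        if (find_nt_headers(p, (size_t)(high - page)) != NULL) return p;
        if (page - low < PAGE_SIZE_X64) return NULL;
        page -= PAGE_SIZE_X64;
    }
}

/* Constructed sample: headers on page 0, entry point at RVA 0x2670 (low bits
 * picked to resemble the 0x...0670 address from the thread). */
static uint8_t g_backing[IMAGE_SIZE + PAGE_SIZE_X64];
const uint8_t *build_sample_image(void)
{
    uint8_t *img = (uint8_t *)(((uintptr_t)g_backing + PAGE_SIZE_X64 - 1) & ~(uintptr_t)(PAGE_SIZE_X64 - 1));
    dos_header_t *dos = (dos_header_t *)img;
    nt_headers64_t *nt = (nt_headers64_t *)(img + 0x80);
    memset(img, 0, IMAGE_SIZE);
    dos->e_magic = IMAGE_DOS_SIGNATURE;
    dos->e_lfanew = 0x80;
    nt->Signature = IMAGE_NT_SIGNATURE;
    nt->Machine = 0x8664;                 /* IMAGE_FILE_MACHINE_AMD64 */
    nt->SizeOfOptionalHeader = 240;
    nt->Magic = PE32PLUS_MAGIC;
    nt->AddressOfEntryPoint = 0x2670;
    nt->ImageBase = 0x180000000ULL;
    return img;
}
```

To use it against a real mapped module, pass the module's base (IMAGE_INFO.ImageBase in a load-image callback, or an HMODULE in user mode) and its size in place of the sample buffer; nothing here touches memory outside [lowest, lowest+span), which is what makes the walk-back safe to call.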

Thanks all for answers!

I'm closing my question, because I found a mistake :(

Thanks
Valery


Your algorithm is not the best. There is no need to open the file; the section \KnownDlls\ntdll.dll already exists.

// STATIC_OBJECT_ATTRIBUTES is a local helper, not a WDK macro: a static
// OBJECT_ATTRIBUTES for a literal object path, built from the WDK's
// RTL_CONSTANT_STRING and RTL_CONSTANT_OBJECT_ATTRIBUTES.
#define STATIC_OBJECT_ATTRIBUTES(oa, path) \
    static const UNICODE_STRING oa##_name = RTL_CONSTANT_STRING(L##path); \
    static OBJECT_ATTRIBUTES oa = \
        RTL_CONSTANT_OBJECT_ATTRIBUTES(&oa##_name, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE)

// ZwQuerySection, SECTION_INFORMATION_CLASS and SECTION_IMAGE_INFORMATION may
// not be declared in the WDK headers you build against; supply the
// declarations (e.g. from a native API header set) if they are missing.
NTSTATUS LookforNtdll(void** ppv)
{
    NTSTATUS status;
    // \KnownDlls holds the native (64-bit on x64) ntdll; the WOW64 copy lives under \KnownDlls32
    STATIC_OBJECT_ATTRIBUTES(oa, "\\KnownDlls\\ntdll.dll");
    HANDLE hSection;
    if (0 <= (status = ZwOpenSection(&hSection, SECTION_QUERY, &oa)))
    {
        SECTION_IMAGE_INFORMATION sii;
        if (0 <= (status = ZwQuerySection(hSection, SectionImageInformation, &sii, sizeof(sii), 0)))
        {
            // TransferAddress is the image entry point (base + AddressOfEntryPoint)
            *ppv = sii.TransferAddress;
        }
        ZwClose(hSection);
    }

    return status;
}