The solution is very simple, however it is not 100% stable. As long as the driver is not being “hidden”, you can enumerate the loaded device drivers via ZwQuerySystemInformation with the SystemModuleInformation class.
This will provide you with the base addresses among many other details for the modules of NTOSKRNL (Windows Kernel - device drivers are of course under the Windows Kernel).
You need to iterate through each entry returned and check whether the base address of the currently checked driver is less than the address you are trying to track back to a specific target, and whether the next entry has a base address which is more than the address you are trying to track.
For example:
- Driver X has a routine at address XXXXX
- Driver B has a base address of XXXXX, which is less than the address of the routine belonging to Driver X; however, the address of the routine in Driver X is also less than the base address of Driver C (Driver C being the next entry up from the driver we are currently checking).
- Now we know that the address we are checking resides within the address space of Driver B.
You can do this with minimal effort really, and despite SystemModuleInformation being undocumented, it can work nicely. Just make sure that the routine exists for the environment; I believe Microsoft removed it as an export for Windows 8 (I cannot remember), however it exists on Windows 10.
In regards to ReactOS, Don is 100% correct. It has not been updated for many, many years… And a LOT has changed with the modern Windows Kernel. As well as this, it is “open-source” and I doubt your project is, and copy-pasting blatantly will teach you nothing but how to make an awful project which will face many issues which you won’t be able to resolve.
There is no need to “re-invent the wheel”. There are many anti-rootkit scanners already, and you are wasting your time because rootkits have not been “prevalent” in the wild for an extremely long time. Especially since now everyone is moving to 64-bit if they haven’t already due to the benefits, and 64-bit versions of Windows have had PatchGuard for a long time.
Ransomware is prevalent in the wild; it would likely be in your best interest to focus on behavioural analysis for preventing the encryption payload of ransomware instead of making an anti-rootkit scanner nowadays. At least, if you want to make a project which will be actively used. On that note, you will have access to many documented interfaces for doing such a task, like a File System Mini-Filter device driver with FltRegisterFilter.
Anyway, maybe this will help you. Good luck with your project!
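The lookup described in the reply above, as an added example that is not part of the original post: it assumes the module list has already been obtained (on Windows from ZwQuerySystemInformation with SystemModuleInformation) and stands a constructed list of made-up bases, sizes and paths in for that call, so it runs anywhere. It goes one step beyond the reply by also checking the entry's image size, which the same records carry.

```c
/* Added example, not code from the original post. Finds the loaded module
 * that owns a kernel address with the walk the reply describes: entry N's
 * base <= address < entry N+1's base. On Windows the entries would come from
 * ZwQuerySystemInformation(SystemModuleInformation), whose records carry
 * ImageBase and ImageSize; a constructed list stands in for that call here. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef struct {            /* the fields of the system module record we use */
    uint64_t image_base;
    uint32_t image_size;
    const char *full_path_name;
} module_entry;
static int by_base(const void *a, const void *b) {
    uint64_t x = ((const module_entry *)a)->image_base;
    uint64_t y = ((const module_entry *)b)->image_base;
    return (x > y) - (x < y);
}
/* Returns the index of the module containing addr, or -1. The list is sorted
 * first because enumeration order is not guaranteed, and the neighbour
 * comparison is confirmed against ImageSize so that an address in the gap
 * between two images is not attributed to the lower one. */
int find_owning_module(module_entry *mods, size_t count, uint64_t addr) {
    qsort(mods, count, sizeof *mods, by_base);
    for (size_t i = 0; i < count; i++) {
        uint64_t base = mods[i].image_base;
        uint64_t next = (i + 1 < count) ? mods[i + 1].image_base : UINT64_MAX;
        if (addr >= base && addr < next)
            return addr < base + mods[i].image_size ? (int)i : -1;
    }
    return -1;
}
/* Constructed module list (bases, sizes and names are made up); returns the
 * owning module's path or NULL. Deliberately unsorted to exercise the sort. */
const char *owner_of(uint64_t addr) {
    static module_entry mods[] = {
        { 0xFFFFF80001020000ULL, 0x8000,   "\\SystemRoot\\System32\\drivers\\drvC.sys" },
        { 0xFFFFF80000400000ULL, 0x800000, "\\SystemRoot\\system32\\ntoskrnl.exe" },
        { 0xFFFFF80001000000ULL, 0x10000,  "\\SystemRoot\\System32\\drivers\\drvB.sys" },
    };
    int i = find_owning_module(mods, sizeof mods / sizeof mods[0], addr);
    return i < 0 ? NULL : mods[i].full_path_name;
}
int main(void) {
    uint64_t probe = 0xFFFFF80001004000ULL;   /* a routine inside drvB.sys */
    const char *owner = owner_of(probe);
    printf("%#llx -> %s\n", (unsigned long long)probe, owner ? owner : "(no module)");
    return 0;
}
```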