How to predict ntoskrnl.exe DirBase?

Zenius Member MODERATED Posts: 5
edited December 2018 in NTDEV

Hey there, I'm trying to predict the dirbase for ntoskrnl.exe. I definitely think this is possible because on restart my dirbase doesn't change; it seems like only on different Windows builds there are different dirbases. By the way, I'm trying to predict from user mode, not from the kernel. Anyone have any ideas?

Comments

  • Doron_Holan Member - All Emails Posts: 10,441
    via Email
    What bigger problem are you trying to solve? You can get auxklib to get the list of loaded modules, which includes ntos, and that gives the image base address.

    d

    Bent from my phone
  • Zenius Member MODERATED Posts: 5

    @Doron_Holan said:
    What bigger problem are you trying to solve? You can get auxklib to get the list of loaded modules, which includes ntos, and that gives the image base address.

    Not trying to get the image base address. I want the physical memory address for the directory base, otherwise known as dirbase. Simple as that.

  • Peter_Viscarola_(OSR) Administrator Posts: 7,413

    I want the physical memory address for the directory base, otherwise known as dirbase. Simple as that.

    No, NOT "simple as that".... The natural question for us to ask is "WHY do you want to do this? What larger problem are you attempting to solve?"

    So, please do us the favor of answering those questions... and then we'll answer yours. Deal?

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Zenius Member MODERATED Posts: 5

    @Peter_Viscarola_(OSR) said:

    I want the physical memory address for the directory base, otherwise known as dirbase. Simple as that.

    No, NOT "simple as that".... The natural question for us to ask is "WHY do you want to do this? What larger problem are you attempting to solve?"

    So, please do us the favor of answering those questions... and then we'll answer yours. Deal?

    Peter

I have physical memory access and I'd like to convert physical to virtual addresses and also vice versa. Now can we stop playing games? Does anyone know how to predict the dirbase (given it's static per Windows build) or not?

  • Mark_Roddy Member - All Emails Posts: 4,307
    via Email
    OK, here you go: all you want is to convert a physical address to a virtual address? MmMapIoSpace, or its cousin MmMapIoSpaceEx.

    Game on.

    Mark Roddy
  • Tim_Roberts Member - All Emails Posts: 13,068
    via Email
    Zenius wrote:
    >
    > I have physical memory access and I'd like to convert physical to virtual addresses and also vice versa. Now can we stop playing games? Does anyone know how to predict the dirbase (given it's static per Windows build) or not?

    No, I don't think we're through "playing games" yet. There are damned few legitimate uses for this kind of information, and quite a number of malicious uses. You haven't provided enough information yet to establish that your use case is legitimate. Until that point, I'm certainly not going to offer solutions.

    If that pisses you off, well, too bad. All of the long-time members here are kernel professionals, and we have certain ethical standards. If you're asking for exceptional information, then you need an exceptional reason.

    Tim Roberts
    Providenza & Boekelheide, Inc.

  • Peter_Viscarola_(OSR) Administrator Posts: 7,413

    Now can we stop playing games

    Well, you can very specifically stop playing games. Because, you know, you're now on moderation... where I'll wait for you to answer my question to my satisfaction.

    Aside from that, I'm good, thanks.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Zenius Member MODERATED Posts: 5

    @Tim_Roberts said:
    Zenius wrote:
    >
    > I have physical memory access and I'd like to convert physical to virtual addresses and also vice versa. Now can we stop playing games? Does anyone know how to predict the dirbase (given it's static per Windows build) or not?

    No, I don't think we're through "playing games" yet. There are damned few legitimate uses for this kind of information, and quite a number of malicious uses. You haven't provided enough information yet to establish that your use case is legitimate. Until that point, I'm certainly not going to offer solutions.

    If that pisses you off, well, too bad. All of the long-time members here are kernel professionals, and we have certain ethical standards. If you're asking for exceptional information, then you need an exceptional reason.

    @Peter_Viscarola_(OSR) said:

    Now can we stop playing games

    Well, you can very specifically stop playing games. Because, you know, you're now on moderation... where I'll wait for you to answer my question to my satisfaction.

    Aside from that, I'm good, thanks.

    Peter

    I believe this is the reason you guys were dying to hear; not going to lie, it's extremely frustrating that I have to explain this, and in my opinion it's none of your business. Nevertheless:

    I have found a physical memory read vulnerability in a popular driver; however, I want to make a working proof of concept before sending it in. See, I can read an arbitrary physical memory address, but that alone won't do crazy much. I've looked into the Volatility framework, but I realized instead, while debugging in WinDbg, that my DirBase doesn't change (after restart)! This gave me an idea: if I can predict this value (which doesn't seem that crazy hard), I can then convert between physical and virtual (kernel). I can then use this in combination with won't-fix user-mode kernel leaks (i.e. the NtQuerySystemInformation EPROCESS leak) to make a cool PoC. Just having physical memory read is difficult to work off of, but I believe it's possible.

    Does this satisfy your needs?
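What the thread calls the DirBase is the directory table base (the CR3 value) of the System process, i.e. the physical address of the kernel's PML4. Once you hold that value plus an arbitrary physical read, turning a kernel virtual address into a physical one is a plain x86-64 4-level page-table walk, the same walk Volatility performs over a memory image. The C program below is an added example, not code from any poster in this thread: it runs that walk over a hand-built "physical memory" buffer (the page-table layout, the DirBase value 0x1000 and the sample virtual addresses are all constructed for the demo, and physical address equals buffer offset by assumption), handles 2 MiB and 1 GiB large pages, reports the W/NX bits collected on the way down, and adds the check a practitioner would want before trusting any guessed DirBase: the Windows x64 kernel maps the PML4 into itself, so a genuine PML4 page contains an entry whose frame is the page's own physical address (index 0x1ED on builds before Windows 10 1803, randomized on later builds, which is one reason a per-build constant is a fragile thing to rely on).

```c
/* Added example (not from the thread): x86-64 4-level page-table walk over a
 * constructed "physical memory" buffer, plus a self-map check for a DirBase. */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE   4096ULL
#define PFN_MASK    0x000FFFFFFFFFF000ULL   /* bits 12..51 of an entry: page frame */
#define PTE_PRESENT (1ULL << 0)
#define PTE_WRITE   (1ULL << 1)
#define PTE_PS      (1ULL << 7)             /* large page at PDPT (1 GiB) / PD (2 MiB) */
#define PTE_NX      (1ULL << 63)
#define PHYS_PAGES  8                       /* constructed: 32 KiB of fake RAM */
static uint8_t g_phys[PHYS_PAGES * PAGE_SIZE];  /* assumption: PA == offset into g_phys */

/* The only primitive the walk needs: read 8 bytes at a physical address. On a
 * real target this is the driver's physical-read call; here it is a
 * bounds-checked buffer read that fails for addresses outside fake RAM. */
static bool phys_read64(uint64_t pa, uint64_t *out)
{
    if (pa > sizeof(g_phys) - sizeof(uint64_t))
        return false;
    memcpy(out, g_phys + pa, sizeof(uint64_t));
    return true;
}

/* present: every level was readable and present; writable: W set at every
 * level; nx: NX set at any level; page_shift: 12, 21 or 30 (page size). */
typedef struct { bool present; uint64_t pa; bool writable; bool nx; int page_shift; } xlat_t;

/* Walk PML4 -> PDPT -> PD -> PT: 9 index bits per level, 12 offset bits. */
static xlat_t translate(uint64_t dirbase, uint64_t va)
{
    static const int shifts[4] = {39, 30, 21, 12};
    xlat_t r = {false, 0, true, false, 0};
    uint64_t table = dirbase & PFN_MASK;

    for (int level = 0; level < 4; level++) {
        uint64_t entry, index = (va >> shifts[level]) & 0x1FF;
        if (!phys_read64(table + index * 8, &entry) || !(entry & PTE_PRESENT)) {
            r.writable = false;
            return r;                        /* r.present stays false */
        }
        if (!(entry & PTE_WRITE)) r.writable = false;
        if (entry & PTE_NX)       r.nx = true;
        /* PS at the PDPT or PD level ends the walk with a large page */
        if ((level == 1 || level == 2) && (entry & PTE_PS)) {
            uint64_t page_mask = (1ULL << shifts[level]) - 1;
            r.pa = (entry & PFN_MASK & ~page_mask) | (va & page_mask);
            r.present = true;
            r.page_shift = shifts[level];
            return r;
        }
        table = entry & PFN_MASK;
    }
    r.pa = table | (va & (PAGE_SIZE - 1));
    r.present = true;
    r.page_shift = 12;
    return r;
}

/* Check for a candidate DirBase: the Windows x64 kernel maps the PML4 into
 * itself (index 0x1ED before Windows 10 1803, randomized since), so a real
 * PML4 page holds an entry whose frame is the page itself. Returns that
 * index, or -1 if the page does not look like a PML4. */
static int find_selfref_index(uint64_t dirbase)
{
    uint64_t base = dirbase & PFN_MASK, entry;
    for (int i = 0; i < 512; i++) {
        if (!phys_read64(base + (uint64_t)i * 8, &entry))
            return -1;
        if ((entry & PTE_PRESENT) && (entry & PFN_MASK) == base)
            return i;
    }
    return -1;
}

/* --- constructed demo layout: every value below is made up for the example --- */
#define DEMO_DIRBASE 0x1000ULL              /* PML4 @0x1000, PDPT @0x2000, PD @0x3000, PT @0x4000 */
#define SELFREF_IDX  0x1ED
#define DEMO_VA_4K   0xFFFFF80000001234ULL  /* indices 0x1F0 / 0 / 0 / 1 -> 4 KiB page @0x5000 */
#define DEMO_VA_2M   0xFFFFF80000206123ULL  /* indices 0x1F0 / 0 / 1 (PS) -> 2 MiB page @0x0 */
#define DEMO_VA_BAD  0xFFFFF80000002234ULL  /* PT index 2 is not present */

static void write_entry(uint64_t table_pa, int index, uint64_t v) { memcpy(g_phys + table_pa + index * 8, &v, 8); }

/* Lay out the tables in fake RAM and return the DirBase to walk from. */
static uint64_t build_demo_tables(void)
{
    memset(g_phys, 0, sizeof(g_phys));
    write_entry(0x1000, 0x1F0,       0x2000 | PTE_PRESENT | PTE_WRITE);
    write_entry(0x1000, SELFREF_IDX, 0x1000 | PTE_PRESENT | PTE_WRITE | PTE_NX); /* self-map */
    write_entry(0x2000, 0,           0x3000 | PTE_PRESENT | PTE_WRITE);
    write_entry(0x3000, 0,           0x4000 | PTE_PRESENT | PTE_WRITE);
    write_entry(0x3000, 1,           0x0    | PTE_PRESENT | PTE_WRITE | PTE_PS);  /* 2 MiB page */
    write_entry(0x4000, 1,           0x5000 | PTE_PRESENT | PTE_NX);              /* RO, NX */
    return DEMO_DIRBASE;
}

int main(void)
{
    uint64_t dirbase = build_demo_tables();
    const uint64_t vas[3] = {DEMO_VA_4K, DEMO_VA_2M, DEMO_VA_BAD};
    printf("self-map index of DirBase %#" PRIx64 ": %#x\n", dirbase, find_selfref_index(dirbase));
    for (int i = 0; i < 3; i++) {
        xlat_t r = translate(dirbase, vas[i]);
        if (r.present)
            printf("%#" PRIx64 " -> %#" PRIx64 " (%d-bit page, W=%d NX=%d)\n",
                   vas[i], r.pa, r.page_shift, (int)r.writable, (int)r.nx);
        else
            printf("%#" PRIx64 " -> not present\n", vas[i]);
    }
    return 0;
}
```

The reverse direction the poster also wants (physical to virtual) has no shortcut in the page tables: it means enumerating every present entry, descending into each table and recording which virtual ranges map onto the frame of interest, which the same walker does if you iterate the 512 indices at each level instead of deriving them from a given virtual address. Either direction fails cleanly when the candidate DirBase is wrong, so running the self-map check first saves a lot of confusing walks through random data.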
