strange issue with getting driver base address

Hello, I am trying to get a kernel image base address by walking through PsLoadedModuleList. I have a strange access violation bugcheck in RtlDowncaseUnicodeString + 0x4D. Strangely, my code works perfectly on someone else’s machine.

```c
#include <ntddk.h>

// PsLoadedModuleList and LDR_DATA_TABLE_ENTRY are undocumented. The kernel
// exports the list head, but no WDK header declares it, and the entry layout
// below (DllBase at +0x30, BaseDllName at +0x58 on x64) only holds under the
// default structure packing; a <pshpack1.h> in scope shifts every field.
extern LIST_ENTRY PsLoadedModuleList;

typedef struct _LDR_DATA_TABLE_ENTRY
{
    LIST_ENTRY     InLoadOrderLinks;
    PVOID          ExceptionTable;
    ULONG          ExceptionTableSize;
    PVOID          GpValue;
    PVOID          NonPagedDebugInfo;
    PVOID          DllBase;
    PVOID          EntryPoint;
    ULONG          SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG          Flags;
    USHORT         LoadCount;
    // remaining fields omitted; not used here
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;

// Must run at PASSIVE_LEVEL: RtlDowncaseUnicodeString touches the paged NLS
// tables and allocates from paged pool. Nothing here takes the lock the kernel
// uses for this list (PsLoadedModuleResource, which is not exported), so a
// concurrent driver load or unload can still race the walk.
// DriverName is expected in lowercase, since each entry name is downcased
// before the case-sensitive compare below.
PVOID GetDriverBaseAddress(OUT PULONG pSize, PCUNICODE_STRING DriverName)
{
    PAGED_CODE();

    DbgPrint("requested module name %wZ\n", DriverName);   // %wZ takes a pointer

    // Start at the first entry and stop when the walk returns to the head;
    // the head itself is a bare LIST_ENTRY, not an LDR_DATA_TABLE_ENTRY.
    for (PLIST_ENTRY link = PsLoadedModuleList.Flink;
         link != &PsLoadedModuleList;
         link = link->Flink)
    {
        PLDR_DATA_TABLE_ENTRY entry =
            CONTAINING_RECORD(link, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
        UNICODE_STRING DrvName;

        // AllocateDestinationString = TRUE: DrvName.Buffer comes from paged
        // pool and has to be freed on every path, including the found case.
        NTSTATUS status = RtlDowncaseUnicodeString(&DrvName, &entry->BaseDllName, TRUE);
        if (!NT_SUCCESS(status))
        {
            DbgPrint("RtlDowncaseUnicodeString failed: 0x%08X\n", status);
            return NULL;
        }

        DbgPrint("module name %wZ\n", &entry->BaseDllName);

        BOOLEAN match = (RtlCompareUnicodeString(DriverName, &DrvName, FALSE) == 0);
        RtlFreeUnicodeString(&DrvName);

        if (match)
        {
            DbgPrint("module found, size %u  base address %p\n",
                     entry->SizeOfImage, entry->DllBase);

            if (pSize)
            {
                *pSize = entry->SizeOfImage;
            }

            return entry->DllBase;
        }
    }

    return NULL;
}
```

I am trying to get a kernel image base address by walking through PsLoadedModuleList.

Why?

Peter

@“Peter_Viscarola_(OSR)” said:

I am trying to get a kernel image base address by walking through PsLoadedModuleList.

Why?

Peter

I’m working on a hypervisor for dynamically analyzing driver images, so I need to find image base address for stealth hooking.

Is it possible this is running at a raised IRQL? It’s well known that the Unicode translation tables all live in paged memory and require PASSIVE_LEVEL. If you have driver verifier running, it aggressively pages out paged memory to force these kinds of errors.

I’m working on a hypervisor for dynamically analyzing driver images, so I need to find image base address for stealth hooking

Something tells me that you are not going to last long in this NG with the projects like that. After all, it sounds like just a classical description of Blue Pill-style rootkit…

Anton Bassov

You don’t check the return status of RtlDowncaseUnicodeString, you most likely don’t run at < DISPATCH_LEVEL, you don’t disable the APCs and lock the ERESOURCE object (PsLoadedModuleResource) used to synchronize access to the PsLoadedModuleList, etc…

If you’re going to mess with undocumented lists and functions, you should at least understand how it works… instead of pasting everything together from some rootkit code you’ve found on github.

Something tells me that you are not going to last long in this NG

Something tells me Mr. Bassov has seen the future.

Just sayin,

Peter

So I decided to check IRQL as suggested by some people in this thread, and IRQL is PASSIVE_LEVEL

@anton_bassov said:

I’m working on a hypervisor for dynamically analyzing driver images, so I need to find image base address for stealth hooking

Something tells me that you are not going to last long in this NG with the projects like that. After all, it sounds like just a classical description of Blue Pill-style rootkit…

Anton Bassov

Virtualization-based Security in Windows is based on the ideas devised by Blue Pill.
Not everything that is based on rootkits in general or Blue Pill in particular is necessarily bad.

Problem is the use of undocumented structures.
Using HW virtualization to intercept certain events is totally ok if you are able to implement it correctly.

@Qwert664 said:
So I decided to check IRQL as suggested by some people in this thread, and IRQL is PASSIVE_LEVEL

If you do that in vmexit callback IRQL doesn’t matter - interrupts are disabled completely

@Sergey_Pisarev said:

@Qwert664 said:
So I decided to check IRQL as suggested by some people in this thread, and IRQL is PASSIVE_LEVEL

If you do that in vmexit callback IRQL doesn’t matter - interrupts are disabled completely

I’m not doing this in the vmexit handler; in fact I’m actually testing this piece of code completely separately from the main project. My suspicion was that the offsets for the structs had changed, however I checked in WinDbg and this was not the case.

EDIT: The problem was caused by #include <pshpack1.h>, which messed up some struct alignment. I removed this header include and everything works perfectly now. Thanks for all the replies.
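The two technical points of this thread, the walk over PsLoadedModuleList in the opening post and the <pshpack1.h> alignment problem found in the EDIT above, can be checked without a kernel. The following is an added example, not code from the thread or from any poster: a user-mode model that declares the relevant types with an assumed layout matching nt!_KLDR_DATA_TABLE_ENTRY on x64 (LIST_ENTRY, UNICODE_STRING, CONTAINING_RECORD and the entry structure are all re-declared here, not taken from the WDK), builds a constructed three-module list, walks it from head->Flink until the walk returns to the head, and reports the field offsets of the same structure with and without pack(1). The case-insensitive comparison is a deliberate ASCII-only stand-in for the NLS tables that RtlCompareUnicodeString and RtlDowncaseUnicodeString use.

```c
/* Added example: user-mode model of a PsLoadedModuleList walk and of the
 * effect of pack(1) on the entry layout. Types below are assumptions that
 * mimic the Windows x64 layout; they are not the WDK declarations. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t WCHAR16;                       /* UTF-16 code unit, as WCHAR */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct _UNICODE_STRING {
    uint16_t Length;                            /* in bytes, not characters */
    uint16_t MaximumLength;
    WCHAR16 *Buffer;
} UNICODE_STRING;

/* Field list shared by the natural and the packed declaration below. */
#define LDR_FIELDS                     \
    LIST_ENTRY     InLoadOrderLinks;   \
    void          *ExceptionTable;     \
    uint32_t       ExceptionTableSize; \
    void          *GpValue;            \
    void          *NonPagedDebugInfo;  \
    void          *DllBase;            \
    void          *EntryPoint;         \
    uint32_t       SizeOfImage;        \
    UNICODE_STRING FullDllName;        \
    UNICODE_STRING BaseDllName;        \
    uint32_t       Flags;              \
    uint16_t       LoadCount;

/* Default packing: DllBase at 0x30 and BaseDllName at 0x58 on x64. */
typedef struct _LDR_DATA_TABLE_ENTRY { LDR_FIELDS } LDR_DATA_TABLE_ENTRY;

/* Same fields under pack(1): what a stray <pshpack1.h> in scope produces. */
#pragma pack(push, 1)
typedef struct _LDR_DATA_TABLE_ENTRY_PACKED { LDR_FIELDS } LDR_DATA_TABLE_ENTRY_PACKED;
#pragma pack(pop)

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* Offsets to compare against `dt nt!_KLDR_DATA_TABLE_ENTRY` in WinDbg. */
size_t natural_dllbase_offset(void)     { return offsetof(LDR_DATA_TABLE_ENTRY, DllBase); }
size_t natural_basedllname_offset(void) { return offsetof(LDR_DATA_TABLE_ENTRY, BaseDllName); }
size_t packed_dllbase_offset(void)      { return offsetof(LDR_DATA_TABLE_ENTRY_PACKED, DllBase); }
size_t packed_basedllname_offset(void)  { return offsetof(LDR_DATA_TABLE_ENTRY_PACKED, BaseDllName); }

/* ASCII-only case fold: stand-in for the paged NLS tables the kernel uses. */
static WCHAR16 fold(WCHAR16 c) { return (c >= 'A' && c <= 'Z') ? (WCHAR16)(c + 32) : c; }

static int names_equal_nocase(const UNICODE_STRING *a, const UNICODE_STRING *b)
{
    if (a->Length != b->Length) return 0;
    for (size_t i = 0; i < a->Length / sizeof(WCHAR16); i++)
        if (fold(a->Buffer[i]) != fold(b->Buffer[i])) return 0;
    return 1;
}

/* Walk from head->Flink and stop at the head: the head is a bare LIST_ENTRY
 * and must never be passed through CONTAINING_RECORD. */
void *find_module(LIST_ENTRY *head, const UNICODE_STRING *name, uint32_t *size)
{
    for (LIST_ENTRY *link = head->Flink; link != head; link = link->Flink) {
        LDR_DATA_TABLE_ENTRY *e = CONTAINING_RECORD(link, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
        if (names_equal_nocase(name, &e->BaseDllName)) {
            if (size) *size = e->SizeOfImage;
            return e->DllBase;
        }
    }
    return NULL;
}

/* Constructed sample list: three fake modules, InsertTailList order. */
static WCHAR16 n0[] = {'n','t','o','s','k','r','n','l','.','e','x','e'};
static WCHAR16 n1[] = {'h','a','l','.','d','l','l'};
static WCHAR16 n2[] = {'m','y','d','r','v','.','s','y','s'};
static LDR_DATA_TABLE_ENTRY mods[3];
static LIST_ENTRY head;

LIST_ENTRY *build_sample_list(void)
{
    WCHAR16 *names[3] = { n0, n1, n2 };
    uint16_t lens[3]  = { sizeof n0, sizeof n1, sizeof n2 };
    head.Flink = head.Blink = &head;
    for (int i = 0; i < 3; i++) {
        memset(&mods[i], 0, sizeof mods[i]);
        mods[i].DllBase     = (void *)(uintptr_t)(0x80000000u + 0x100000u * (unsigned)(i + 1));
        mods[i].SizeOfImage = 0x1000u * (uint32_t)(i + 1);
        mods[i].BaseDllName.Buffer = names[i];
        mods[i].BaseDllName.Length = mods[i].BaseDllName.MaximumLength = lens[i];
        mods[i].InLoadOrderLinks.Flink = &head;
        mods[i].InLoadOrderLinks.Blink = head.Blink;
        head.Blink->Flink = &mods[i].InLoadOrderLinks;
        head.Blink = &mods[i].InLoadOrderLinks;
    }
    return &head;
}

/* Convenience for ASCII names: builds the UNICODE_STRING and looks it up. */
void *lookup_sample(const char *ascii, uint32_t *size)
{
    WCHAR16 buf[64];
    size_t n = strlen(ascii);
    if (n > 64) return NULL;
    for (size_t i = 0; i < n; i++) buf[i] = (WCHAR16)(unsigned char)ascii[i];
    UNICODE_STRING name = { (uint16_t)(n * sizeof(WCHAR16)), (uint16_t)(n * sizeof(WCHAR16)), buf };
    return find_module(build_sample_list(), &name, size);
}

uint32_t lookup_sample_size(const char *ascii)
{
    uint32_t size = 0;
    return lookup_sample(ascii, &size) ? size : 0;
}

int main(void)
{
    printf("HAL.DLL base=%p size=0x%x\n", lookup_sample("HAL.DLL", NULL), lookup_sample_size("HAL.DLL"));
    printf("DllBase offset: natural %zu, packed %zu\n", natural_dllbase_offset(), packed_dllbase_offset());
    printf("BaseDllName offset: natural %zu, packed %zu\n", natural_basedllname_offset(), packed_basedllname_offset());
    return 0;
}
```

Under pack(1) every pointer after ExceptionTableSize moves four bytes earlier, so a CONTAINING_RECORD computed with the packed declaration reads BaseDllName from the middle of FullDllName; that is the kind of bogus UNICODE_STRING that makes RtlDowncaseUnicodeString fault only on some machines, depending on what happens to sit there. The lookup is case-insensitive, which makes the downcase-then-compare step in the original unnecessary. In a real driver, the documented route Daniel names, AuxKlibQueryModuleInformation, avoids both the undocumented layout and the unsynchronized list walk.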

Problem is the use of undocumented structures.

Actually, I am more “impressed” by “stealth hooking” part. The use of undocumented structures in itself is not necessarily a sign of malicious intentions (although it is most definitely not a sign of good engineering habits either, especially if some “supported” alternatives are available). However, the willingness to become transparent to the OS is “rather suspicious”…

Anton Bassov

Hello, I am trying to get a kernel image base address by walking through PsLoadedModuleList

Why don’t you use AuxKlibQueryModuleInformation, which is documented for this purpose?
//Daniel

Why don’t you use AuxKlibQueryModuleInformation, which is documented for this purpose?

The most likely scenario is that, in his pursuit of “stealth hooking”, the OP simply wants to unlink his module from PsLoadedModuleList, i.e. to do the trick that had been described by Mr. Hoglund and Mr. Butler in “Subverting the Windows Kernel” more than 15 years ago.

Anton Bassov