get base address of a loaded dll

Hi All,

What’s the best way to get the base address of a user-mode DLL like kernel32.dll loaded in a process from kernel mode, other than going through the PEB table?

Thanks

Ashish


Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

NtQuerySystemInformation( SystemModuleInformation …) is what you want.

AFei


AFei,
NtQuerySystemInformation only returns the base addresses of system DLLs like ntdll.dll; what I need is the base address of a user DLL like kernel32.dll.
Thanks
Ashish



Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@yahoo.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

---------------------------------
Do you Yahoo!?
vote.yahoo.com - Register online to vote today!

Hi Ashish,
For user DLLs, as far as I know, SoftIce hooked NtMapViewOfSection(…) to monitor DLL loading; to do it, you need to deal with lots of undocumented stuff.
Since user DLLs are process-context related, why not just get the base address from user mode? It’s much easier. In the kernel it doesn’t make sense if you are not in the process context.

AFei



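As an added example (not code from the thread), here is what "going through the PEB table" amounts to, whether done from user mode as AFei suggests or from a driver while attached to the target process. The structures below are reduced stand-ins for the undocumented PEB_LDR_DATA and LDR_DATA_TABLE_ENTRY layouts, with only the fields the walk reads; the real field order and offsets differ between Windows versions and between x86 and x64, and a WoW64 process carries a second, 32-bit PEB, so production code takes the offsets from the matching ntdll symbols. The three-module list is a constructed fixture so the walk can run on any host.

```c
/*
 * Added example, not from the original thread: host-side model of the
 * user-mode loader list walk behind "going through the PEB table".
 * PEB_LDR_DATA / LDR_DATA_TABLE_ENTRY below are reduced, assumed layouts,
 * not the real (undocumented, version-dependent) Windows definitions.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

typedef struct _UNICODE_STRING {
    uint16_t Length;          /* bytes, not characters; buffer is not NUL-terminated */
    uint16_t MaximumLength;
    wchar_t *Buffer;
} UNICODE_STRING;

typedef struct _PEB_LDR_DATA {          /* modelled subset: only the list head we walk */
    LIST_ENTRY InLoadOrderModuleList;
} PEB_LDR_DATA;

typedef struct _LDR_DATA_TABLE_ENTRY {  /* modelled subset of the loader entry */
    LIST_ENTRY     InLoadOrderLinks;    /* linked into PEB_LDR_DATA above */
    void          *DllBase;
    void          *EntryPoint;
    uint32_t       SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
} LDR_DATA_TABLE_ENTRY;

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* Case-insensitive compare of a counted UNICODE_STRING with a C wide string. */
static int NameEquals(const UNICODE_STRING *s, const wchar_t *name)
{
    size_t n = s->Length / sizeof(wchar_t);
    if (n != wcslen(name)) return 0;
    for (size_t i = 0; i < n; i++)
        if (towlower(s->Buffer[i]) != towlower(name[i])) return 0;
    return 1;
}

/*
 * Walk InLoadOrderModuleList and return the DllBase of the entry whose
 * BaseDllName matches, or NULL.  In a driver this only works while attached
 * to the target process (the list is user-mode memory), must sit inside
 * __try/__except with ProbeForRead on every entry, and must stop on list
 * wrap-around or an absurd entry count: a hostile process can hand the
 * kernel any list it likes, so the bound below is a deliberate cap.
 */
void *FindModuleBase(const PEB_LDR_DATA *ldr, const wchar_t *baseName)
{
    const LIST_ENTRY *head = &ldr->InLoadOrderModuleList;
    unsigned guard = 0;
    for (const LIST_ENTRY *e = head->Flink; e != head && guard < 4096; e = e->Flink, guard++) {
        const LDR_DATA_TABLE_ENTRY *m = CONTAINING_RECORD(e, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
        if (m->DllBase && NameEquals(&m->BaseDllName, baseName))
            return m->DllBase;
    }
    return NULL;
}

/* --- constructed fixture: a three-module load-order list (not real data) --- */
#define US(lit) { sizeof(lit) - sizeof(wchar_t), sizeof(lit), (wchar_t *)(lit) }

static LDR_DATA_TABLE_ENTRY g_mods[3] = {
    { {0,0}, (void *)0x00400000, NULL, 0x1000, US(L"C:\\app\\demo.exe"),                   US(L"demo.exe") },
    { {0,0}, (void *)0x77D00000, NULL, 0x1000, US(L"C:\\Windows\\System32\\ntdll.dll"),    US(L"ntdll.dll") },
    { {0,0}, (void *)0x76B00000, NULL, 0x1000, US(L"C:\\Windows\\System32\\KERNEL32.DLL"), US(L"KERNEL32.DLL") },
};
static PEB_LDR_DATA g_ldr;

/* Link the fixture entries into a circular list hanging off g_ldr and return it. */
PEB_LDR_DATA *BuildFixture(void)
{
    LIST_ENTRY *head = &g_ldr.InLoadOrderModuleList;
    head->Flink = head->Blink = head;
    for (int i = 0; i < 3; i++) {
        LIST_ENTRY *e = &g_mods[i].InLoadOrderLinks;
        e->Flink = head;
        e->Blink = head->Blink;
        head->Blink->Flink = e;
        head->Blink = e;
    }
    return &g_ldr;
}

int main(void)
{
    void *base = FindModuleBase(BuildFixture(), L"kernel32.dll");
    printf("kernel32.dll base: %p\n", base);
    return base ? 0 : 1;
}
```

The comparison is case-insensitive on purpose: the loader stores BaseDllName as the name the image was requested by, which for kernel32 is commonly upper-case, so an exact wcscmp against L"kernel32.dll" misses it.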

AFei,
Thanks for the reply. I am in the context of a process and basically want to get the base addresses of user-mode DLLs in that process. Specifically, I am interested in getting the base address of kernel32.dll.
Thanks
Ashish


Hi Ashish,

So did you try the following API?
NTSTATUS PsSetLoadImageNotifyRoutine( IN PLOAD_IMAGE_NOTIFY_ROUTINE
NotifyRoutine );
The idea is that since you cannot get a “snapshot” of kernel32.dll, why
not just register a notification routine to get it, similar to the hooking of
MapViewOfSection.

By the way, this does not look related to FSDs; NTDEV would be the better
place to post.

Rgds,

AFei
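As an added example (not code from the thread or from any driver the posters describe), here is a host-side model of the callback body one would register with PsSetLoadImageNotifyRoutine, which AFei's last reply points to. The real routine has the signature VOID (PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO ImageInfo), is registered once from DriverEntry and removed with PsRemoveLoadImageNotifyRoutine on unload, and runs in the context of the process that is mapping the image, so ImageInfo->ImageBase is that process's mapping. IMAGE_INFO and HANDLE are stand-ins holding only what the logic reads, and the notification sequence at the end is constructed, so the block compiles without the WDK.

```c
/*
 * Added example, not from the original thread: model of a load-image
 * notify callback that records where kernel32.dll lands in each process.
 * IMAGE_INFO_MODEL and HANDLE_MODEL are assumed stand-ins for the WDK types.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>

typedef struct _UNICODE_STRING {
    uint16_t Length;          /* bytes; buffer is not NUL-terminated */
    uint16_t MaximumLength;
    wchar_t *Buffer;
} UNICODE_STRING;

typedef struct _IMAGE_INFO_MODEL {    /* subset of IMAGE_INFO the callback reads */
    uint32_t SystemModeImage;         /* non-zero for drivers, zero for user-mode images */
    void    *ImageBase;               /* base in the loading process's address space */
} IMAGE_INFO_MODEL;

typedef uintptr_t HANDLE_MODEL;       /* stands in for the process id HANDLE */

/* Per-process table of kernel32.dll bases.  A real driver would also drop
 * entries from a PsSetCreateProcessNotifyRoutine exit callback and guard the
 * table with a lock; both are omitted from this host model. */
#define MAX_TRACKED 64
static struct { HANDLE_MODEL Pid; void *Base; } g_k32[MAX_TRACKED];
static size_t g_k32Count;

void ResetTracking(void) { g_k32Count = 0; }

/* True when the counted name ends in "\kernel32.dll", case-insensitively.
 * Matching only the trailing component is deliberate: FullImageName may be
 * a \SystemRoot\... path, a \Device\HarddiskVolumeN\... path, or something
 * else entirely, and it is never guaranteed to be NUL-terminated. */
static int IsKernel32(const UNICODE_STRING *name)
{
    static const wchar_t suffix[] = L"\\kernel32.dll";
    size_t n = name->Length / sizeof(wchar_t), s = wcslen(suffix);
    if (n < s) return 0;
    for (size_t i = 0; i < s; i++)
        if (towlower(name->Buffer[n - s + i]) != towlower(suffix[i])) return 0;
    return 1;
}

/* Modelled callback body.  FullImageName may be NULL. */
void LoadImageNotify(const UNICODE_STRING *FullImageName, HANDLE_MODEL ProcessId,
                     const IMAGE_INFO_MODEL *ImageInfo)
{
    if (ImageInfo->SystemModeImage) return;                 /* driver loads fire this too */
    if (!FullImageName || !IsKernel32(FullImageName)) return;
    for (size_t i = 0; i < g_k32Count; i++)                 /* update an existing record */
        if (g_k32[i].Pid == ProcessId) { g_k32[i].Base = ImageInfo->ImageBase; return; }
    if (g_k32Count < MAX_TRACKED) {                         /* else append */
        g_k32[g_k32Count].Pid  = ProcessId;
        g_k32[g_k32Count].Base = ImageInfo->ImageBase;
        g_k32Count++;
    }
}

/* Lookup used by the rest of the driver; NULL if kernel32 was not seen for pid. */
void *Kernel32BaseFor(HANDLE_MODEL pid)
{
    for (size_t i = 0; i < g_k32Count; i++)
        if (g_k32[i].Pid == pid) return g_k32[i].Base;
    return NULL;
}

/* Constructed notification sequence (not captured from a real system);
 * returns the number of processes tracked afterwards. */
#define US(lit) { sizeof(lit) - sizeof(wchar_t), sizeof(lit), (wchar_t *)(lit) }
int RunSample(void)
{
    UNICODE_STRING ntdll = US(L"\\SystemRoot\\System32\\ntdll.dll");
    UNICODE_STRING k32a  = US(L"\\SystemRoot\\System32\\KERNEL32.DLL");
    UNICODE_STRING drv   = US(L"\\SystemRoot\\System32\\drivers\\afd.sys");
    UNICODE_STRING k32b  = US(L"\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\kernel32.dll");
    IMAGE_INFO_MODEL userA = { 0, (void *)0x76B00000 };
    IMAGE_INFO_MODEL drvI  = { 1, (void *)0x80400000 };
    IMAGE_INFO_MODEL userB = { 0, (void *)0x75C00000 };

    ResetTracking();
    LoadImageNotify(&ntdll, 1234, &userA);   /* not kernel32: ignored */
    LoadImageNotify(&k32a,  1234, &userA);   /* recorded for pid 1234 */
    LoadImageNotify(&drv,   1234, &drvI);    /* SystemModeImage: ignored */
    LoadImageNotify(NULL,   1234, &userA);   /* NULL name: ignored */
    LoadImageNotify(&k32b,  5678, &userB);   /* recorded for pid 5678 */
    return (int)g_k32Count;
}

int main(void)
{
    int n = RunSample();
    printf("tracked %d process(es); pid 1234 kernel32 at %p\n", n, Kernel32BaseFor(1234));
    return 0;
}
```

The callback approach only sees loads that happen after the driver registers, which is why the thread frames it as the substitute for a "snapshot": processes already running when the driver starts will never be reported, and the PEB walk remains the only way to cover those.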