Get windows's boot image path from a driver

MIsha_Paranski · June 29, 2017, 4:02am

Hi, is there a possible way of getting the windows image path in runtime from a driver?

I tried to ‘procmon’ the utility ‘bcdedit’, but it seems that it reads its values from some random garbage keys in the registry under ‘BCD00000’.

I would like to be able to get for instance the path: “C:\Windows\ntoskrnl.exe”, or,
if someone changed my image and renamed it to something else:
“D:\this_is_the_new_boot_location\foo.exe”

I need this to calculate MD5 on the image in runtime, from my driver.

Thanks.

Mikae · June 29, 2017, 7:25am

I am not quite sure that I’ve got the question but it looks that you need \SystemRoot symbolic link.

MIsha_Paranski · June 29, 2017, 7:36am

I’ll be more precise:
using AuxKlibQueryModuleInformation() and taking the first module in the array is a possible solution. The problem is i don’t want to rely on the kernel’s location in AuxKlibQueryModuleInformation() array.