GetProcAddress analog

I want my driver to be binary compatible with NT/W2K/XP. I need to implement
UM GetProcAddress analog. It’s gonna be much easier though, for I need only
functions from ntoskrnl.exe.

Is it true that ntoskrnl.exe is always loaded on the same address? If true
what is it? Will I have problems accessing memory occupied by ntoskrnl.exe?
Does anyone know if there are some sources publicly available? Or can
someone give me some pointers on the subject?

Thanks in advance.

Win2k and above:

NTKERNELAPI
PVOID
MmGetSystemRoutineAddress (
IN PUNICODE_STRING SystemRoutineName
);

No equivalent on NT 4 that I know of.

-----Original Message-----
From: Alexey Logachyov [mailto:xxxxx@vba.com.by]
Sent: Tuesday, June 25, 2002 5:53 AM
To: NT Developers Interest List
Subject: [ntdev] GetProcAddress analog


You are currently subscribed to ntdev as: xxxxx@nsisoftware.com
To unsubscribe send a blank email to %%email.unsub%%

>> Is it true that ntoskrnl.exe is always loaded on the same address?

No, it is not. For example, there can be Win2k+ systems where the user space
is 3Gb instead of 2.

> give me some points on the subject?

You can use ZwQuerySystemInformation with system information set to
SystemModuleInformation to get the base address of ntoskrnl.

From here, all is trivial. Parse the PE header manually to locate the export
directory, then parse the exports to find by name the routine which you
want, and fetch its address. You'll need a PE image reference; use the MS
official one, it's on the Web. You should not have any problems accessing the
memory, providing you are correctly interpreting the PE structure tables.
Anyway, you can always encapsulate your routine in __try/__except to
catch exceptions.


As I said, it must be NT compatible. So, MmGetSystemRoutineAddress won't work.

Thanks anyway.

----- Original Message -----
From: “Gilson, Mike”
To: “NT Developers Interest List”
Sent: Tuesday, June 25, 2002 1:59 PM
Subject: [ntdev] RE: GetProcAddress analog


There are really no difficulties in finding a proc address knowing the module base
address. There was only the problem of how to find the ntoskrnl base address. Now I
know. Thanks.

----- Original Message -----
From: “Dan Partelly”
To: “NT Developers Interest List”
Sent: Tuesday, June 25, 2002 2:59 PM
Subject: [ntdev] Re: GetProcAddress analog


There is actually a much simpler function in the DDK for finding kernel and
HAL routine addresses. It's called MmGetSystemRoutineAddress. The API has been
there since WIN2K:

NTKERNELAPI
PVOID
MmGetSystemRoutineAddress(
IN PUNICODE_STRING SystemRoutineName
);


Nar Ganapathy
Windows Core OS group
This posting is provided “AS IS” with no warranties, and confers no rights.
“Alexey Logachyov” wrote in message news:xxxxx@ntdev…

MmGetSystemRoutineAddress for w2k and later.
Write your own PE parser for NT4. The base can be extracted by
ZwQuerySystemInformation.

Max


The original poster requested NT 4.0 compatibility. MmGetSystemRoutineAddress is NOT exported by NT 4.0 kernels,
so it's not usable in the context the poster asked for.

Regards, Dan

“Nar Ganapathy [MS]” wrote in message news:LYRIS-7403-59220-2002.06.25-13.45.29–dan_partelly#xxxxx@lists.osr.com…

Yes. I realized it soon after I posted the reply.


Nar Ganapathy
Windows Core OS group
This posting is provided “AS IS” with no warranties, and confers no rights.
“Dan Partelly” wrote in message news:xxxxx@ntdev…

Where is ZwQuerySystemInformation/SystemModuleInformation defined? I can't
find it in the W2K IFS Kit nor the WinXP DDK.

> You can use ZwQuerySystemInformation with system information set to
> SystemModuleInformation to get the base address of ntoskrnl.

This system call is not officially documented by MS (as are many other native
API calls). Here is all the info required to make the call:

//
// System Information Classes.
//

typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation,
SystemProcessorInformation,
SystemPerformanceInformation,
SystemTimeOfDayInformation,
SystemPathInformation,
SystemProcessInformation,
SystemCallCountInformation,
SystemDeviceInformation,
SystemProcessorPerformanceInformation,
SystemFlagsInformation,
SystemCallTimeInformation,
SystemModuleInformation,
SystemLocksInformation,
SystemStackTraceInformation,
SystemPagedPoolInformation,
SystemNonPagedPoolInformation,
SystemHandleInformation,
SystemObjectInformation,
SystemPageFileInformation,
SystemVdmInstemulInformation,
SystemVdmBopInformation,
SystemFileCacheInformation,
SystemPoolTagInformation,
SystemInterruptInformation,
SystemDpcBehaviorInformation,
SystemFullMemoryInformation,
SystemLoadGdiDriverInformation,
SystemUnloadGdiDriverInformation,
SystemTimeAdjustmentInformation,
SystemSummaryMemoryInformation,
SystemUnused1,
SystemPerformanceTraceInformation,
SystemCrashDumpInformation,
SystemExceptionInformation,
SystemCrashDumpStateInformation,
SystemKernelDebuggerInformation,
SystemContextSwitchInformation,
SystemRegistryQuotaInformation,
SystemExtendServiceTableInformation,
SystemPrioritySeperation,
SystemUnused3,
SystemUnused4,
SystemUnused5,
SystemUnused6,
SystemCurrentTimeZoneInformation,
SystemLookasideInformation,
SystemTimeSlipNotification,
SystemSessionCreate,
SystemSessionDetach,
SystemSessionInformation

} SYSTEM_INFORMATION_CLASS;

typedef struct _SYSTEM_MODULE_INFORMATION { // Information Class 11
ULONG Reserved [2];
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;
CHAR ImageName [256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation (
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL
);

BR,
Vadim
http://www.ntndis.com

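The two steps the replies describe (Dan's: get the kernel base from ZwQuerySystemInformation with SystemModuleInformation, then walk the PE export table by name; Vadim's: the declarations needed for the call), written out as an added worked example in plain C. This is not code from the thread or from any DDK. So that it builds and runs outside a driver, it works over two constructed inputs: a module list in the layout the call returns (a ULONG count followed by SYSTEM_MODULE_INFORMATION entries, with the posted struct reproduced in stdint types; that count-then-entries layout is not stated in the thread and is assumed here) and a minimal synthetic PE image whose export directory carries two names. The file paths, bases and RVAs in the samples are made up. In a driver the only differences are that the buffer comes from ZwQuerySystemInformation (called once with a small buffer to learn ReturnLength, then again with a buffer of that size) and that the image bytes are read at the Base the list reports; the parsing is the same. Instead of relying on __try/__except to survive a misread table, every access is bounds-checked, and an entry whose RVA lands inside the export directory is reported as not found, because that slot holds a forwarder string rather than code.

```c
/* Added example, not code from the thread, over in-memory buffers so it builds anywhere:
 * (1) find a module's base in a SystemModuleInformation buffer (a ULONG count, then
 * SYSTEM_MODULE_INFORMATION entries, the shape ZwQuerySystemInformation fills in);
 * (2) resolve a name through the PE export directory of a mapped image, the GetProcAddress
 * analog. Both inputs are constructed; every read is bounds-checked, so bad headers yield 0. */
#include <stdint.h>
#include <string.h>
#include <ctype.h>
typedef struct _SYSTEM_MODULE_INFORMATION {      /* per-module entry, as posted in the thread */
    uint32_t Reserved[2]; void *Base; uint32_t Size, Flags;
    uint16_t Index, Unknown, LoadCount, ModuleNameOffset; /* last: file name offset within ImageName */
    char ImageName[256];
} SYSTEM_MODULE_INFORMATION;
typedef struct { uint32_t Count; SYSTEM_MODULE_INFORMATION Modules[]; } MODULE_LIST;

/* Case-insensitive equality; left side bounded by a_max bytes (ImageName may lack a NUL). */
static int name_eq_ci(const char *a, size_t a_max, const char *b) {
    size_t i = 0;
    for (; i < a_max && a[i] && b[i]; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return i < a_max && a[i] == '\0' && b[i] == '\0';
}
/* Step 1: walk the module list and return the Base of the entry named file_name, or NULL. */
void *find_module_base(const void *buf, size_t buf_len, const char *file_name) {
    const MODULE_LIST *list = (const MODULE_LIST *)buf;
    if (buf_len < sizeof(*list)) return NULL;
    if ((buf_len - sizeof(*list)) / sizeof(list->Modules[0]) < list->Count) return NULL; /* truncated */
    for (uint32_t i = 0; i < list->Count; i++) {
        const SYSTEM_MODULE_INFORMATION *m = &list->Modules[i];
        if (m->ModuleNameOffset >= sizeof(m->ImageName)) continue;          /* bogus offset */
        if (name_eq_ci(m->ImageName + m->ModuleNameOffset,
                       sizeof(m->ImageName) - m->ModuleNameOffset, file_name)) return m->Base;
    }
    return NULL;
}
/* Bounds-checked little-endian reads over the mapped image. */
static int rd32(const uint8_t *p, size_t len, size_t off, uint32_t *v) {
    if (off > len || len - off < 4) return 0;
    *v = p[off] | (uint32_t)p[off + 1] << 8 | (uint32_t)p[off + 2] << 16 | (uint32_t)p[off + 3] << 24; return 1;
}
static int rd16(const uint8_t *p, size_t len, size_t off, uint16_t *v) {
    if (off > len || len - off < 2) return 0;
    *v = (uint16_t)(p[off] | p[off + 1] << 8); return 1;
}
static int str_eq_at(const uint8_t *p, size_t len, size_t off, const char *s) {   /* NUL-terminated compare */
    for (;; off++, s++) { if (off >= len || p[off] != (uint8_t)*s) return 0; if (*s == '\0') return 1; }
}
/* Step 2: RVA of the export called `name`; 0 if absent, forwarded, or the image is malformed.
 * The caller adds it to the module base (on a mapped image, RVA == offset from base). */
uint32_t find_export_rva(const uint8_t *img, size_t len, const char *name) {
    uint32_t e_lfanew, sig, dir_rva, dir_size, nfuncs, nnames, funcs, names, ords; uint16_t magic;
    if (len < 2 || img[0] != 'M' || img[1] != 'Z') return 0;                      /* IMAGE_DOS_HEADER */
    if (!rd32(img, len, 0x3C, &e_lfanew) || !rd32(img, len, e_lfanew, &sig) || sig != 0x4550) return 0;
    size_t opt = (size_t)e_lfanew + 4 + 20;                 /* past Signature and IMAGE_FILE_HEADER */
    if (!rd16(img, len, opt, &magic)) return 0;
    size_t dir = opt + (magic == 0x10B ? 96 : magic == 0x20B ? 112 : 0);  /* DataDirectory[0] = export */
    if (dir == opt || !rd32(img, len, dir, &dir_rva) || !rd32(img, len, dir + 4, &dir_size) || !dir_rva) return 0;
    if (!rd32(img, len, dir_rva + 20, &nfuncs) || !rd32(img, len, dir_rva + 24, &nnames) || /* IMAGE_EXPORT_DIRECTORY */
        !rd32(img, len, dir_rva + 28, &funcs)  || !rd32(img, len, dir_rva + 32, &names)  ||
        !rd32(img, len, dir_rva + 36, &ords)) return 0;
    for (uint32_t i = 0; i < nnames; i++) {
        uint32_t name_rva, fn_rva; uint16_t ord;
        if (!rd32(img, len, (size_t)names + 4 * i, &name_rva)) return 0;
        if (!str_eq_at(img, len, name_rva, name)) continue;
        if (!rd16(img, len, (size_t)ords + 2 * i, &ord) || ord >= nfuncs) return 0;
        if (!rd32(img, len, (size_t)funcs + 4 * ord, &fn_rva)) return 0;
        if (fn_rva >= dir_rva && fn_rva < dir_rva + dir_size) return 0;       /* forwarder string, not code */
        return fn_rva;
    }
    return 0;
}

/* Constructed sample image (RVA == offset, like a mapped image); not a real ntoskrnl. */
#define SAMPLE_IMAGE_LEN 0x300
static void wr32(uint8_t *p, size_t off, uint32_t v) { p[off] = v; p[off + 1] = v >> 8; p[off + 2] = v >> 16; p[off + 3] = v >> 24; }
const uint8_t *sample_image(void) {
    static uint8_t img[SAMPLE_IMAGE_LEN];
    memset(img, 0, sizeof img);
    img[0] = 'M'; img[1] = 'Z'; wr32(img, 0x3C, 0x40); wr32(img, 0x40, 0x4550);  /* "MZ", e_lfanew, "PE\0\0" */
    img[0x58] = 0x0B; img[0x59] = 0x01;                                           /* OptionalHeader.Magic = PE32 */
    wr32(img, 0x58 + 96, 0x200); wr32(img, 0x58 + 100, 0x60);                     /* export directory RVA, size */
    wr32(img, 0x214, 3); wr32(img, 0x218, 2);                                     /* NumberOfFunctions, NumberOfNames */
    wr32(img, 0x21C, 0x230); wr32(img, 0x220, 0x240); wr32(img, 0x224, 0x250);    /* AddressOfFunctions/Names/NameOrdinals */
    wr32(img, 0x230, 0x1000); wr32(img, 0x234, 0x2000); wr32(img, 0x238, 0x3000); /* function RVAs */
    wr32(img, 0x240, 0x260); wr32(img, 0x244, 0x280); img[0x250] = 2; img[0x252] = 0; /* name RVAs (sorted), ordinals */
    strcpy((char *)img + 0x260, "MmGetSystemRoutineAddress"); strcpy((char *)img + 0x280, "ZwQuerySystemInformation");
    return img;
}
/* Constructed module list in the shape the call returns; paths and bases are made up. */
typedef struct { uint32_t Count; SYSTEM_MODULE_INFORMATION Modules[2]; } SAMPLE_MODULE_LIST;
const SAMPLE_MODULE_LIST *sample_module_list(void) {
    static SAMPLE_MODULE_LIST l;
    memset(&l, 0, sizeof l); l.Count = 2;
    strcpy(l.Modules[0].ImageName, "\\WINNT\\System32\\ntoskrnl.exe");
    l.Modules[0].ModuleNameOffset = 16; l.Modules[0].Base = (void *)(uintptr_t)0x80400000u;
    strcpy(l.Modules[1].ImageName, "\\WINNT\\System32\\hal.dll");
    l.Modules[1].ModuleNameOffset = 16; l.Modules[1].Base = (void *)(uintptr_t)0x80001000u;
    return &l;
}
```

Calling find_export_rva(sample_image(), SAMPLE_IMAGE_LEN, "ZwQuerySystemInformation") returns the constructed RVA 0x1000; the same lookup against a buffer cut short at 0x100 bytes returns 0 instead of reading past the end, which is the property the __try/__except suggestion was meant to buy. The struct is laid out with the host's pointer width, so on a 64-bit build it is not byte-identical to the 32-bit layout NT 4/W2K/XP return; the walk itself does not depend on that, only on the count-then-entries shape.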

If it is not officially documented how people find it?

----- Original Message -----
From: “Vadim Smirnov”
To: “NT Developers Interest List”
Sent: Monday, July 01, 2002 3:48 PM
Subject: [ntdev] Re: GetProcAddress analog


> If it is not officially documented how people find it?

Seems that some ppl are damn curious about some things ..., no? So they
dig whatever they can, using every bit of information they can find in NT
symbols, from debuggers, disassemblers, friends, books.

It's really not so hard.

----- Original Message -----
From: “Alexey Logachyov”
To: “NT Developers Interest List”
Sent: Monday, July 01, 2002 4:55 PM
Subject: [ntdev] Re: GetProcAddress analog
