As per a previous email about patching the Windows kernel, the method I
am copying from uses raw addresses (e.g. 80a4b1cd) (exact kernel versions
are checked before applying, of course). If the kernel is loaded at a
different address though, problems may arise, so I want to come up with
something a little more foolproof.
I ran all the to-be-patched addresses through the debugger and it came
up with symbol+offset values for all of them, and most of the symbols
are retrievable via MmGetSystemRoutineAddress but a few of them are not,
specifically:
HalpDispatchInterrupt
HalpApcInterrupt
HalpInitializeLocalUnit
Taking a stab in the dark, I imagine that the ‘p’ stands for ‘private’,
and that these symbol names only exist because of the debugger symbol
mappings. MmGetSystemRoutineAddress returns NULL for these (and I
believe there is a bug in older versions of Windows where
MmGetSystemRoutineAddress on a bad symbol causes bad things to happen?)
My fallback is to just make these offsets from an earlier symbol (in
terms of kernel address space) that does map via
MmGetSystemRoutineAddress - any better suggestions?
James
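The "exported symbol + offset" fallback described in the mail above, written out as an added example (not code from the mail or from any real driver). It is a user-mode C model so it can be compiled and run anywhere: the byte array stands in for kernel text, the small export table and resolve_export() stand in for MmGetSystemRoutineAddress, and all anchor names, RVAs, deltas and the 3-byte prologue signature are constructed values, not real kernel offsets. The point it adds is the check a practitioner would want before writing through such an address: the computed target is only accepted if its anchor resolves, it falls inside the image, and the original bytes expected there actually match, so a build where the anchor-relative layout drifted is refused rather than patched blindly.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the kernel's text section (a real driver would
 * be looking at the loaded ntoskrnl/hal image). */
#define IMAGE_SIZE 0x100
static uint8_t g_image[IMAGE_SIZE];

/* Constructed export table (name -> RVA), standing in for the export
 * directory MmGetSystemRoutineAddress consults. Names/RVAs are hypothetical. */
struct export_entry { const char *name; uint32_t rva; };
static const struct export_entry g_exports[] = {
    { "AnchorRoutineA", 0x20 },
    { "AnchorRoutineB", 0x80 },
};

/* Stand-in for MmGetSystemRoutineAddress: an exported name resolves relative
 * to wherever the image is loaded; a private name (Halp*) yields 0 (NULL). */
static uintptr_t resolve_export(uintptr_t base, const char *name)
{
    for (size_t i = 0; i < sizeof g_exports / sizeof g_exports[0]; i++)
        if (strcmp(g_exports[i].name, name) == 0)
            return base + g_exports[i].rva;
    return 0;
}

/* A patch site is recorded as (exported anchor, signed delta) instead of a
 * raw address, plus the original bytes expected at the target. */
struct patch_site {
    const char *target;      /* debugger's name for the site, messages only */
    const char *anchor;      /* an exported routine near the target */
    int32_t delta;           /* target - anchor, as reported by the debugger */
    const uint8_t *expect;   /* original bytes the target must start with */
    size_t expect_len;
};

enum { SITE_OK = 0, SITE_NO_ANCHOR = -1, SITE_OUT_OF_IMAGE = -2, SITE_BYTES_MISMATCH = -3 };

/* Resolve one site against an image loaded at `base`. Reports an address only
 * if the anchor resolves, the result lies inside the image, and the expected
 * bytes are present, so a drifted layout is caught before anything is written. */
static int resolve_site(uintptr_t base, const struct patch_site *site, uintptr_t *out)
{
    uintptr_t anchor = resolve_export(base, site->anchor);
    if (anchor == 0)
        return SITE_NO_ANCHOR;
    uintptr_t addr = anchor + (uintptr_t)(intptr_t)site->delta;
    if (addr < base || addr - base + site->expect_len > IMAGE_SIZE)
        return SITE_OUT_OF_IMAGE;
    if (memcmp(&g_image[addr - base], site->expect, site->expect_len) != 0)
        return SITE_BYTES_MISMATCH;
    *out = addr;
    return SITE_OK;
}

/* Constructed signature: push ebp; mov ebp, esp. Deltas are hypothetical. */
static const uint8_t g_prologue[] = { 0x55, 0x8b, 0xec };
static const struct patch_site g_sites[] = {
    { "HalpDispatchInterrupt",   "AnchorRoutineA",  0x10,  g_prologue, sizeof g_prologue },
    { "HalpApcInterrupt",        "AnchorRoutineB", -0x10,  g_prologue, sizeof g_prologue },
    { "HalpInitializeLocalUnit", "AnchorRoutineB",  0x200, g_prologue, sizeof g_prologue },
};
#define NUM_SITES (sizeof g_sites / sizeof g_sites[0])

/* Fill the fake image so the first two sites carry the expected prologue;
 * the third deliberately points past the end of the image. */
static void setup_image(void)
{
    memset(g_image, 0xcc, sizeof g_image);          /* int3 filler */
    memcpy(&g_image[0x30], g_prologue, sizeof g_prologue);
    memcpy(&g_image[0x70], g_prologue, sizeof g_prologue);
}

/* Resolve every site for an image at `base`; returns how many resolved. */
static size_t resolve_all(uintptr_t base)
{
    size_t ok = 0;
    for (size_t i = 0; i < NUM_SITES; i++) {
        uintptr_t addr = 0;
        int rc = resolve_site(base, &g_sites[i], &addr);
        if (rc == SITE_OK) {
            printf("%-24s -> %#lx (%s%+d)\n", g_sites[i].target,
                   (unsigned long)addr, g_sites[i].anchor, (int)g_sites[i].delta);
            ok++;
        } else {
            printf("%-24s -> not patched (rc=%d)\n", g_sites[i].target, rc);
        }
    }
    return ok;
}

int main(void)
{
    setup_image();
    /* Same table, two load addresses: the targets move with the base. */
    resolve_all(0x80a40000u);
    resolve_all(0x80b00000u);
    return 0;
}
```

Running it shows the same site table producing different absolute addresses for the two bases while the third entry is refused. Overwriting one of the prologue bytes before resolving simulates a build where the offset no longer lands on the intended routine; resolve_site() then returns SITE_BYTES_MISMATCH instead of an address, which is the outcome you want from a hook installer that cannot trust a debugger-derived delta across builds.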