Usually, I’m one of the people who beat the drum about “compromised system = game over”. Unfortunately, there really is no reliable way to do this, and lots of people have pointed out why. But that’s not terribly helpful, if you’ve already decided to go down this path.
The best approach (to an awful problem) is probably to carry a table of known addresses of NtEnumerateKey in your component. You can probably search the PE/COFF headers of the in-memory image of NTOSKRNL.EXE and find the timestamp field, and use that as a key in your table. You’ll need to update your code every time a new version of the kernel is released, but frankly that is easier than all of the other approaches. It isn’t general, but it’s easy and reliable. In fact, you’ll probably need a table that maps (kernel-timestamp, system-service-index) -> address. You could even sample the first 32 bytes or so of each function’s implementation, store that in your table, and verify that the bytes match in the running kernel, to reduce the chance of getting it wrong. The PE/COFF module timestamps are the key though – declared version numbers are unreliable, but these timestamps are reliable.
You’ll have to be very careful about making sure that you’re using the timestamp field correctly, that you pulled it from the right location, and that the kernel was loaded at the same virtual address range that you expected. This is all horrible stuff for a driver or other system component, but since you’re *already* starting with a tainted kernel, hey, you can only go up, right?
Disclaimer: I do NOT endorse this approach, or make any promises about its safety, blah blah blah, and my employer certainly does not, either. I’m just pointing out what may be a viable approach. If you use this, you use it at your own risk.
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.com
Sent: Wednesday, May 02, 2007 6:06 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] How to get address of NtEnumerateKey?
Hi All,
I am enumerating the keys in my kernel module, but I am failing because other driver already hooks NtEnumerateKey in SSDT.
In order to enumerate keys I want to restore the address of NtEnumerateKey in SSDT. So please tell me how I can get the original address of NtEnumerateKey in NtOsKrnl.Exe as the function is not exported?
I found that this address is different for different OS. And I don’t want to hardcode the addresses. Is their any way to find address programmatically?
Thanks & Regards,
Amit.
Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer