On Jul 11, 2015, at 10:01 AM, Valery Druba wrote:
>
> I need to get the base address of ntdll.dll.
Why?
> For Windows 7 and lower I used
> ZwQuerySystemInformation. But under Windows 8 ntdll.dll is invisible
> for this function.
> I have implemented another algorithm using ZwQuerySection. It works
> correctly on Windows 7, but it returns a bad address on Windows 8. The
> address differs from the real base address by a constant 0x30670.
>
> Could anybody explain what the problem is?
The problem, of course, is that you are attempting to rely on undocumented implementation details. You can find entry points in ntdll.dll by linking with them, although that won’t help you find its PE headers.
—
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.