How to get the symbol address of a loaded driver

1: kd> x Abcd!D*
fffff880`07265c50 Abcd!DriverEntry$filt$0 (void)
fffff880`07265840 Abcd!DriverOpen$filt$1 (void)
fffff880`07264e80 Abcd!DeviceControl$filt$0 (void)

My driver Abcd is loaded. I break into the debugger and examine symbols as shown above. The question is, how can I get the above symbol address from within the loaded driver programmatically?

Ex: Assume there is a call called GetSymbolAdd(Abcd!DriverOpen) that should return fffff880`07265840

Thanks

xxxxx@gmail.com wrote:

> 1: kd> x Abcd!D*
> fffff880`07265c50 Abcd!DriverEntry$filt$0 (void)
> fffff880`07265840 Abcd!DriverOpen$filt$1 (void)
> fffff880`07264e80 Abcd!DeviceControl$filt$0 (void)
>
> My driver Abcd is loaded. I break into the debugger and examine symbols as shown above. The question is, how can I get the above symbol address from within the loaded driver programmatically?
>
> Ex: Assume there is a call called GetSymbolAdd(Abcd!DriverOpen) that should return fffff880`07265840

You don’t really mean from inside the Abcd driver, do you? Because
within Abcd, you would say

void * addressOfDriverOpen = &DriverOpen;

From other drivers, there is no reasonable way to do this. WinDbg uses
user-mode services that read the driver and its symbol file to match up
the symbols.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

You do not need a call, you can take the address of any function in a
driver, like any other C program. So:

KdPrint(( "DriverOpen address = %p\n", DriverOpen ));

Will print the address.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

-----Original Message-----
From: xxxxx@gmail.com [mailto:xxxxx@gmail.com]
Posted At: Thursday, July 01, 2010 8:46 PM
Posted To: ntdev
Conversation: How to get the symbol address of a loaded driver
Subject: How to get the symbol address of a loaded driver

1: kd> x Abcd!D*
fffff880`07265c50 Abcd!DriverEntry$filt$0 (void)
fffff880`07265840 Abcd!DriverOpen$filt$1 (void)
fffff880`07264e80 Abcd!DeviceControl$filt$0 (void)

My driver Abcd is loaded. I break into the debugger and examine symbols as shown above. The question is, how can I get the above symbol address from within the loaded driver programmatically?

Ex: Assume there is a call called GetSymbolAdd(Abcd!DriverOpen) that should return fffff880`07265840

Thanks

PVOID ptr = (PVOID) DriverOpen;

Or were you asking something else?

Mark Roddy

On Thu, Jul 1, 2010 at 8:46 PM, wrote:

> 1: kd> x Abcd!D*
> fffff880`07265c50 Abcd!DriverEntry$filt$0 (void)
> fffff880`07265840 Abcd!DriverOpen$filt$1 (void)
> fffff880`07264e80 Abcd!DeviceControl$filt$0 (void)
>
> My driver Abcd is loaded. I break into the debugger and examine symbols as shown above. The question is, how can I get the above symbol address from within the loaded driver programmatically?
>
> Ex: Assume there is a call called GetSymbolAdd(Abcd!DriverOpen) that should return fffff880`07265840
>
> Thanks
>
> —
> NTDEV is sponsored by OSR

Sorry for the dumb question, but that indeed was my question, and between the two of you, you have answered my question. Thanks a lot. Please close the case.

You can:

  • enumerate loaded modules and figure out where they are, including Abcd;
    then give it to your usermode app/service and load the symbols
  • send an ioctl to Abcd’s control device that Abcd will reply to in a way
    Tim Roberts suggested

Are you intending to patch Abcd’s code at runtime? If so, you’re on the dark
side now…

S.V.
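
The in-driver answers above, extended to the name-based call the question imagines, as an added example that is not part of the thread: a lookup table filled by taking each routine's address, written as portable user-mode C rather than WDK code. `GetSymbolAdd` is the question's hypothetical name; `MODULE_NAME`, `routine_t`, `sym_table`, `SYM` and the stub routine bodies are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODULE_NAME "Abcd"

/* Constructed stand-ins for the driver's routines; in the real driver these
 * would be its existing DriverEntry / DriverOpen / DeviceControl functions. */
static int DriverEntry(void)   { return 0; }
static int DriverOpen(void)    { return 1; }
static int DeviceControl(void) { return 2; }

typedef int (*routine_t)(void);
struct sym_entry { const char *name; routine_t addr; };

/* #fn stringizes the identifier, so a name and its address cannot drift apart. */
#define SYM(fn) { #fn, fn }
static const struct sym_entry sym_table[] = {
    SYM(DriverEntry), SYM(DriverOpen), SYM(DeviceControl),
};

/* Hypothetical GetSymbolAdd from the question. Accepts "DriverOpen" or the
 * debugger-style "Abcd!DriverOpen"; returns NULL for anything not in the table. */
routine_t GetSymbolAdd(const char *name)
{
    const char *bang;
    size_t i;

    if (name == NULL)
        return NULL;
    bang = strchr(name, '!');
    if (bang != NULL) {
        size_t mlen = (size_t)(bang - name);
        if (mlen != strlen(MODULE_NAME) || strncmp(name, MODULE_NAME, mlen) != 0)
            return NULL;            /* some other module: not in this table */
        name = bang + 1;
    }
    for (i = 0; i < sizeof(sym_table) / sizeof(sym_table[0]); i++)
        if (strcmp(sym_table[i].name, name) == 0)
            return sym_table[i].addr;
    return NULL;
}

int main(void)
{
    routine_t p = GetSymbolAdd("Abcd!DriverOpen");
    printf("DriverOpen address = %p\n", (void *)(uintptr_t)p);
    return p == DriverOpen ? 0 : 1;
}
```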
