Kernel Level PE file access API

Hi There,
There seems to be a conspicuous absence of any PE
access functions, such as traversing the various
directories in PE headers and section directories.
Does such an API exist, published or otherwise?
Presumably the latter must exist for the loader
function.
Cheers
Dave



It exists, but is not documented. Check your RtlXxxxXxxx exports from
ntoskrnl.exe

Dan

----- Original Message -----
From: “Dave B. Sharp”
To: “Windows File Systems Devs Interest List”
Sent: Tuesday, February 14, 2006 6:12 PM
Subject: [ntfsd] Kernel Level PE file access API


Thanx Dan,
I opened ntoskrnl.exe in IDA_Pro and there was
nothing that jumped out at me. Could I bother you for
an example call? I can take it from there.
Cheers
Dave

— Dan Partelly wrote:

> It exists, but is not documented. Check your
> RtlXxxxXxxx exports from
> ntoskrnl.exe
>
> Dan

The two that I’m aware of are RtlImageNtHeader and RtlImageRvaToVa:

RtlImageNtHeader(PVOID ModuleBase):

RtlImageRvaToVa(PIMAGE_NT_HEADERS NTHeaders, PVOID ModuleBase, ULONG RVA, PIMAGE_SECTION_HEADER Ptr_LastSection):


Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@evitechnology.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

No, write ones yourself. I believe the PE header structures are somewhere
in WINNT.H or such.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Dave B. Sharp”
To: “Windows File Systems Devs Interest List”
Sent: Tuesday, February 14, 2006 7:12 PM
Subject: [ntfsd] Kernel Level PE file access API

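The two Rtl exports named earlier in the thread and Maxim's "write ones yourself" come down to the same few dozen lines: find IMAGE_NT_HEADERS behind e_lfanew, then walk the section table to turn an RVA into a file offset. The block below is an added example, not code from this thread or from Windows; it hard-codes the WINNT.H field offsets so it builds without the Windows headers, uses its own function names (pe_nt_header_offset, pe_rva_to_offset, build_sample_image), and parses a constructed sample image rather than a real binary.

```c
#include <stdint.h>
#include <string.h>

/* Byte-order-safe field access; the offsets used below follow the WINNT.H layouts. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xFF; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v & 0xFFFF); wr16(p + 2, v >> 16); }

/* Like RtlImageNtHeader: file offset of IMAGE_NT_HEADERS, or -1 if malformed. Every read
   is checked against len so a truncated or hostile file cannot drive the parser off the buffer. */
int64_t pe_nt_header_offset(const uint8_t *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t nt = rd32(img + 0x3C);                          /* IMAGE_DOS_HEADER.e_lfanew */
    if (nt > len || len - nt < 24) return -1;                /* Signature + IMAGE_FILE_HEADER */
    if (memcmp(img + nt, "PE\0\0", 4) != 0) return -1;
    size_t table = (size_t)nt + 24 + rd16(img + nt + 20);    /* + SizeOfOptionalHeader */
    if (table > len || (len - table) / 40 < rd16(img + nt + 6)) return -1; /* NumberOfSections */
    return nt;
}

/* Like RtlImageRvaToVa: map an RVA to a file offset through the section table, or -1 when
   no section's raw data backs it (e.g. the zero-filled tail of a section). */
int64_t pe_rva_to_offset(const uint8_t *img, size_t len, uint32_t rva)
{
    int64_t nt = pe_nt_header_offset(img, len);
    if (nt < 0) return -1;
    size_t sec = (size_t)nt + 24 + rd16(img + nt + 20);
    for (uint16_t i = 0, n = rd16(img + nt + 6); i < n; i++, sec += 40) {
        uint32_t va = rd32(img + sec + 12), raw = rd32(img + sec + 16), ptr = rd32(img + sec + 20);
        if (rva < va || rva - va >= raw) continue;           /* IMAGE_SECTION_HEADER fields */
        uint64_t off = (uint64_t)ptr + (rva - va);
        return off < len ? (int64_t)off : -1;                /* PointerToRawData may lie */
    }
    return -1;
}

/* Constructed sample, not a real binary: DOS header, PE header, one section ".text" at
   RVA 0x1000 with 0x10 raw bytes at file offset 0x200 (VirtualSize 0x20). Returns length. */
size_t build_sample_image(uint8_t *buf, size_t cap)
{
    const size_t nt = 0x40, sec = nt + 24 + 0xE0, len = 0x210;
    if (cap < len) return 0;
    memset(buf, 0, len);           memcpy(buf, "MZ", 2);    wr32(buf + 0x3C, (uint32_t)nt);
    memcpy(buf + nt, "PE\0\0", 4); wr16(buf + nt + 6, 1); wr16(buf + nt + 20, 0xE0);
    memcpy(buf + sec, ".text", 5); wr32(buf + sec + 8, 0x20); wr32(buf + sec + 12, 0x1000);
    wr32(buf + sec + 16, 0x10);    wr32(buf + sec + 20, 0x200);
    return len;
}
```

The bounds check on every header field is the part that matters when the image comes from a file the driver did not load itself; a truncated header or an out-of-range PointerToRawData yields -1 instead of a read outside the buffer.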

> There seems to be a conspicuous absence of any PE
> access functions, such as traversing the various
> directories in PE headers and section directories.
You may look at tools from http://www.smidgeonsoft.com/.
No source though…

----- Original Message -----
From: “Maxim S. Shatskih”
To: “Windows File Systems Devs Interest List”
Sent: Tuesday, February 14, 2006 9:09 PM
Subject: Re: [ntfsd] Kernel Level PE file access API
