dnsi0 (I post too much)
Reputation: 0
Joined: 04 Jan 2007 Posts: 2674
Posted: Sun Jan 18, 2009 9:30 am Post subject: [Dimwitted Question] Retrieve The Offset of a function
This probably sounds stupid, but...
What is the function that you use to find out the offset of an export from something like ntoskrnl.exe?
Or:
How do you find the base of ntoskrnl.exe in kernel memory?
And ntoskrnl.exe is structured in the same way as a DLL, right (I mean function-wise, in user mode)?
Edit: I'm basically trying to find the kernel equivalent of GetProcAddress().
sphere90 (Grandmaster Cheater)
Reputation: 0
Joined: 24 Jun 2006 Posts: 912
Posted: Sun Jan 18, 2009 9:50 am Post subject: Re: [Dimwitted Question] Retrieve The Offset of a function
dnsi0 wrote:
> Edit: I'm basically trying to find the kernel equivalent of GetProcAddress()
MmGetSystemRoutineAddress.
_________________
Give a hungry man a fish and he'll be full for a day. Teach a hungry man how to fish and he'll be full for the rest of his life.
dnsi0 (I post too much)
Reputation: 0
Joined: 04 Jan 2007 Posts: 2674
Posted: Sun Jan 18, 2009 10:02 am Post subject:
Yeah, I just found that on MSDN, but I want to find the base of ntoskrnl.exe and its exported functions.
lurc (Grandmaster Cheater Supreme)
Reputation: 2
Joined: 13 Nov 2006 Posts: 1900
Posted: Sun Jan 18, 2009 11:22 am Post subject:
Get the kernel base, find your function, subtract the function's address from the base, and voila, you have a virtual address offset.
dnsi0 (I post too much)
Reputation: 0
Joined: 04 Jan 2007 Posts: 2674
Posted: Sun Jan 18, 2009 1:15 pm Post subject:
I get this... >.< But what is the base of ntoskrnl.exe? It can't possibly be 0x80000000...
lurc (Grandmaster Cheater Supreme)
Reputation: 2
Joined: 13 Nov 2006 Posts: 1900
Posted: Sun Jan 18, 2009 3:39 pm Post subject:
Use ZwQuerySystemInformation with SystemModuleInformation being the first param.
Here's a function I found: (http://securityvulns.ru/files/ms06-049.c)
Code:
```c
/* User-mode helper from ms06-049.c: asks ZwQuerySystemInformation for the
   loaded-module list and returns the base of ntoskrnl.exe (0 if not found). */
ULONG GetKernelBase()
{
    ULONG i, Byte, ModuleCount;
    PVOID pBuffer;
    PSYSTEM_MODULE_INFORMATION pSystemModuleInformation;
    PCHAR pName;

    /* First call with a zero-length buffer: the required size comes back in Byte. */
    ZwQuerySystemInformation(SystemModuleInformation, (PVOID)&Byte, 0, &Byte);
    if((pBuffer = malloc(Byte)) == NULL)
        ErrorQuit("malloc failed.\n");                 /* ErrorQuit(): exit helper, not shown here */
    /* Second call fills the buffer: a ULONG module count, then the module entries. */
    if(ZwQuerySystemInformation(SystemModuleInformation, pBuffer, Byte, &Byte))
        ErrorQuit("ZwQuerySystemInformation failed\n");
    ModuleCount = *(PULONG)pBuffer;
    pSystemModuleInformation = (PSYSTEM_MODULE_INFORMATION)((PUCHAR)pBuffer + sizeof(ULONG));
    for(i = 0; i < ModuleCount; i++)
    {
        /* ImageName holds the full path, so substring-match the kernel file name. */
        if((pName = strstr(pSystemModuleInformation->ImageName, "ntoskrnl.exe")) != NULL)
        {
            free(pBuffer);
            return (ULONG)pSystemModuleInformation->Base;
        }
        pSystemModuleInformation++;
    }
    free(pBuffer);
    return 0;
}
```
dnsi0 (I post too much)
Reputation: 0
Joined: 04 Jan 2007 Posts: 2674
Posted: Sun Jan 18, 2009 4:39 pm Post subject:
And how big is it? O.o
And is it also in the return?
Edit:
return (ULONG)pSystemModuleInformation->ImageSize;
This works, right?
BanMe (Master Cheater)
Reputation: 0
Joined: 29 Nov 2005 Posts: 375 Location: Farmington NH, USA
Posted: Sun Jan 18, 2009 5:55 pm Post subject:
Yes, what lurc provided returns the kernel base address.
One could also load ntoskrnl (LoadLibraryEx or memory-map it) and use GetProcAddress or a manual parsing of exports to get the desired function..
Then subtract the loaded base (mapped or otherwise) from the resulting address and add the real kernel base address to get the desired routine... now this is just from user mode..
From kernel mode you could just directly parse the EAT of ntoskrnl (or its counterparts...)
Regards, BanMe
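BanMe's user-mode route above needs two pieces: a lookup of an export's RVA in a copy of the kernel image, and the relocation real base + RVA. The following C is an added example (not code from this thread, from ms06-049.c or from any project) that walks the export directory of a PE32 image mapped so that RVA equals offset (the layout a loaded module has), with every table read bounds-checked so that a truncated or corrupt export table is refused instead of read past the end of the image. The in-memory image built by build_sample_image, its two export names and their RVAs, and the 0x80400000 base used in main are constructed sample data; export_rva, kernel_address and build_sample_image are names of my choosing.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IMAGE_EXPORT_DIRECTORY layout (40 bytes) per the PE specification. */
typedef struct {
    uint32_t Characteristics, TimeDateStamp;
    uint16_t MajorVersion, MinorVersion;
    uint32_t Name, Base, NumberOfFunctions, NumberOfNames;
    uint32_t AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals;
} ExportDir;

/* Bounds-checked little-endian reads at an RVA; RVA == offset for a mapped image. */
static int rd32(const uint8_t *img, size_t len, uint32_t rva, uint32_t *out)
{
    if (rva > len || len - rva < 4) return 0;
    memcpy(out, img + rva, 4);
    return 1;
}
static int rd16(const uint8_t *img, size_t len, uint32_t rva, uint16_t *out)
{
    if (rva > len || len - rva < 2) return 0;
    memcpy(out, img + rva, 2);
    return 1;
}

/* Look up an export by name in a PE32 image; returns 1 and sets *rva, or 0 when
   the name is absent or any table pointer would leave the image. */
int export_rva(const uint8_t *img, size_t len, const char *name, uint32_t *rva)
{
    uint32_t e_lfanew, sig, dir_rva;
    uint16_t magic;
    ExportDir ed;
    if (!rd32(img, len, 0x3C, &e_lfanew)) return 0;                      /* e_lfanew */
    if (!rd32(img, len, e_lfanew, &sig) || sig != 0x00004550u) return 0; /* "PE\0\0" */
    uint32_t opt = e_lfanew + 4 + 20;                                    /* skip FileHeader */
    if (!rd16(img, len, opt, &magic) || magic != 0x10b) return 0;        /* PE32 only */
    if (!rd32(img, len, opt + 96, &dir_rva)) return 0;                   /* DataDirectory[0].VirtualAddress */
    if (dir_rva == 0 || dir_rva > len || len - dir_rva < sizeof ed) return 0;
    memcpy(&ed, img + dir_rva, sizeof ed);
    for (uint32_t i = 0; i < ed.NumberOfNames; i++) {
        uint32_t name_rva, fn_rva;
        uint16_t ord;
        if (!rd32(img, len, ed.AddressOfNames + 4 * i, &name_rva) || name_rva >= len) return 0;
        const char *s = (const char *)img + name_rva;
        if (memchr(s, '\0', len - name_rva) == NULL) return 0;           /* unterminated name */
        if (strcmp(s, name) != 0) continue;
        if (!rd16(img, len, ed.AddressOfNameOrdinals + 2 * i, &ord)) return 0;
        if (ord >= ed.NumberOfFunctions) return 0;
        if (!rd32(img, len, ed.AddressOfFunctions + 4 * ord, &fn_rva)) return 0;
        *rva = fn_rva;
        return 1;
    }
    return 0;
}

/* The relocation step: the RVA is the same in the kernel's own mapping, so add the real base. */
uint32_t kernel_address(uint32_t kernel_base, uint32_t rva)
{
    return kernel_base + rva;
}

/* Constructed sample image (not a real ntoskrnl): only the header fields an export
   walk touches plus a two-name export table, with RVAs equal to offsets. */
size_t build_sample_image(uint8_t *img, size_t cap)
{
    enum { NT = 0x40, OPT = NT + 24, EXP = 0x200, FUNCS = EXP + 40, NAMES = FUNCS + 8,
           ORDS = NAMES + 8, STR = ORDS + 4, END = 0x300 };
    const char *n0 = "ExAllocatePool", *n1 = "PsGetCurrentProcess";
    uint32_t v, funcs[2] = { 0x1000, 0x2480 }, names[2] = { STR, STR + 15 };
    uint16_t ords[2] = { 0, 1 }, magic = 0x10b;
    ExportDir ed = { 0 };
    if (cap < END) return 0;
    memset(img, 0, END);
    img[0] = 'M'; img[1] = 'Z';
    v = NT;          memcpy(img + 0x3C, &v, 4);
    v = 0x00004550u; memcpy(img + NT, &v, 4);
    memcpy(img + OPT, &magic, 2);
    v = EXP;         memcpy(img + OPT + 96, &v, 4);
    v = 40;          memcpy(img + OPT + 100, &v, 4);
    ed.Base = 1; ed.NumberOfFunctions = 2; ed.NumberOfNames = 2;
    ed.AddressOfFunctions = FUNCS; ed.AddressOfNames = NAMES; ed.AddressOfNameOrdinals = ORDS;
    memcpy(img + EXP, &ed, sizeof ed);
    memcpy(img + FUNCS, funcs, sizeof funcs);
    memcpy(img + NAMES, names, sizeof names);
    memcpy(img + ORDS, ords, sizeof ords);
    memcpy(img + names[0], n0, strlen(n0) + 1);
    memcpy(img + names[1], n1, strlen(n1) + 1);
    return END;
}

int main(void)
{
    uint8_t img[0x300];
    uint32_t rva;
    size_t len = build_sample_image(img, sizeof img);
    if (export_rva(img, len, "PsGetCurrentProcess", &rva))
        printf("PsGetCurrentProcess: rva=0x%x -> kernel 0x%08x\n", rva, kernel_address(0x80400000u, rva));
    return 0;
}
```

The same walk applies to a copy obtained with LoadLibraryEx, since the loader maps sections at their virtual addresses; a raw file mapping would first need section-table translation from RVA to file offset, which this example does not do.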
lurc (Grandmaster Cheater Supreme)
Reputation: 2
Joined: 13 Nov 2006 Posts: 1900
Posted: Sun Jan 18, 2009 7:39 pm Post subject:
Well, if you're using this definition of SYSTEM_MODULE_INFORMATION:
Code:
```c
typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG Reserved[2];
    PVOID Base;
    ULONG Size;
    ULONG Flags;
    USHORT Index;
    USHORT Unknow;
    USHORT LoadCount;
    USHORT ModuleNameOffset;
    char ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
```
then it'll be Size. Note that this struct is at +4 of the buffer returned; the actual struct looks like this, where the SYSTEM_MODULE struct is the one above:
Code:
```c
typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG ModulesCount;
    SYSTEM_MODULE Modules[0];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
```
FerrisBuellerYourMyHero (Master Cheater)
Reputation: 0
Joined: 14 Feb 2007 Posts: 401 Location: Inside your <kernel>
Posted: Mon Jan 19, 2009 12:11 am Post subject:
lurc's code is about right! And yeah, that confused me for a sec too while I was figuring it out. The SYSTEM_MODULE_INFORMATION structure defined in ntifs.h seems to be improperly named.
Anyway, I just decided to leave it and created a structure called SYSTEM_MODULE_INFORMATION2,
which is pretty much the same as lurc's:
Code:
```c
typedef struct _SYSTEM_MODULE_INFORMATION_2
{
    ULONG Count;
    SYSTEM_MODULE_INFORMATION Module[1];
} SYSTEM_MODULE_INFORMATION2, *PSYSTEM_MODULE_INFORMATION2;
```
You should note though that, for me, ntoskrnl.exe does not come up on the module list, and instead it's called ntkrnlpa.exe! Why? Well, I now know that ntkrnlpa.exe provides support for PAE, while ntoskrnl.exe does not. So if you want it to be compatible with all systems you might ever run it on, you should check for both "ntoskrnl.exe" and "ntkrnlpa.exe".
And yes, you can also get the size of the kernel from there too.. It's not called "ModuleSize" though if you're using the struct from ntifs.h; it's just called "Size".
Hey lurc, is it safe to use user-mode functions in kernel mode though? Like strstr? I've always thought it's a bad thing to use user-mode functions in kernel mode! Is that the wrong idea?
Or are they linked to kernel-mode functions? For instance, I think memcpy might be a shortcut to RtlCopyMemory if you're coding a driver... I could be wrong though.
_________________
You know, life moves pretty fast. If you don't stop and look around once in a while, You could miss it!
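To make the buffer layout lurc posted and the naming caveat above concrete, here is an added C example (not code from this thread or from any project) that walks a SystemModuleInformation buffer in the 32-bit layout from lurc's post: a ULONG count at offset 0, then 284-byte entries starting at +4. It uses ModuleNameOffset to compare the bare file name against both ntoskrnl.exe and ntkrnlpa.exe, and it refuses to read past the end of the buffer when the count claims more entries than the buffer holds. The buffer is built from constructed sample entries (the paths, the hal.dll entry and both sizes are made up; 0x80400000 is the base dnsi0 reports later in the thread); find_kernel_module, build_sample_buffer and SystemModule32 are names of my choosing, and the struct is declared with fixed-width types so it keeps the 32-bit size on any host.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One SYSTEM_MODULE entry in the 32-bit layout from lurc's post (PVOID is 4 bytes
   on that kernel); fixed-width types keep it 284 bytes on any host. */
typedef struct {
    uint32_t Reserved[2];
    uint32_t Base;
    uint32_t Size;
    uint32_t Flags;
    uint16_t Index;
    uint16_t Unknown;
    uint16_t LoadCount;
    uint16_t ModuleNameOffset;   /* offset of the bare file name inside ImageName */
    char     ImageName[256];     /* full path, e.g. \WINDOWS\system32\ntkrnlpa.exe */
} SystemModule32;

#define MODULE_ENTRY_SIZE 284u

/* Kernel image names to accept: the PAE kernel is ntkrnlpa.exe, as noted above. */
static const char *const kernel_names[] = { "ntoskrnl.exe", "ntkrnlpa.exe", NULL };

/* Walk a SystemModuleInformation buffer: ULONG count at offset 0, entries from +4.
   Returns 1 and fills *base/*size when a kernel image is found, 0 otherwise.
   Never reads beyond len, so a count larger than the buffer yields "not found". */
int find_kernel_module(const uint8_t *buf, size_t len, uint32_t *base, uint32_t *size)
{
    uint32_t count;
    if (len < sizeof count) return 0;
    memcpy(&count, buf, sizeof count);
    for (uint32_t i = 0; i < count; i++) {
        size_t off = sizeof count + (size_t)i * MODULE_ENTRY_SIZE;
        if (off > len || len - off < MODULE_ENTRY_SIZE) return 0;
        SystemModule32 m;
        memcpy(&m, buf + off, MODULE_ENTRY_SIZE);      /* copy out: no alignment assumptions */
        m.ImageName[sizeof m.ImageName - 1] = '\0';     /* force NUL termination */
        if (m.ModuleNameOffset >= sizeof m.ImageName) continue;
        const char *name = m.ImageName + m.ModuleNameOffset;
        for (int k = 0; kernel_names[k]; k++) {
            if (strcmp(name, kernel_names[k]) == 0) {
                *base = m.Base;
                *size = m.Size;
                return 1;
            }
        }
    }
    return 0;
}

/* Fill one entry from a path; ModuleNameOffset points just past the last backslash. */
static void put_module(uint8_t *dst, uint32_t base, uint32_t size, const char *path)
{
    SystemModule32 m;
    memset(&m, 0, sizeof m);
    m.Base = base;
    m.Size = size;
    strncpy(m.ImageName, path, sizeof m.ImageName - 1);
    const char *slash = strrchr(path, '\\');
    m.ModuleNameOffset = (uint16_t)(slash ? (slash - path) + 1 : 0);
    memcpy(dst, &m, MODULE_ENTRY_SIZE);
}

/* Constructed sample buffer (not captured from a live system): the PAE kernel
   at 0x80400000 followed by a hal.dll entry. Returns the byte length written. */
size_t build_sample_buffer(uint8_t *out, size_t cap)
{
    const uint32_t count = 2;
    size_t need = sizeof count + count * MODULE_ENTRY_SIZE;
    if (cap < need) return 0;
    memcpy(out, &count, sizeof count);
    put_module(out + 4, 0x80400000u, 0x001F0000u, "\\WINDOWS\\system32\\ntkrnlpa.exe");
    put_module(out + 4 + MODULE_ENTRY_SIZE, 0x806E2000u, 0x00020000u, "\\WINDOWS\\system32\\hal.dll");
    return need;
}

int main(void)
{
    uint8_t buf[4 + 2 * MODULE_ENTRY_SIZE];
    uint32_t base, size;
    size_t len = build_sample_buffer(buf, sizeof buf);
    if (find_kernel_module(buf, len, &base, &size))
        printf("kernel base=0x%08x size=0x%08x\n", base, size);
    /* A truncated buffer must be rejected, not read past its end. */
    printf("truncated buffer accepted: %d\n", find_kernel_module(buf, 100, &base, &size));
    return 0;
}
```

Comparing the bare file name through ModuleNameOffset rather than substring-matching the whole path is what lets the same loop accept either kernel file name without also matching an unrelated module whose path happens to contain the string.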
smartz993 (I post too much)
Reputation: 2
Joined: 20 Jun 2006 Posts: 2013 Location: USA
Posted: Mon Jan 19, 2009 12:33 am Post subject:
FerrisBuellerYourMyHero wrote:
> Or are they linked to kernel-mode functions? For instance, I think memcpy might be a shortcut to RtlCopyMemory if you're coding a driver... I could be wrong though.
If you trace far enough, you'll see that all user-mode functions go back to kernel mode..
BanMe (Master Cheater)
Reputation: 0
Joined: 29 Nov 2005 Posts: 375 Location: Farmington NH, USA
Posted: Tue Jan 20, 2009 7:16 pm Post subject:
Not all, just the vast majority (no offense smartz):
GetCurrentProcess();
GetCurrentProcessId();
GetCurrentThread();
GetCurrentThreadId();
DebugBreak();
just to name a few that don't go to kernel mode.
Also ntoskrnl, ntoskrnlpa and ntoskrnlmpa
are the three kernels that I know of; maybe there are more...
lurc (Grandmaster Cheater Supreme)
Reputation: 2
Joined: 13 Nov 2006 Posts: 1900
Posted: Tue Jan 20, 2009 10:49 pm Post subject:
FerrisBuellerYourMyHero wrote:
> Hey lurc, is it safe to use user-mode functions in kernel mode though? Like strstr? I've always thought it's a bad thing to use user-mode functions in kernel mode! Is that the wrong idea?
> Or are they linked to kernel-mode functions? For instance, I think memcpy might be a shortcut to RtlCopyMemory if you're coding a driver... I could be wrong though.
Yeah, as far as I know and have tested, it's safe to use CRT functions like strstr, strcmp, memcpy, memset, etc. all in the kernel. RtlCopyMemory is just a definition to memcpy, btw.
As far as the functions go, GetCurrentProcess/GetCurrentThread just return -1, and GetCurrentProcessId and GetCurrentThreadId just access the FS segment to get that data.
I don't even know wtf DebugBreak does.. looked at it, it just jumps to DebugBreakPoint, and then that jumps to the IAT... and boom, gone.
BanMe (Master Cheater)
Reputation: 0
Joined: 29 Nov 2005 Posts: 375 Location: Farmington NH, USA
Posted: Wed Jan 21, 2009 9:47 pm Post subject:
No, you cannot use CRT functions in the kernel!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
All the functions you mentioned, I noticed, were ntdll functions.
(So maybe you are more sly than I think.)
Drivers can only use functions exported by the kernel (which are also exported (coincidentally) from ntdll)..
The reason it went TO the IAT is that you must've imported the function from ntdll, and the IAT is just a jmp table.. so.. in DebugBreak's code an int3 is executed (0xcc) (a breakpoint), and if you're in Olly it doesn't go so well if certain options aren't set.
dnsi0 (I post too much)
Reputation: 0
Joined: 04 Jan 2007 Posts: 2674
Posted: Thu Jan 22, 2009 8:05 pm Post subject:
lurc wrote:
> Use ZwQuerySystemInformation with SystemModuleInformation being the first param.
> Here's a function I found: (http://securityvulns.ru/files/ms06-049.c)
> Code:
>     ULONG GetKernelBase()
>     {
>         ULONG i, Byte, ModuleCount;
>         PVOID pBuffer;
>         PSYSTEM_MODULE_INFORMATION pSystemModuleInformation;
>         PCHAR pName;
>         ZwQuerySystemInformation(SystemModuleInformation, (PVOID)&Byte, 0, &Byte);
>         if((pBuffer = malloc(Byte)) == NULL)
>             ErrorQuit("malloc failed.\n");
>         if(ZwQuerySystemInformation(SystemModuleInformation, pBuffer, Byte, &Byte))
>             ErrorQuit("ZwQuerySystemInformation failed\n");
>         ModuleCount = *(PULONG)pBuffer;
>         pSystemModuleInformation = (PSYSTEM_MODULE_INFORMATION)((PUCHAR)pBuffer + sizeof(ULONG));
>         for(i = 0; i < ModuleCount; i++)
>         {
>             if((pName = strstr(pSystemModuleInformation->ImageName, "ntoskrnl.exe")) != NULL)
>             {
>                 free(pBuffer);
>                 return (ULONG)pSystemModuleInformation->Base;
>             }
>             pSystemModuleInformation++;
>         }
>         free(pBuffer);
>         return 0;
>     }
This doesn't work. Maybe because it's user-mode code.
I found that the base is 0x80400000.
Is this address static? And what is the size T.T