How do I get the address to kernel modules nt and win32k?
https://stackoverflow.com//questions/10690330
-
12-12-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I need to know the base addresses where nt and win32k are loaded. I can find out this information by booting the system with kernel debugging enabled, start a kernel debug session, and run the command lm to get a list of the loaded modules.
What I want to do is programmatically determine where these two modules are loaded without booting into debug mode and using the kernel debugger. I need the base addresses for resolving syscalls in an Event Tracing for Windows log file.
The system I am working on is running Windows Server 2008 R2.
Solution
The list of loaded kernel modules and base addresses (including ntoskrnl) is stored in the list pointed by PsLoadedModulesList symbol.
Or use ZwQuerySystemInformation(SystemModuleInformation) instead.
For detailed information see http://alter.org.ua/docs/nt_kernel/procaddr/
