Reputation: 340
How do I get the address to kernel modules nt and win32k?
I need to know the base addresses where nt and win32k are loaded. I can find out this information by booting the system with kernel debugging enabled, start a kernel debug session, and run the command lm to get a list of the loaded modules.
What I want to do is programmatically determine where these two modules are loaded without booting into debug mode and using the kernel debugger. I need the base addresses for resolving syscalls in an Event Tracing for Windows log file.
The system I am working on is running Windows Server 2008 R2.
Upvotes: 8
Views: 5629
Answers (1)
Reputation: 3234
The list of loaded kernel modules and base addresses (including ntoskrnl) is stored in the list pointed by PsLoadedModuleList symbol.
Or use ZwQuerySystemInformation(SystemModuleInformation) instead.
For detailed information see http://alter.org.ua/docs/nt_kernel/procaddr/
Upvotes: 12
Related Questions
- Windows Symbol Address Definition
- Find base address for a module using WinDbg
- Windows Kernel: Retrieving function addresses inside modules
- How to get module image name from an arbitrary address in Windows kernel space?
- Getting Windows NT Kernel Object by Name from within a kernel driver
- Finding the kernel address of a loadable kernel module
- How to resolve symbols from memory addresses in nt.sys and w32k.sys
- WinDbg shows some variables but not others, shows some variables in same location
- Where can I find the api supported by kernel32.dll?
- Need a kernel mode API that will find the base address of user mode Win32 Dll