maysam
Reputation: 519
find base address of current procrss in kernel space
hi i will dump the other process in kernel driver
and use KeStackAttachProcess to change driver current context
after user-mode address changed how can find base address of current process i need base address for cast it to PIMAGE_DOS_HEADER( and parse it to find sections) can use PEB?
any other solution?
Upvotes: 1
Views: 5596
Answers (1)
Sergey Podobry
Reputation: 7189
There is a special API function for that:
NTKERNELAPI
PVOID
PsGetProcessSectionBaseAddress(
__in PEPROCESS Process
);
And you can use SectionBaseAddress field in the EPROCESS structure:
+0x128 SectionBaseAddress : 0x00400000 Void
It may vary in different OS versions.
Upvotes: 8
Related Questions
- How do I get the (physical) baseaddress of an .DLL used in a process?
- c/c++ how can i get base address of .exe running process?
- How to read Import Address Table, in a driver, from a PEPROCESS?
- How to get Device Instance Path from Windows kernel driver?
- Get base address of process
- How to get module image name from an arbitrary address in Windows kernel space?
- How to determine RVA of AddressOfEntryPoint from PE Headers Using Dumpbin
- Get lpbaseaddress of a suspended process
- obtain file base name
- Need a kernel mode API that will find the base address of user mode Win32 Dll