From: RossettoeCioccolato on
Is there a canonical way to determine the base address of the NT kernel (or
at least an undocumented but stable way) targeting Windows 2003 SP1 and
later?

Regards,

Rossetoecioccolato.


From: Doron Holan [MSFT] on
Why?

--

This posting is provided "AS IS" with no warranties, and confers no rights.


"RossettoeCioccolato" <rossetoecioccolato(a)newsgroup.nospam> wrote in message
news:OiRkX36uKHA.4220(a)TK2MSFTNGP05.phx.gbl...
> Is there a canonical way to determine the base address of the NT kernel
> (or at least an undocumented but stable way) targeting Windows 2003 SP1
> and later?
>
> Regards,
>
> Rossetoecioccolato.
>

From: RossettoeCioccolato on
Doron,

> Why? <

To calculate the RVA of a vector that is supposed to be located within the
kernel. The absolute address of the vector may change but the RVA should
remain constant across reboots unless the underlying code base changes.
This application will tolerate an error in a small number of cases as long
as the only consequence is that the calculated RVA will be incorrect (i.e.
false positive).

I am not planning on dereferencing the kernel base address, if that is your
question.

Regards,

Rossetoecioccolato.


From: Maxim S. Shatskih on
> kernel. The absolute address of the vector may change but the RVA should
> remain constant across reboots unless the underlying code base changes.

...unless the security patch from Windows Update is installed.

--
Maxim S. Shatskih
Windows DDK MVP
maxim(a)storagecraft.com
http://www.storagecraft.com

From: RossettoeCioccolato on
Maxim,

> ...unless the security patch from Windows Update is installed. <

That would be a change in the code base. Whether it is a malicious change
or not depends on your point of view (and the location from which Windows
Update pulled the patch). :-)

Regards,

Rossetoecioccolato.