How do I get the address to kernel modules nt and win32k?

About

Asked 21/5, 2012 at 18:9 Answered 21/5, 2012 at 19:30

Solved windows windows-server-2008 windbg etw windows-kernel

I need to know the base addresses where nt and win32k are loaded. I can find out this information by booting the system with kernel debugging enabled, start a kernel debug session, and run the command lm to get a list of the loaded modules.

What I want to do is programmatically determine where these two modules are loaded without booting into debug mode and using the kernel debugger. I need the base addresses for resolving syscalls in an Event Tracing for Windows log file.

The system I am working on is running Windows Server 2008 R2.

Ulcerous answered 21/5, 2012 at 18:9 Comment(1)

nirsoft.net/utils/driverview.html – Mullins 14/3, 2021 at 15:38

The list of loaded kernel modules and base addresses (including ntoskrnl) is stored in the list pointed by PsLoadedModuleList symbol. Or use ZwQuerySystemInformation(SystemModuleInformation) instead.

For detailed information see http://alter.org.ua/docs/nt_kernel/procaddr/

Yecies answered 21/5, 2012 at 19:30 Comment(1)

Excellent. Thank you for the reference. This solution is great because it is useful for both kernel-mode and user-mode. Researching your answer also lead me to 2 other API calls, EnumDeviceDrivers and GetDeviceDriverBaseName that look like they accomplish the same thing. – Ulcerous 24/5, 2012 at 14:32

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags