A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #15317  by fire_the_hole
 Thu Aug 23, 2012 6:20 am
//sorry, my English is poor. :oops:
How to locate the specific driver module which owns a specific address.

I want to know which rootkit hooks the specific address.
For example:
8053e628 90 nop
8053e629 e962aecc31 jmp b2209490 // this is an inline hook

I want to know which module b2209490 belongs to.
This is what I do:
kd> !vm b2209490

*** Virtual Memory Usage ***
Physical Memory: 130940 ( 523760 Kb)
Page File: \??\C:\pagefile.sys
...

Maybe the specific module has been swapped out to disk, so Windows tells me it is located in the pagefile. Now how can I know which module is in the pagefile?
 #15321  by fire_the_hole
 Thu Aug 23, 2012 9:23 am
Thank you, but even "lm" lists only so little info:
kd> lm
start end module name
804d8000 806d0480 nt (pdb symbols) d:\symbol\ntkrnlpa.pdb\30B5FB31AE7E4ACAABA750AA241FF3311\ntkrnlpa.pdb

Unloaded modules:
f899a000 f899f000 Cdaudio.SYS
f837c000 f837f000 Sfloppy.SYS

So I don't think "lm a address" will help.
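An added example (not the poster's code) of the check this thread is after: decode the rel32 jmp of the inline hook to its real target, then look that target up against the "lm" ranges, reporting the owning module or that no listed module (loaded or unloaded) claims the address. The disassembly line and the "lm" rows are the ones quoted above, embedded as constructed sample input; the "unlisted" label and the function names are this example's own.

```python
import re

# Constructed sample, modelled on the disassembly and 'lm' listing quoted
# in the thread (trimmed to the lines the poster showed).
HOOK_LINE = "8053e629 e962aecc31 jmp b2209490"
LM_OUTPUT = """\
start end module name
804d8000 806d0480 nt (pdb symbols) d:\\symbol\\ntkrnlpa.pdb\\30B5FB31AE7E4ACAABA750AA241FF3311\\ntkrnlpa.pdb

Unloaded modules:
f899a000 f899f000 Cdaudio.SYS
f837c000 f837f000 Sfloppy.SYS
"""
MODULE_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)", re.I)


def decode_jmp_rel32(line):
    # 'addr bytes mnemonic ...': E9 is a 5-byte jmp, target = next IP + signed rel32
    addr_hex, bytes_hex = line.split()[:2]
    addr, code = int(addr_hex, 16), bytes.fromhex(bytes_hex)
    if len(code) != 5 or code[0] != 0xE9:
        raise ValueError("not a rel32 jmp: " + bytes_hex)
    rel = int.from_bytes(code[1:], "little", signed=True)
    return addr, (addr + 5 + rel) & 0xFFFFFFFF  # wrap to a 32-bit kernel VA


def parse_lm(text):
    # Collect (start, end, name, state); rows after 'Unloaded modules:' are 'unloaded'
    modules, state = [], "loaded"
    for line in text.splitlines():
        if line.strip().lower().startswith("unloaded modules"):
            state = "unloaded"
            continue
        m = MODULE_RE.match(line.strip())
        if m:
            modules.append((int(m[1], 16), int(m[2], 16), m[3], state))
    return modules


def owner_of(target, modules):
    # A target that no loaded or unloaded module claims is 'unlisted': the
    # classic sign of a driver that unlinked itself from the module list or of
    # code living in a pool allocation, so 'lm' alone cannot name it.
    for start, end, name, state in modules:
        if start <= target < end:
            return f"{state}:{name}"
    return "unlisted"


def attribute_hook(hook_line, lm_text):
    _, target = decode_jmp_rel32(hook_line)
    return target, owner_of(target, parse_lm(lm_text))
```

Running attribute_hook(HOOK_LINE, LM_OUTPUT) on the thread's data yields (0xb2209490, "unlisted"), which is exactly why "lm a b2209490" finds nothing here.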