A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #27217  by myid
 Fri Nov 13, 2015 8:07 am
I want to print the IAT information of a kernel module.
Sometimes, DataDir[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress is not a valid address (MmIsAddressValid returns FALSE).
For example, DataDir[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress of NTOSKRNL is not valid.
But PCHunter32.exe can find the IAT hooks of NTOSKRNL.
Could someone tell me how to do that?
 #27220  by myid
 Fri Nov 13, 2015 9:41 am
EP_X0FF wrote:
myid wrote: But PCHunter32.exe can find the IAT hooks of NTOSKRNL.
Could someone tell me how to do that?
Load it from file and parse.
Loading a file and parsing its PE structure is very easy. But I still cannot get the current address.
For example, NTOSKRNL imports KDCOM!KdSave, and someone modifies the IAT of NTOSKRNL to hook it.
Getting the real address of KDCOM!KdSave is easy, but how can I know whether this import function (KDCOM!KdSave) is hooked?
(I said above: NTOSKRNL's DataDir[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress is not a valid address)
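The check myid is asking about, as an added example that is neither code from this thread nor PCHunter's code: walk the import directory of an already mapped image (so RVAs are plain offsets from the image base), read each IAT slot, and flag any slot whose pointer does not fall inside the image range of the module that is supposed to export that symbol. The struct layouts mirror the documented IMAGE_IMPORT_DESCRIPTOR and 64-bit IMAGE_THUNK_DATA but are redeclared so the code builds without Windows headers; the 4 KiB image, the "kdcom.dll" range and every address in it are constructed sample data, and the exporter table stands in for what a driver would take from the loaded-module list.

```c
/* Added example (not from the thread): walk a PE import directory and flag IAT
 * entries whose resolved pointer lies outside the exporting module's image range.
 * Struct layouts mirror IMAGE_IMPORT_DESCRIPTOR / IMAGE_THUNK_DATA64 but are
 * redeclared so this compiles without Windows headers. Image bytes, module name
 * and addresses below are constructed sample data. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ORDINAL_FLAG64 0x8000000000000000ULL

typedef struct {
    uint32_t OriginalFirstThunk; /* RVA of the import name table (INT) */
    uint32_t TimeDateStamp;
    uint32_t ForwarderChain;
    uint32_t Name;               /* RVA of the NUL-terminated DLL name */
    uint32_t FirstThunk;         /* RVA of the IAT, patched by the loader */
} ImportDescriptor;

typedef struct { const char *name; uint64_t base, size; } ModuleRange;
typedef struct { char dll[32]; char func[32]; uint64_t target; } Finding;

/* RVA -> pointer inside a flat (already mapped) image; NULL if out of bounds. */
static const void *rva_ptr(const uint8_t *img, size_t len, uint64_t rva, size_t need) {
    if (rva >= len || need > len - rva) return NULL;
    return img + rva;
}

/* Same for strings: the terminating NUL must also lie inside the image. */
static const char *rva_str(const uint8_t *img, size_t len, uint64_t rva) {
    const char *s = rva_ptr(img, len, rva, 1);
    return (s && memchr(s, 0, len - rva)) ? s : NULL;
}

static const ModuleRange *find_module(const ModuleRange *m, size_t n, const char *name) {
    for (size_t i = 0; i < n; i++) if (strcmp(m[i].name, name) == 0) return &m[i];
    return NULL;
}

/* Returns how many IAT slots point outside their exporter (or belong to an
 * unknown module), writing up to 'max' findings; -1 if the directory is malformed. */
int scan_iat(const uint8_t *img, size_t len, uint32_t import_rva,
             const ModuleRange *mods, size_t nmods, Finding *out, size_t max) {
    int bad = 0;
    for (uint64_t d = import_rva;; d += sizeof(ImportDescriptor)) {
        const ImportDescriptor *desc = rva_ptr(img, len, d, sizeof *desc);
        if (!desc) return -1;
        if (desc->Name == 0 && desc->FirstThunk == 0) break; /* all-zero terminator */
        const char *dll = rva_str(img, len, desc->Name);
        if (!dll) return -1;
        const ModuleRange *mod = find_module(mods, nmods, dll);
        for (uint64_t i = 0;; i++) {
            const uint64_t *name_e = rva_ptr(img, len, desc->OriginalFirstThunk + 8 * i, 8);
            const uint64_t *iat_e  = rva_ptr(img, len, desc->FirstThunk + 8 * i, 8);
            if (!name_e || !iat_e) return -1;
            if (*name_e == 0) break;                        /* end of this DLL's thunks */
            char fn[32];
            if (*name_e & ORDINAL_FLAG64) {
                snprintf(fn, sizeof fn, "#%u", (unsigned)(*name_e & 0xFFFF));
            } else {
                const char *s = rva_str(img, len, *name_e + 2); /* skip the 2-byte hint */
                if (!s) return -1;
                snprintf(fn, sizeof fn, "%s", s);
            }
            int inside = mod && *iat_e >= mod->base && *iat_e - mod->base < mod->size;
            if (!inside) {
                if ((size_t)bad < max) {
                    snprintf(out[bad].dll, sizeof out[bad].dll, "%s", dll);
                    snprintf(out[bad].func, sizeof out[bad].func, "%s", fn);
                    out[bad].target = *iat_e;
                }
                bad++;
            }
        }
    }
    return bad;
}

/* ---- constructed sample: a flat 4 KiB image with one import descriptor ---- */
static uint8_t g_image[0x1000];
/* Constructed exporter range; not a real kdcom load address. */
static const ModuleRange g_mods[] = { { "kdcom.dll", 0xFFFFF80000100000ULL, 0x10000 } };

static void put64(uint32_t off, uint64_t v) { memcpy(g_image + off, &v, sizeof v); }

static void build_sample_image(void) {
    memset(g_image, 0, sizeof g_image);
    ImportDescriptor d = { 0x200, 0, 0, 0x400, 0x300 }; /* zero bytes at 0x114 end the list */
    memcpy(g_image + 0x100, &d, sizeof d);
    put64(0x200, 0x410); put64(0x208, 0x420);            /* INT: RVAs of hint/name entries */
    put64(0x300, 0xFFFFF80000101000ULL);                 /* IAT[0]: KdSave, inside kdcom */
    put64(0x308, 0xFFFFF80012345678ULL);                 /* IAT[1]: KdRestore, redirected */
    memcpy(g_image + 0x400, "kdcom.dll", 10);
    memcpy(g_image + 0x412, "KdSave", 7);                /* hint word at 0x410, name after it */
    memcpy(g_image + 0x422, "KdRestore", 10);
}

/* Scan the constructed image; its import directory RVA is 0x100. */
int sample_scan(Finding *out, size_t max) {
    build_sample_image();
    return scan_iat(g_image, sizeof g_image, 0x100, g_mods, 1, out, max);
}

int main(void) {
    Finding f[8];
    int n = sample_scan(f, 8);
    for (int i = 0; i < n && i < 8; i++)
        printf("%s!%s -> %#llx (outside exporter)\n", f[i].dll, f[i].func,
               (unsigned long long)f[i].target);
    return n < 0;
}
```

A hit only means the slot does not point into the module that should export the symbol. Forwarded exports legitimately resolve into a different module, so a driver doing this for real has to resolve forwarders before calling a hit a hook, and an inline patch inside the exporter's own code is not visible to this check at all. When the image is read from disk instead of from memory, RVAs must first be mapped through the section table; and reading the live IAT touches pageable kernel memory, which is exactly the MmIsAddressValid question raised later in this thread.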
 #27229  by Vrtule
 Sun Nov 15, 2015 10:31 am
MmIsAddressValid tells you whether an access to a given virtual address causes a page fault. That does not necessarily mean that the address is invalid. It may be the case that the page to which the address points is not currently present in physical memory and that it will be loaded from the paging file if you attempt to access it.

So, you should look at what the addresses you are examining with MmIsAddressValid look like (whether they look like kernel addresses or not) and possibly try to access their pages. Yeah, they may be invalid, but such things may happen when you are examining memory regions not belonging to you.
 #27233  by myid
 Sun Nov 15, 2015 4:32 pm
Vrtule wrote: MmIsAddressValid tells you whether an access to a given virtual address causes a page fault. That does not necessarily mean that the address is invalid. It may be the case that the page to which the address points is not currently present in physical memory and that it will be loaded from the paging file if you attempt to access it.

So, you should look at what the addresses you are examining with MmIsAddressValid look like (whether they look like kernel addresses or not) and possibly try to access their pages. Yeah, they may be invalid, but such things may happen when you are examining memory regions not belonging to you.
How can I make the virtual address present in physical memory?