Hi,
Assuming that one function can be viewed in windbg like this:
804e3c06 ff2508355580 jmp dword ptr [nt!blahblahblah (80553508)]
804e3c0c 90 nop
804e3c0d 90 nop
Now, going to address 80553508, I can see it's code.
Now I'm calculating the RVA of this address: 80553508 - KernelBase. Next I'm converting this RVA to a file offset (Rva2Offset) in ntoskrnl.exe (however, it seems that this particular file is properly aligned, so I can skip this step). Then I'm opening ntoskrnl.exe in a hex editor, going to the address that is equal to the RVA, and I can see ff2508c54700, which seems to be correct since ff35 is the opcode, and 0047c508 - 0x400000 (image base) + kernel base = 80553508.
Now my problem is that I need to look at what is under this address (in file: VA 0047c508, RVA 0007c508), but when I go to this address in the hex editor I see '0'... What am I missing here? I assume it is something to do with relocations. Can you tell me how I can read the proper values under this address?
Thanks.
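A small resolver for the VA to RVA to file-offset walk described in the post, added here as an example and not part of the original thread. It parses the PE section table with Python's struct module; the image it runs on is a constructed stub (not ntoskrnl.exe), and the loaded base used when reading is an assumption. It also reports when an RVA falls in a section's zero-filled tail beyond SizeOfRawData, which is one reason the file can show zeros where memory shows a pointer.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def parse_pe(data):
    """Return (image_base, sections); each section is (name, va, vsize, raw_ptr, raw_size)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    # ImageBase is a DWORD at +28 in a PE32 optional header, a QWORD at +24 in PE32+
    if magic == 0x10B:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)[:5]
        sections.append((name.rstrip(b"\0").decode(), va, vsize, raw_ptr, raw_size))
    return image_base, sections

def rva_to_offset(sections, rva):
    """Map an RVA to a file offset; None if no bytes in the file back it."""
    if sections and rva < sections[0][1]:
        return rva  # the PE headers are mapped 1:1 at the start of the image
    for _, va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            delta = rva - va
            # Past SizeOfRawData the loader zero-fills: there is nothing to read in the file
            return raw_ptr + delta if delta < raw_size else None
    return None

def read_loaded_va(data, loaded_base, va, n):
    """Read n file bytes for a VA seen in the debugger, given the base the image was loaded at."""
    _, sections = parse_pe(data)
    off = rva_to_offset(sections, va - loaded_base)
    return None if off is None else data[off:off + n]

def build_sample_pe():
    """Constructed PE32 stub (not ntoskrnl.exe): one .text section, 0x200 raw bytes, 0x1000 virtual."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 96, 0x102)
    opt = bytearray(96); struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<I", opt, 28, 0x400000)
    sec = struct.pack(SECTION_FMT, b".text", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    img = bytearray(bytes(dos) + coff + bytes(opt) + sec).ljust(0x600, b"\0")
    img[0x400:0x406] = bytes.fromhex("ff2508c54700")  # the jmp bytes quoted in the post, placed at RVA 0x1000
    return bytes(img)
```

Run it against a real image by replacing build_sample_pe() with the file's bytes and loaded_base with the base the debugger reports; an RVA that lands in the zero-filled tail comes back as None instead of a misleading offset.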