The following code I wrote works perfectly on 32-bit Win 7:
```c
PVOID GetNtosBaseAddr(PDRIVER_OBJECT DriverObject) {
    PKLDR_DATA_TABLE_ENTRY driverSection;
    PKLDR_DATA_TABLE_ENTRY ldrDataTableEntry;
    PVOID kernelBase = NULL;
    PLIST_ENTRY headEntry;
    PLIST_ENTRY currentEntry;
    UNICODE_STRING ntosString = {0};

    // DriverSection is the loader entry for this driver
    driverSection = (PKLDR_DATA_TABLE_ENTRY) DriverObject->DriverSection;
    RtlInitUnicodeString(&ntosString, L"ntoskrnl.exe");

    headEntry = driverSection->InLoadOrderLinks.Blink; // header points to prev entry
    currentEntry = headEntry->Flink;                   // first node visited: this driver
    while (currentEntry != headEntry) {
        ldrDataTableEntry = CONTAINING_RECORD(currentEntry, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
        if (RtlCompareUnicodeString(&ntosString, &ldrDataTableEntry->BaseDllName, TRUE) == 0) {
            DbgPrint("Found base address of NTOSKRNL: 0x%p\n", ldrDataTableEntry->DllBase);
            kernelBase = ldrDataTableEntry->DllBase;
            break;
        }
        currentEntry = currentEntry->Flink;
    }
    return kernelBase;
}
```

However, on x64 Win7 with PG disabled by fyyre's method it crashes when it tries to dereference ldrDataTableEntry->BaseDllName ON THE SECOND RUN. So the first time through the loop ldrDataTableEntry points to the data_table_entry of my driver, but on the second pass ldrDataTableEntry points to an erroneous memory location, and when RtlCompareUnicodeString tries to compare I get a bugcheck invalid_memory?
I have tried the following combination:

```c
typedef struct _KLDR_DATA_TABLE_ENTRY {
    LIST_ENTRY InLoadOrderLinks;
    PVOID ExceptionTable;
    ULONG ExceptionTableSize;
    //ULONG padding1;
    PVOID GpValue;
    PVOID NonPagedDebugInfo;
    PVOID DllBase;
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    USHORT LoadCount;
    USHORT __Unused5;
    PVOID SectionPointer;
    ULONG CheckSum;
    //ULONG Padding2;
    PVOID LoadedImports;
    PVOID PatchInformation;
} KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;
```
1. All LIST_ENTRIES were redefined as LIST_ENTRIES64 (respectively PLIST_ENTRIES64) - same result.
2. Uncommented Padding1 and Padding2, since in the WRK sources they have put up comments that there should be ULONG paddings on IA64 (doubt it will work) - same result.

It is strange, because even before I get into the loop I do list_entry manipulation by first setting the header to the previous entry, and then utilising the linked list to point to the current one (my driver), but on the second pass in the loop it crashes?
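A user-mode C model of the walk in the post, added here as an example and not code from the post: a circular intrusive list whose head is a bare LIST_ENTRY embedded in no record (the shape of a loader list head), three constructed module records, and a walk that starts from the caller's own Blink exactly like the loop above. LIST_ENTRY, CONTAINING_RECORD, MODULE_ENTRY, the module names and the DllBase values are constructed stand-ins for the kernel's types and data.

```c
#include <stddef.h>
#include <string.h>
/* User-mode stand-ins for the kernel types used by the post's loop. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY, *PLIST_ENTRY;
#define CONTAINING_RECORD(addr, type, field) ((type *)((char *)(addr) - offsetof(type, field)))
typedef struct _MODULE_ENTRY {          /* only the fields the walk touches */
    LIST_ENTRY InLoadOrderLinks;
    const char *BaseDllName;            /* stands in for the UNICODE_STRING */
    void *DllBase;
} MODULE_ENTRY, *PMODULE_ENTRY;

/* Circular list whose head is a bare LIST_ENTRY embedded in no record, the
 * same shape as a loader list head. Records and bases are constructed. */
static LIST_ENTRY g_head;
static MODULE_ENTRY g_mods[3] = {
    { {0, 0}, "ntoskrnl.exe", (void *)0x1000 },
    { {0, 0}, "hal.dll",      (void *)0x2000 },
    { {0, 0}, "mydriver.sys", (void *)0x3000 },
};
static int g_head_hits;                 /* times a walk landed on the bare head */

static void build_list(void) {
    g_head.Flink = &g_mods[0].InLoadOrderLinks;
    g_head.Blink = &g_mods[2].InLoadOrderLinks;
    for (int i = 0; i < 3; i++) {
        g_mods[i].InLoadOrderLinks.Flink = (i == 2) ? &g_head : &g_mods[i + 1].InLoadOrderLinks;
        g_mods[i].InLoadOrderLinks.Blink = (i == 0) ? &g_head : &g_mods[i - 1].InLoadOrderLinks;
    }
}

/* Walk shaped like the post's loop: stop = own Blink, first node = own entry, then
 * Flink onward. So the bare head is visited like any record (CONTAINING_RECORD on
 * it would point into whatever surrounds the head) and the stop node is never examined. */
static void *find_module(PMODULE_ENTRY self, const char *name) {
    PLIST_ENTRY stop, cur;
    if (g_head.Flink == NULL) build_list();
    stop = self->InLoadOrderLinks.Blink;
    cur = stop->Flink;
    g_head_hits = 0;
    while (cur != stop) {
        if (cur == &g_head) {           /* the model can tell only because it knows the head */
            g_head_hits++;
        } else {
            PMODULE_ENTRY e = CONTAINING_RECORD(cur, MODULE_ENTRY, InLoadOrderLinks);
            if (strcmp(e->BaseDllName, name) == 0) return e->DllBase;
        }
        cur = cur->Flink;
    }
    return NULL;
}
```

Starting from the last record, the very next node on the ring is the bare head, which is the second iteration; a driver walking a real loader list cannot recognise that node by address unless it compares against the actual list head.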