A forum for reverse engineering, OS internals and malware analysis 

#3208 by Alex
Sun Oct 24, 2010 4:54 pm
It depends what you need this information for. If you are sure that the ZwQuerySystemInformation service isn't hooked and the data stored in the PsLoadedModuleList list are correct, you can use ZwQuerySystemInformation(SystemModuleInformation) or read these data from the PsLoadedModuleList (LDR_DATA_TABLE_ENTRY) directly. You can also find the nt address inside KdVersionBlock. Finally, you can use one of the following methods described in the Windows Kernel-mode Payload Fundamentals article. If nt's PE header isn't destroyed, you can use it to obtain the image size.
#3212 by driverobject
Mon Oct 25, 2010 7:59 am
Thanks Alex, very useful information.

Would it be safe to assume that the image base or module start address will not be changed even if ZwQuerySystemInformation is modified? Based on the fact that this would not be of benefit to the rootkit?

Combining the 2 techniques you have outlined below, would the steps below be a logical way to detect modification of the kernel, then?

1. Get the image size from the PE image of nt on disk.
2. Get the image size by calling ZwQuerySystemInformation.
3. Compare the two and if there is a difference alert that there is modification.

And in addition to that is there any legit use of NT kernel modification that Microsoft itself would do?

Thanks.
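The three-step check proposed above, written out as an added example (not code from either poster): step 1 reads OptionalHeader.SizeOfImage from the on-disk kernel file, step 2 asks NtQuerySystemInformation(SystemModuleInformation) for the ImageSize of nt, step 3 compares them. The RTL_PROCESS_MODULES layout and the kernel file names are the documented ones; the constructed PE header in the comments is for illustration only.

```python
import ctypes
import os
import struct
import sys

SYSTEM_MODULE_INFORMATION = 11                   # SYSTEM_INFORMATION_CLASS value
MODULE_ENTRY = struct.Struct("@PPPIIHHHH256s")   # RTL_PROCESS_MODULE_INFORMATION, native layout
KERNEL_NAMES = (b"ntoskrnl.exe", b"ntkrnlpa.exe", b"ntkrnlmp.exe", b"ntkrpamp.exe")

def pe_size_of_image(data: bytes) -> int:
    """Step 1: SizeOfImage from the file's PE headers; 0 if the headers are not a valid PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return 0
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 24                          # "PE\0\0" (4) + IMAGE_FILE_HEADER (20)
    if opt + 0x3C > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return 0
    if struct.unpack_from("<H", data, opt)[0] not in (0x10B, 0x20B):   # PE32 / PE32+
        return 0
    return struct.unpack_from("<I", data, opt + 0x38)[0]   # SizeOfImage, same offset in both

def reported_kernel_module():
    """Step 2: (ImageBase, ImageSize, path) of nt as reported by NtQuerySystemInformation."""
    ntdll = ctypes.WinDLL("ntdll")
    needed = ctypes.c_ulong(0)
    ntdll.NtQuerySystemInformation(SYSTEM_MODULE_INFORMATION, None, 0, ctypes.byref(needed))
    buf = ctypes.create_string_buffer(needed.value)
    status = ntdll.NtQuerySystemInformation(SYSTEM_MODULE_INFORMATION, buf, needed.value, ctypes.byref(needed))
    if status != 0:
        raise OSError(f"NtQuerySystemInformation failed, NTSTATUS {status & 0xFFFFFFFF:#010x}")
    count = struct.unpack_from("@I", buf, 0)[0]
    first = struct.calcsize("@P")                # array follows NumberOfModules plus alignment padding
    for i in range(count):
        _s, _m, base, size, _f, _lo, _io, _lc, name_off, path = MODULE_ENTRY.unpack_from(buf, first + i * MODULE_ENTRY.size)
        path = path.split(b"\0", 1)[0]
        if path[name_off:].lower() in KERNEL_NAMES:
            return base, size, path.decode()
    raise LookupError("kernel image not found in module list")

def size_mismatch(on_disk: int, reported: int) -> bool:
    """Step 3: flag only when both values were obtained and they differ."""
    return on_disk != 0 and reported != 0 and on_disk != reported

if __name__ == "__main__":                       # Windows only; the parser above is portable
    base, reported, path = reported_kernel_module()
    disk_path = path.replace("\\SystemRoot", os.environ["SystemRoot"], 1)
    with open(disk_path, "rb") as f:
        on_disk = pe_size_of_image(f.read())
    print(f"{path}: base {base:#x}, reported {reported:#x}, on disk {on_disk:#x}")
    sys.exit(1 if size_mismatch(on_disk, reported) else 0)
```

As Alex points out, this relies on ZwQuerySystemInformation not being hooked, so a matching result is consistency, not proof of an unmodified kernel.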