A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #8781  by Brock
 Tue Sep 27, 2011 4:32 pm
Does the address that ZwClosePtr points to match that of MmGetSystemRoutineAddress for "ZwClose"?
 #8799  by r2nwcnydc
 Wed Sep 28, 2011 11:22 am
_Lynn wrote: Computed offset is the address I get from dumping the ntoskrnl EAT subtracted by default image base. I then add that offset to the kernel base I obtain in my driver, which I check to make sure is correct with DbgPrint.
The EAT is an array of RVAs, which are relative to the image base. So you don't need to subtract the default image base, because the base has not been added to the address.
For example, if we had a virtual address of 82882d7c for ZwClose and a base of 82842000 for ntoskrnl:
RVA (relative to image base) = 00040D7C
VA (relative to zero) = 82882d7c
From page 71 of the PE-COFF spec from Microsoft (http://msdn.microsoft.com/en-us/windows ... e/gg463119):
Export address table - An array of RVAs of exported symbols. These are the actual addresses of the exported functions and data within the executable code and data sections. Other image files can import a symbol by using an index to this table (an ordinal) or, optionally, by using the public name that corresponds to the ordinal if a public name is defined.
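A worked version of the lookup described above, added here as an example and not code from the thread: it walks the export directory of a constructed, minimal PE32+ image laid out as it sits in memory (RVA equals offset from base, which is how a driver sees ntoskrnl) and adds the RVA to the actual load base, with no default-base subtraction. The image bytes, the second export name, its RVA and the ImageBase value are constructed assumptions; the ZwClose RVA and kernel base are the numbers from the post.

```python
import struct

# Constructed, minimal PE32+ image with one export directory. Only the fields
# the lookup touches are populated; everything else is left zeroed.
def build_sample_image() -> bytes:
    img = bytearray(0x300)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                       # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 1, 0, 0, 0, 240, 0x22)  # IMAGE_FILE_HEADER
    opt = 0x58                                                     # IMAGE_OPTIONAL_HEADER64
    struct.pack_into("<H", img, opt, 0x20B)                        # Magic = PE32+
    struct.pack_into("<Q", img, opt + 24, 0xFFFFF80000000000)      # ImageBase (constructed, never used below)
    struct.pack_into("<II", img, opt + 112, 0x200, 0x80)           # DataDirectory[0] = export directory
    # IMAGE_EXPORT_DIRECTORY at RVA 0x200: Base=1, 2 functions, 2 names, three table RVAs
    struct.pack_into("<IIHHIIIIIII", img, 0x200, 0, 0, 0, 0, 0, 1, 2, 2, 0x240, 0x250, 0x260)
    struct.pack_into("<II", img, 0x240, 0x41000, 0x40D7C)          # AddressOfFunctions: RVAs, not VAs
    struct.pack_into("<II", img, 0x250, 0x270, 0x280)              # AddressOfNames
    struct.pack_into("<HH", img, 0x260, 1, 0)                      # AddressOfNameOrdinals (name i -> function index)
    img[0x270:0x278] = b"ZwClose\0"
    img[0x280:0x28A] = b"ZwOpenKey\0"                              # constructed second export
    return bytes(img)

def find_export_rva(img: bytes, wanted: str) -> int:
    """Return the RVA of a named export by walking the export directory."""
    e_lfanew, = struct.unpack_from("<I", img, 0x3C)
    assert img[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    magic, = struct.unpack_from("<H", img, e_lfanew + 24)
    dir_off = e_lfanew + 24 + (112 if magic == 0x20B else 96)      # DataDirectory[0] offset
    exp_rva, = struct.unpack_from("<I", img, dir_off)
    n_names, funcs, names, ords = struct.unpack_from("<IIII", img, exp_rva + 24)
    for i in range(n_names):
        name_rva, = struct.unpack_from("<I", img, names + 4 * i)
        end = img.index(b"\0", name_rva)
        if img[name_rva:end] == wanted.encode():
            ordinal, = struct.unpack_from("<H", img, ords + 2 * i)  # index into AddressOfFunctions
            rva, = struct.unpack_from("<I", img, funcs + 4 * ordinal)
            return rva
    raise KeyError(wanted)

def export_va(img: bytes, name: str, loaded_base: int) -> int:
    """VA = base the image is really loaded at + RVA from the EAT."""
    return loaded_base + find_export_rva(img, name)

if __name__ == "__main__":
    image = build_sample_image()
    print(hex(export_va(image, "ZwClose", 0x82842000)))            # 0x82882d7c, as in the post
```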
 #8808  by _Lynn
 Wed Sep 28, 2011 2:52 pm
Yeah, I realized I made that mistake at first. I just wrote my own implementation of GetProcAddress for fun, but that still leaves me with the fact that in w7 x64 not all system calls exported in ntdll are exported by ntoskrnl. Some are simply missing, hence the need to locate the SSDT.