A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #23130  by fsdhook
 Tue Jun 17, 2014 8:35 am
I have a strange problem.
I want to walk IAT of NTOSKRNL.EXE in kernel-mode.
I get the base address of NTOSKRNL.EXE correctly.
But pImportTable is not a valid address, why?
Code:
#include <ntddk.h>
#include <ntimage.h>

VOID NativeGetImportFunctionAddress(SIZE_T uModBase, CHAR *cSearchFnName)
{
	IMAGE_DOS_HEADER *doshdr;
	IMAGE_NT_HEADERS *nthdr;        /* ntimage.h selects IMAGE_NT_HEADERS64 or 32 for the build target */
	IMAGE_DATA_DIRECTORY *impdir;
	PIMAGE_IMPORT_DESCRIPTOR pImportTable;
	PIMAGE_THUNK_DATA pThunk = NULL;

	UNREFERENCED_PARAMETER(cSearchFnName);
	//
	doshdr = (IMAGE_DOS_HEADER *)uModBase;
	if (NULL == doshdr || doshdr->e_magic != IMAGE_DOS_SIGNATURE)
	{
		goto __exit;
	}
	/* The optional header follows the 4-byte signature and the 20-byte file header,
	   which is the +24 the hand-computed version used; let the struct do the arithmetic. */
	nthdr = (IMAGE_NT_HEADERS *)(uModBase + doshdr->e_lfanew);
	if (nthdr->Signature != IMAGE_NT_SIGNATURE)
	{
		goto __exit;
	}
	impdir = &nthdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
	if (0 == impdir->VirtualAddress || 0 == impdir->Size)
	{
		goto __exit;               /* image has no import directory */
	}
	pImportTable = (IMAGE_IMPORT_DESCRIPTOR *)(uModBase + impdir->VirtualAddress);
	DbgPrint("pImportTable=%p\n", pImportTable); //This address is not valid.
	/* The RVA comes from a good header, but the pages it addresses need not be mapped any
	   more (the db dump later in this thread shows ?? there); probe before touching them. */
	if (!MmIsAddressValid(pImportTable))
	{
		DbgPrint("import directory at %p is not resident\n", pImportTable);
		goto __exit;
	}
	while (pImportTable->Characteristics != 0)
	{
		pThunk = (IMAGE_THUNK_DATA *)(uModBase + pImportTable->FirstThunk);   /* this module's IAT slice */
		DbgPrint("[%s] IAT at %p\n", (CHAR *)(uModBase + pImportTable->Name), pThunk);
		pImportTable++;
	}
__exit:
	return;
}
 #23141  by fsdhook
 Wed Jun 18, 2014 12:11 am
EP_X0FF wrote:Even if you just put "getprocaddress" into Google you will find a number of ready-to-copy-paste solutions, e.g. http://alter.org.ua/docs/nt_kernel/procaddr/
Not to mention MmGetSystemRoutineAddress, which you are trying to reinvent.
Hey, don't be angry, man.
I want to walk the IAT (not the EAT) of NTOSKRNL.EXE in kernel mode.
And print the IAT information like LordPE does.
 #23142  by EP_X0FF
 Wed Jun 18, 2014 3:06 am
And? Is there an astronomical difference?
Code:
lkd> !dh nt -f

File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
    8664 machine (X64)
      18 number of sections
531590FB time date stamp Tue Mar 04 16:38:19 2014

       0 file pointer to symbol table
       0 number of symbols
      F0 size of optional header
      22 characteristics
            Executable
            App can handle >2gb addresses

OPTIONAL HEADER VALUES
     20B magic #
    9.00 linker version
  47A400 size of code
   CFA00 size of initialized data
    3400 size of uninitialized data
  2B36F0 address of entry point
    1000 base of code
         ----- new -----
0000000140000000 image base
    1000 section alignment
     200 file alignment
       1 subsystem (Native)
    6.01 operating system version
    6.01 image version
    6.01 subsystem version
  5E5000 size of image
     600 size of headers
  554C03 checksum
0000000000080000 size of stack reserve
0000000000002000 size of stack commit
0000000000100000 size of heap reserve
0000000000001000 size of heap commit
       0  DLL characteristics
  530000 [   109BC] address [size] of Export Directory
  5AA7DC [      78] address [size] of Import Directory
  5AC000 [   35F3C] address [size] of Resource Directory
  27D000 [   2FD48] address [size] of Exception Directory
  549400 [    1BC0] address [size] of Security Directory
  5E2000 [    2078] address [size] of Base Relocation Directory
  1A1F20 [      38] address [size] of Debug Directory
       0 [       0] address [size] of Description Directory
       0 [       0] address [size] of Special Directory
       0 [       0] address [size] of Thread Storage Directory
       0 [       0] address [size] of Load Configuration Directory
       0 [       0] address [size] of Bound Import Directory
  1AC000 [     380] address [size] of Import Address Table Directory
       0 [       0] address [size] of Delay Import Directory
       0 [       0] address [size] of COR20 Header Directory
       0 [       0] address [size] of Reserved Directory

lkd> dps nt+1AC000  nt+1AC000+380
fffff800`03203000  fffff880`00c92428 PSHED!PshedEnableErrorSource
fffff800`03203008  fffff880`00c923d8 PSHED!PshedSetErrorSourceInfo
fffff800`03203010  fffff880`00c92464 PSHED!PshedDisableErrorSource
fffff800`03203018  fffff880`00c924b4 PSHED!PshedGetInjectionCapabilities
fffff800`03203020  fffff880`00c924f0 PSHED!PshedInjectError
fffff800`03203028  fffff880`00c92358 PSHED!PshedFinalizeErrorRecord
fffff800`03203030  fffff880`00c923c8 PSHED!PshedBugCheckSystem
fffff800`03203038  fffff880`00c92390 PSHED!PshedAttemptErrorRecovery
fffff800`03203040  fffff880`00c92a64 PSHED!PshedWriteErrorRecord
fffff800`03203048  fffff880`00c9c020 PSHED!PshedFreeMemory
fffff800`03203050  fffff880`00c92320 PSHED!PshedClearErrorRecord
fffff800`03203058  fffff880`00c928d8 PSHED!PshedIsSystemWheaEnabled
fffff800`03203060  fffff880`00c9e244 PSHED!PshedInitialize
fffff800`03203068  fffff880`00c92214 PSHED!PshedReadErrorRecord
fffff800`03203070  fffff880`00c9c008 PSHED!PshedAllocateMemory
fffff800`03203078  fffff880`00c926ec PSHED!PshedGetBootErrorPacket
fffff800`03203080  fffff880`00c92118 PSHED!PshedGetAllErrorSources
fffff800`03203088  00000000`00000000
fffff800`03203090  fffff800`03020ad0 hal!HalIsHyperThreadingEnabled
fffff800`03203098  fffff800`03020a44 hal!HalEnumerateProcessors
fffff800`032030a0  fffff800`03020ae0 hal!HalQueryMaximumProcessorCount
fffff800`032030a8  fffff800`030226f8 hal!HalStartNextProcessor
fffff800`032030b0  fffff800`03023b1c hal!HalRegisterDynamicProcessor
fffff800`032030b8  fffff800`03022588 hal!HalStartDynamicProcessor
fffff800`032030c0  fffff800`03014fa0 hal!HalInitializeProcessor
fffff800`032030c8  fffff800`03015b38 hal!HalSendSoftwareInterrupt
fffff800`032030d0  fffff800`0301d528 hal!HalCalibratePerformanceCounter
fffff800`032030d8  fffff800`0301d8f8 hal!KeStallExecutionProcessor
fffff800`032030e0  fffff800`030190dc hal!HalEnableInterrupt
fffff800`032030e8  fffff800`030215d0 hal!HalRequestClockInterrupt
fffff800`032030f0  fffff800`0301dbe4 hal!HalSetProfileInterval
fffff800`032030f8  fffff800`0301dabc hal!HalStartProfileInterrupt
fffff800`03203100  fffff800`0301db38 hal!HalStopProfileInterrupt
fffff800`03203108  fffff800`0301a658 hal!HalHandleNMI
fffff800`03203110  fffff800`03033b50 hal!HalPerformEndOfInterrupt
fffff800`03203118  fffff800`03015a90 hal!HalRequestSoftwareInterrupt
fffff800`03203120  fffff800`03013e48 hal!HalHandleMcheck
fffff800`03203128  fffff800`030215b0 hal!HalRequestIpi
fffff800`03203130  fffff800`0301916c hal!HalDisableInterrupt
fffff800`03203138  fffff800`0301700c hal!HalAcquireDisplayOwnership
fffff800`03203140  fffff800`03023440 hal!HalGetInterruptTargetInformation
fffff800`03203148  fffff800`030211cc hal!HalInitializeOnResume
fffff800`03203150  fffff800`0302b7d0 hal!HalProcessorIdle
fffff800`03203158  fffff800`0301324c hal!HalAllocateCrashDumpRegisters
fffff800`03203160  fffff800`0301d3ac hal!HalSetTimeIncrement
fffff800`03203168  fffff800`030177e8 hal!HalGetEnvironmentVariable
fffff800`03203170  fffff800`03017880 hal!HalSetEnvironmentVariable
fffff800`03203178  fffff800`0301794c hal!HalGetEnvironmentVariableEx
fffff800`03203180  fffff800`03017a58 hal!HalSetEnvironmentVariableEx
fffff800`03203188  fffff800`03017aec hal!HalEnumerateEnvironmentVariablesEx
fffff800`03203190  fffff800`030179e4 hal!HalQueryEnvironmentVariableInfoEx
fffff800`03203198  fffff800`0301daa4 hal!HalSetRealTimeClock
fffff800`032031a0  fffff800`0301bc6c hal!HalSetBusDataByOffset
fffff800`032031a8  fffff800`0301bb8c hal!HalGetBusDataByOffset
fffff800`032031b0  fffff800`03017d68 hal!HalReturnToFirmware
fffff800`032031b8  fffff800`0302274c hal!HalGetProcessorIdByNtNumber
fffff800`032031c0  fffff800`0301bd18 hal!HalTranslateBusAddress
fffff800`032031c8  fffff800`03023650 hal!HalGetMessageRoutingInfo
fffff800`032031d0  fffff800`03023900 hal!HalGetVectorInput
fffff800`032031d8  fffff800`0304e91c hal!HalRegisterErrataCallbacks
fffff800`032031e0  fffff800`0301d6f4 hal!KeQueryPerformanceCounter
fffff800`032031e8  fffff800`030147a8 hal!HalRequestDeferredRecoveryServiceInterrupt
fffff800`032031f0  fffff800`03044378 hal!HalAllProcessorsStarted
fffff800`032031f8  fffff800`03042fd8 hal!HalInitSystem
fffff800`03203200  fffff800`0301da8c hal!HalQueryRealTimeClock
fffff800`03203208  fffff800`0301f318 hal!HalInitializeBios
fffff800`03203210  fffff800`030525d8 hal!HalReportResourceUsage
fffff800`03203218  fffff800`030215f0 hal!HalSendNMI
fffff800`03203220  00000000`00000000
fffff800`03203228  fffff800`00bbe014 kdcom!KdD3Transition
fffff800`03203230  fffff800`00bbe014 kdcom!KdD3Transition
fffff800`03203238  fffff800`00bbe228 kdcom!KdReceivePacket
fffff800`03203240  fffff800`00bbe608 kdcom!KdSendPacket
fffff800`03203248  fffff800`00bbe158 kdcom!KdRestore
fffff800`03203250  fffff800`00bbe144 kdcom!KdSave
fffff800`03203258  fffff800`00bbe020 kdcom!KdDebuggerInitialize0
fffff800`03203260  fffff800`00bbe104 kdcom!KdDebuggerInitialize1
fffff800`03203268  00000000`00000000
fffff800`03203270  fffff880`00cf00d4 CLFS!ClfsAdvanceLogBase
fffff800`03203278  fffff880`00cf2880 CLFS!ClfsMgmtTailAdvanceFailure
fffff800`03203280  fffff880`00cb5c04 CLFS!ClfsPrivGetBaseLogFileFromFileObjectPointer
fffff800`03203288  fffff880`00cf27fc CLFS!ClfsMgmtHandleLogFileFull
fffff800`03203290  fffff880`00cb388c CLFS!ClfsLsnGreater
fffff800`03203298  fffff880`00cf05e4 CLFS!ClfsReserveAndAppendLogAligned
fffff800`032032a0  fffff880`00cf2990 CLFS!ClfsMgmtSetLogFileSize
fffff800`032032a8  fffff880`00cb3c80 CLFS!ClfsLsnDifference
fffff800`032032b0  fffff880`00cecb90 CLFS!ClfsAddLogContainer
fffff800`032032b8  fffff880`00ceed30 CLFS!ClfsCreateMarshallingArea
fffff800`032032c0  fffff880`00cb37f8 CLFS!ClfsLsnLess
fffff800`032032c8  fffff880`00ca6fe4 CLFS!ClfsLsnContainer
fffff800`032032d0  fffff880`00cf1a8c CLFS!ClfsFlushToLsn
fffff800`032032d8  fffff880`00cb1660 CLFS!ClfsLsnInvalid
fffff800`032032e0  fffff880`00cee89c CLFS!ClfsGetLogFileInformation
fffff800`032032e8  fffff880`00cf25c0 CLFS!ClfsMgmtDeregisterManagedClient
fffff800`032032f0  fffff880`00cf23fc CLFS!ClfsCloseLogFileObject
fffff800`032032f8  fffff880`00cf2610 CLFS!ClfsMgmtInstallPolicy
fffff800`03203300  fffff880`00cf25b0 CLFS!ClfsMgmtRegisterManagedClient
fffff800`03203308  fffff880`00ceb6cc CLFS!ClfsCreateLogFile
fffff800`03203310  fffff880`00cb85e0 CLFS!CLFS_LSN_INVALID
fffff800`03203318  fffff880`00ca6fc8 CLFS!ClfsLsnEqual
fffff800`03203320  fffff880`00cf0e4c CLFS!ClfsReadLogRecord
fffff800`03203328  fffff880`00cf10e0 CLFS!ClfsReadNextLogRecord
fffff800`03203330  fffff880`00cf20e4 CLFS!ClfsTerminateReadLog
fffff800`03203338  fffff880`00cef944 CLFS!ClfsWriteRestartArea
fffff800`03203340  fffff880`00cec960 CLFS!ClfsDeleteLogByPointer
fffff800`03203348  fffff880`00cef17c CLFS!ClfsDeleteMarshallingArea
fffff800`03203350  fffff880`00cb85e8 CLFS!CLFS_LSN_NULL
fffff800`03203358  fffff880`00cf0588 CLFS!ClfsReserveAndAppendLog
fffff800`03203360  fffff880`00cef2c8 CLFS!ClfsReadRestartArea
fffff800`03203368  00000000`00000000
fffff800`03203370  fffff880`00d0d008 CI!CiInitialize
fffff800`03203378  00000000`00000000
fffff800`03203380  0000296c`6c756e28
 #23143  by fsdhook
 Wed Jun 18, 2014 3:21 am
EP_X0FF wrote:And? Is there an astronomical difference?
I am sorry, man.
I really don't know how to print the IAT information (module, function, address, etc.) of the NTOSKRNL module from a driver. :(
Can you give me more tips?
 #23152  by Vrtule
 Wed Jun 18, 2014 6:44 pm
Did you try your code on some user-mode DLLs/EXEs? You can also add a debug print after every line of your code so you will see when something goes wrong (and how).
 #23156  by EP_X0FF
 Thu Jun 19, 2014 8:18 am
Do as Vrtule posted and check structure alignment and variable sizes.
 #23158  by Vrtule
 Thu Jun 19, 2014 10:03 pm
You can also look at how others work with the IAT (as EP suggested). For example, you can view the code of the SSTS64 project hosted at matousec.com. The codebase is quite large and includes routines working with PE files (fixing the import table, a variant of GetProcessAddress, removing inline hooks from exported symbols, processing relocations...). I have ported several of them to kernel mode with no problems.
 #23163  by fsdhook
 Fri Jun 20, 2014 9:57 am
EP_X0FF wrote:Do as Vrtule posted and check structure alignment and variable sizes.
Thank you, man.
I can get the IAT function addresses programmatically.
But I cannot get the IAT function names. How can I do it with WinDbg or programmatically?
Actually, WinDbg shows that the ImportTable (NtHeader->OptionalHeader.DataDirectory[1].VirtualAddress) is not a valid address:
Code:
lkd>  !dh nt -f

File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
    8664 machine (X64)
      18 number of sections
4CE7951A time date stamp Sat Nov 20 17:30:02 2010

       0 file pointer to symbol table
       0 number of symbols
      F0 size of optional header
      22 characteristics
            Executable
            App can handle >2gb addresses

OPTIONAL HEADER VALUES
     20B magic #
    9.00 linker version
  47D200 size of code
   D0200 size of initialized data
    3400 size of uninitialized data
  2B66F0 address of entry point
    1000 base of code
         ----- new -----
0000000140000000 image base
    1000 section alignment
     200 file alignment
       1 subsystem (Native)
    6.01 operating system version
    6.01 image version
    6.01 subsystem version
  5EA000 size of image
     600 size of headers
  55BBAA checksum
0000000000080000 size of stack reserve
0000000000002000 size of stack commit
0000000000100000 size of heap reserve
0000000000001000 size of heap commit
       0  DLL characteristics
  535000 [   10978] address [size] of Export Directory
  5AF718 [      78] address [size] of Import Directory
  5B1000 [   35F60] address [size] of Resource Directory
  280000 [   300D8] address [size] of Exception Directory
  54CA00 [    1B80] address [size] of Security Directory
  5E7000 [    2070] address [size] of Base Relocation Directory
  1A3290 [      38] address [size] of Debug Directory
       0 [       0] address [size] of Description Directory
       0 [       0] address [size] of Special Directory
       0 [       0] address [size] of Thread Storage Directory
       0 [       0] address [size] of Load Configuration Directory
       0 [       0] address [size] of Bound Import Directory
  1AE000 [     380] address [size] of Import Address Table Directory
       0 [       0] address [size] of Delay Import Directory
       0 [       0] address [size] of COR20 Header Directory
       0 [       0] address [size] of Reserved Directory

lkd> db nt+5AF718 nt+5AF718+78
fffff800`01dc0718  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
fffff800`01dc0728  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
fffff800`01dc0738  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
fffff800`01dc0748  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
fffff800`01dc0758  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
fffff800`01dc0768  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
fffff800`01dc0778  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
fffff800`01dc0788  ?? ?? ?? ?? ?? ?? ?? ??-??                       ?????????
 #23165  by Vrtule
 Fri Jun 20, 2014 11:21 am
Well, if I read the IAT address correctly as 0x1AE000, it looks like an offset rather than an address (maybe WinDbg reads the information from the file, not from memory... I am not sure since I have never used this command). So, you can try to add this value to the base address of ntoskrnl.exe in memory.
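As an added example (not code from this thread), the walk the posts above are circling, done in user mode over a constructed in-memory PE64 image: it finds the data directory with the same +24 offset, pairs every IAT slot with its name from the INT (IMAGE_IMPORT_BY_NAME: hint, then name), and refuses to dereference any RVA whose pages are not mapped, which is what the `??` in the `db` dump of the import directory means. MappedImage with its discard range, the at/RD/cstr helpers, build_sample and the sample image are assumptions standing in for a driver's view of ntoskrnl; the two IAT slot values are copied from the hal entries in the `dps` output above, and ordinal imports are reported as `#n`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PE64 offsets as in winnt.h, so the walk can be followed without Windows headers. */
#define OPT_HDR_OFFSET 24    /* sizeof(Signature) + sizeof(IMAGE_FILE_HEADER): the +24 in the post */
#define OPT_DATADIR    112   /* DataDirectory[] inside IMAGE_OPTIONAL_HEADER64 (magic 0x20B) */
#define DIR_IMPORT     1     /* IMAGE_DIRECTORY_ENTRY_IMPORT: descriptors, INT and names */
typedef struct { char module[32], func[32]; uint16_t hint; uint32_t slot_rva; uint64_t target; } ImportEntry;
typedef struct { const uint8_t *base; uint32_t size, discard_lo, discard_hi; } MappedImage; /* [lo,hi) unmapped */

static const uint8_t *at(const MappedImage *m, uint32_t off, uint32_t len) {   /* NULL unless fully readable */
    int ok = off <= m->size && len <= m->size - off && !(off < m->discard_hi && off + len > m->discard_lo);
    return ok ? m->base + off : NULL;
}
/* Copies sizeof(var) bytes at RVA off into var; evaluates to 0 when that range is not readable. */
#define RD(m, off, var) (at((m), (off), sizeof (var)) && (memcpy(&(var), (m)->base + (off), sizeof (var)), 1))
static const char *cstr(const MappedImage *m, uint32_t off) {   /* string whose terminator is readable */
    for (uint32_t i = 0; at(m, off + i, 1); i++) if (m->base[off + i] == 0) return (const char *)m->base + off;
    return NULL;
}

/* Walks the IMAGE_IMPORT_DESCRIPTOR array, pairing each IAT slot with its INT name.
 * Returns entries written, -1 for a malformed header, -2 when a needed page is not resident. */
int walk_imports(const MappedImage *m, ImportEntry *out, int max) {
    uint32_t nt, imp, d[5]; uint16_t magic; int n = 0;   /* d: OFT, TimeDateStamp, ForwarderChain, Name, FirstThunk */
    if (!at(m, 0, 2) || memcmp(m->base, "MZ", 2) || !RD(m, 0x3C, nt)) return -1;        /* 0x3C = e_lfanew */
    if (!at(m, nt, 4) || memcmp(m->base + nt, "PE\0\0", 4)) return -1;
    if (!RD(m, nt + OPT_HDR_OFFSET, magic) || magic != 0x20B) return -1;                /* PE32+ only */
    if (!RD(m, nt + OPT_HDR_OFFSET + OPT_DATADIR + 8 * DIR_IMPORT, imp)) return -1;
    if (imp == 0) return 0;                                  /* no import directory */
    for (;; imp += 20) {
        if (!RD(m, imp, d)) return -2;                      /* descriptor page gone: the post's symptom */
        if (d[3] == 0 && d[4] == 0) break;                   /* all-zero terminating descriptor */
        const char *mod = cstr(m, d[3]);
        if (!mod) return -2;
        for (uint32_t i = 0; n < max; i++) {
            uint64_t ref, target;                            /* INT entry and the matching IAT slot */
            if (!RD(m, d[0] + 8 * i, ref) || !RD(m, d[4] + 8 * i, target)) return -2;
            if (ref == 0) break;
            ImportEntry *e = &out[n++]; e->hint = 0; e->slot_rva = d[4] + 8 * i; e->target = target;
            snprintf(e->module, sizeof e->module, "%s", mod);
            if (ref >> 63) { snprintf(e->func, sizeof e->func, "#%u", (unsigned)(ref & 0xFFFF)); continue; }
            const char *nm = cstr(m, (uint32_t)ref + 2);     /* IMAGE_IMPORT_BY_NAME: uint16 Hint, then name */
            if (!nm || !RD(m, (uint32_t)ref, e->hint)) return -2;
            snprintf(e->func, sizeof e->func, "%s", nm);
        }
    }
    return n;
}

/* Constructed sample: IAT at 0x200, import directory (descriptor, INT, names) at 0x300-0x6ff. */
static uint8_t g_img[0x800];
static void put32(uint32_t off, uint32_t v) { memcpy(g_img + off, &v, 4); }
static void put64(uint32_t off, uint64_t v) { memcpy(g_img + off, &v, 8); }
MappedImage build_sample(void) {
    MappedImage m = { g_img, sizeof g_img, 0, 0 }; uint16_t magic = 0x20B;
    uint32_t nt = 0x80, dd = nt + OPT_HDR_OFFSET + OPT_DATADIR;
    memset(g_img, 0, sizeof g_img); memcpy(g_img, "MZ", 2); put32(0x3C, nt);
    memcpy(g_img + nt, "PE\0\0", 4); memcpy(g_img + nt + OPT_HDR_OFFSET, &magic, 2);
    put32(dd + 8 * DIR_IMPORT, 0x300); put32(dd + 8 * DIR_IMPORT + 4, 40);
    put32(0x300, 0x400); put32(0x30C, 0x500); put32(0x310, 0x200);  /* OriginalFirstThunk, Name, FirstThunk */
    put64(0x200, 0xfffff800030215f0ULL); put64(0x208, 0xfffff8000301d8f8ULL); /* hal slot values from dps above */
    put64(0x400, 0x600); put64(0x408, 0x620); memcpy(g_img + 0x500, "hal.dll", 8);
    g_img[0x600] = 0x12; memcpy(g_img + 0x602, "HalSendNMI", 11);
    g_img[0x620] = 0x34; memcpy(g_img + 0x622, "KeStallExecutionProcessor", 26);
    return m;
}

int main(void) {                                  /* lists both imports, then -2 once the import directory is gone */
    ImportEntry e[8]; MappedImage m = build_sample(); int n = walk_imports(&m, e, 8);
    for (int i = 0; i < n; i++) printf("%s!%s hint=%u slot=%#x\n", e[i].module, e[i].func, e[i].hint, e[i].slot_rva);
    m.discard_lo = 0x300; m.discard_hi = 0x800; printf("after discard: %d\n", walk_imports(&m, e, 8));
    return 0;
}
```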