How to locate the address of a function using the base address of the executable?

OK so I have the base address of ntoskrnl.exe and want to locate the address of an internal function that is neither exported nor imported. How can this be done in kernel mode?



Solution 1:[1]

You can pattern scan for the function, or it has a static RVA. There are many ways, but the easiest is by creating a signature (for example with SigMaker in IDA Pro) and scanning for it inside your module.

For exported routines this is much easier:

https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-mmgetsystemroutineaddress

Within a specific module, you can manually walk the EAT (Export Address Table).
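The two approaches in the answer above, the signature scan for a non-exported routine and the manual EAT walk for an exported one, as an added example that is not part of the original answer. It works on a raw byte image as a loaded module appears in memory (RVA == offset from base, which is what you have once you know the ntoskrnl base). The image it scans is a constructed, minimal PE32+ buffer built inline; the export names (ExAlphaExport, ExBetaExport), the code bytes and the signature string are assumptions for demonstration, not real ntoskrnl data.

```c
/* Added example: EAT lookup + wildcard signature scan over a mapped PE32+ image.
 * Everything below runs in user mode on a constructed buffer; in a driver the
 * same logic runs against (base, size) of the module you already located. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Walk the Export Address Table of a mapped PE32+ image. Returns the export's
 * RVA, or 0 if the name is absent, the image is malformed, or it is a forwarder. */
uint32_t eat_lookup(const uint8_t *base, size_t size, const char *name)
{
    if (size < 0x40 || rd16(base) != 0x5A4D) return 0;                        /* "MZ" */
    uint32_t nt = rd32(base + 0x3C);                                          /* e_lfanew */
    if ((uint64_t)nt + 24 + 120 > size || rd32(base + nt) != 0x4550) return 0; /* "PE\0\0" */
    const uint8_t *opt = base + nt + 24;                                      /* optional header */
    if (rd16(opt) != 0x20B) return 0;                                         /* PE32+ only */
    uint32_t exp_rva = rd32(opt + 112), exp_size = rd32(opt + 116);           /* DataDirectory[0] */
    if (exp_rva == 0 || (uint64_t)exp_rva + 40 > size) return 0;
    const uint8_t *exp = base + exp_rva;
    uint32_t nfuncs = rd32(exp + 20), nnames = rd32(exp + 24);
    uint32_t funcs = rd32(exp + 28), names = rd32(exp + 32), ords = rd32(exp + 36);
    if ((uint64_t)funcs + 4ull * nfuncs > size || (uint64_t)names + 4ull * nnames > size ||
        (uint64_t)ords + 2ull * nnames > size) return 0;
    for (uint32_t i = 0; i < nnames; i++) {
        uint32_t name_rva = rd32(base + names + 4 * i);
        if (name_rva >= size || strncmp((const char *)base + name_rva, name, size - name_rva) != 0)
            continue;
        uint16_t ord = rd16(base + ords + 2 * i);          /* index into AddressOfFunctions */
        if (ord >= nfuncs) return 0;
        uint32_t rva = rd32(base + funcs + 4 * ord);
        /* An RVA inside the export directory is a forwarder string, not code. */
        return (rva >= exp_rva && rva < exp_rva + exp_size) ? 0 : rva;
    }
    return 0;
}

/* Parse an IDA/SigMaker-style signature ("48 8B 05 ? ? ? ? 48 85 C0", "??" also
 * accepted) into bytes + mask. Returns the pattern length, or -1 on bad input. */
int sig_parse(const char *sig, uint8_t *bytes, uint8_t *mask, int max)
{
    int n = 0;
    for (const char *p = sig; *p; n++) {
        while (*p == ' ') p++;
        if (!*p) break;
        if (n == max) return -1;
        if (*p == '?') { bytes[n] = 0; mask[n] = 0; while (*p == '?') p++; }
        else if (isxdigit((unsigned char)p[0]) && isxdigit((unsigned char)p[1])) {
            char hex[3] = { p[0], p[1], 0 };
            bytes[n] = (uint8_t)strtoul(hex, NULL, 16); mask[n] = 1; p += 2;
        } else return -1;
    }
    return n;
}

/* Offset of the first match of sig in [start, start+len) at or after 'from', or -1. */
long sig_find(const uint8_t *start, size_t len, const char *sig, size_t from)
{
    uint8_t bytes[64], mask[64];
    int n = sig_parse(sig, bytes, mask, 64);
    if (n <= 0 || (size_t)n > len) return -1;
    for (size_t i = from; i + n <= len; i++) {
        int j = 0;
        while (j < n && (!mask[j] || start[i + j] == bytes[j])) j++;
        if (j == n) return (long)i;
    }
    return -1;
}

/* A usable signature matches exactly once in the module; count so callers can check. */
int sig_count(const uint8_t *start, size_t len, const char *sig)
{
    int c = 0;
    for (long o = sig_find(start, len, sig, 0); o >= 0; o = sig_find(start, len, sig, (size_t)o + 1)) c++;
    return c;
}

#define IMG_SIZE 0x400
/* Constructed minimal PE32+ image: two exports (hypothetical names) and one
 * non-exported "internal" routine at 0x340 that only a signature scan can find. */
const uint8_t *demo_image(void)
{
    static uint8_t img[IMG_SIZE];
    memset(img, 0, IMG_SIZE);
    memset(img + 0x300, 0xCC, 0x100);                           /* int3 padding in the code area */
    img[0] = 'M'; img[1] = 'Z'; wr32(img + 0x3C, 0x80);          /* e_lfanew */
    img[0x80] = 'P'; img[0x81] = 'E';                            /* NT signature */
    img[0x98] = 0x0B; img[0x99] = 0x02;                          /* OptionalHeader.Magic = PE32+ */
    wr32(img + 0x98 + 112, 0x200); wr32(img + 0x98 + 116, 0x80); /* export dir RVA / size */
    wr32(img + 0x214, 2); wr32(img + 0x218, 2);                  /* NumberOfFunctions / NumberOfNames */
    wr32(img + 0x21C, 0x240); wr32(img + 0x220, 0x250); wr32(img + 0x224, 0x258);
    wr32(img + 0x240, 0x300); wr32(img + 0x244, 0x320);          /* AddressOfFunctions */
    wr32(img + 0x250, 0x260); wr32(img + 0x254, 0x270);          /* AddressOfNames */
    img[0x258] = 1; img[0x25A] = 0;                              /* NameOrdinals: name0->func1, name1->func0 */
    strcpy((char *)img + 0x260, "ExAlphaExport");                /* assumed names */
    strcpy((char *)img + 0x270, "ExBetaExport");
    static const uint8_t beta[] = { 0x48,0x8B,0x05,0x10,0,0,0, 0x48,0x85,0xC0, 0xC3 };
    static const uint8_t alpha[] = { 0x48,0x83,0xEC,0x28, 0xE8,0,0,0,0, 0x48,0x83,0xC4,0x28, 0xC3 };
    static const uint8_t internal[] = { 0x40,0x53,0x48,0x83,0xEC,0x20, 0x48,0x8B,0xD9,
        0xE8,0x12,0x34,0x56,0x78, 0x48,0x8B,0xCB, 0x48,0x83,0xC4,0x20, 0x5B,0xC3 };
    memcpy(img + 0x300, beta, sizeof beta);
    memcpy(img + 0x320, alpha, sizeof alpha);
    memcpy(img + 0x340, internal, sizeof internal);
    return img;
}

int main(void)
{
    const uint8_t *img = demo_image();
    const char *sig = "40 53 48 83 EC 20 48 8B D9 E8 ? ? ? ? 48 8B CB";   /* assumed signature */
    printf("ExAlphaExport RVA: 0x%x\n", eat_lookup(img, IMG_SIZE, "ExAlphaExport"));
    printf("internal routine: offset 0x%lx, matches=%d\n",
           sig_find(img, IMG_SIZE, sig, 0), sig_count(img, IMG_SIZE, sig));
    printf("too-short '48 8B' matches %d times, so it is unusable\n", sig_count(img, IMG_SIZE, "48 8B"));
    return 0;
}
```

The address you want is `base + offset` (or `base + rva` for the EAT case). In a real driver, limit the scan to the module's code section(s) taken from the section headers rather than the whole image, and do not touch pages that may not be resident; also reject a signature that matches more than once, and expect to rebuild signatures when the kernel build changes, since non-exported routines move between updates.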

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Lucas Breeden