
Many functions and structures are not exported by nt, such as the PsGetNextProcess function, KeServiceDescriptorTable and many others.

How can we get virtual addresses of desired functions and/or structures?

There are methods which use pattern matching to find specific functions and/or structures referenced inside those functions, but this way of finding them is unreliable: any change from MS to the compiled code can break the pattern matching.

What about using the Debug Help Library (DbgHelp) from Microsoft? We can access the symbolic debugging information of an image, such as %systemroot%\system32\ntoskrnl.exe, extract the RVA of the desired function/structure and add it to the load address of nt.

I’m using EnumDeviceDrivers from Psapi to get the address of ntoskrnl.exe, and SymFromName to get the symbolic information of a function/structure.

I’m assuming that the target system does not contain any debugging-related executables, such as symchk.exe, SymSrv.dll, etc.

To get the .pdb file, which contains the debugging information for ntoskrnl.exe, we need to download it manually using symchk.exe:

We can find symchk.exe under C:\Program Files (x86)\Windows Kits\10\Debuggers\x64 on Windows 10. symchk.exe uses SymbolCheck.dll, SymSrv.dll and DbgHelp.dll.

It’s a good idea to embed all necessary files into the main executable and extract them at run-time. We need the following additional executables: DbgHelp.dll, SymbolCheck.dll, symchk.exe and SymSrv.dll.

Example source code:
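The original listing is not present in this copy of the post. The following is an added example, not the author's code: it finds the nt base with EnumDeviceDrivers, loads the on-disk ntoskrnl.exe and its PDB through DbgHelp, looks the name up with SymFromName and rebases the result. It assumes an elevated process and that symchk.exe has already downloaded the PDB matching the running kernel into a directory (the placeholder C:\symbols) that is passed as the symbol search path.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Kernel VA = base of the running nt image + RVA, where the RVA is the symbol's
   address minus the base DbgHelp loaded the on-disk ntoskrnl.exe at.
   Returns 0 when the symbol lies below its module base (bad lookup). */
uint64_t kernel_va_from_symbol(uint64_t nt_base, uint64_t sym_addr, uint64_t mod_base) {
    if (sym_addr < mod_base) return 0;
    return nt_base + (sym_addr - mod_base);
}

#ifdef _WIN32  /* Psapi/DbgHelp calls below only build on Windows (link psapi.lib, dbghelp.lib) */
#include <windows.h>
#include <psapi.h>
#include <dbghelp.h>

/* Walk the loaded driver list and return the base of ntoskrnl.exe. */
static uint64_t get_nt_base(void) {
    LPVOID drivers[1024]; DWORD needed = 0; char name[MAX_PATH];
    if (!EnumDeviceDrivers(drivers, sizeof(drivers), &needed)) return 0;
    for (DWORD i = 0; i < needed / sizeof(LPVOID) && i < 1024; i++) {
        if (GetDeviceDriverBaseNameA(drivers[i], name, sizeof(name)) &&
            _stricmp(name, "ntoskrnl.exe") == 0)
            return (uint64_t)(ULONG_PTR)drivers[i];
    }
    return 0;
}

/* Resolve an unexported nt symbol: pdb_dir is the directory symchk populated (assumed). */
uint64_t resolve_nt_symbol(const char *pdb_dir, const char *name) {
    char image[MAX_PATH], buf[sizeof(SYMBOL_INFO) + MAX_SYM_NAME];
    SYMBOL_INFO *si = (SYMBOL_INFO *)buf;
    HANDLE h = GetCurrentProcess();
    uint64_t nt_base = get_nt_base(), va = 0;
    if (!nt_base) return 0;
    ExpandEnvironmentStringsA("%SystemRoot%\\System32\\ntoskrnl.exe", image, MAX_PATH);
    SymSetOptions(SYMOPT_UNDNAME | SYMOPT_DEFERRED_LOADS);
    if (!SymInitialize(h, pdb_dir, FALSE)) return 0;   /* pdb_dir acts as the symbol search path */
    if (SymLoadModuleEx(h, NULL, image, NULL, 0, 0, NULL, 0)) {
        memset(si, 0, sizeof(SYMBOL_INFO));
        si->SizeOfStruct = sizeof(SYMBOL_INFO);
        si->MaxNameLen = MAX_SYM_NAME;
        if (SymFromName(h, name, si))                  /* si->Address is relative to si->ModBase */
            va = kernel_va_from_symbol(nt_base, si->Address, si->ModBase);
    }
    SymCleanup(h);
    return va;
}

int main(void) {
    uint64_t va = resolve_nt_symbol("C:\\symbols", "PsGetNextProcess");  /* placeholder path */
    printf("nt!PsGetNextProcess = 0x%llx\n", (unsigned long long)va);
    return va ? 0 : 1;
}
#endif
```

If the PDB in the search path does not match the running kernel's build, SymFromName still succeeds against the on-disk image but the rebased address is meaningless, so compare the image on disk with the loaded module before trusting the result.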

Advantages of this method:

Under the right circumstances, we get accurate information.

Cross-platform?

Disadvantages of this method:

We need a user-mode process.

We need an Internet connection.

The user-mode application is quite large because it embeds several executables.

Thank you for your time…

Twitter: @_qaz_qaz