2025-03-01 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/03 Report
This article introduces the knowledge needed to obtain the ntoskrnl.exe base address, starting from the driver object that every kernel driver receives in DriverEntry. Many people run into difficulties with this in practice, so the editor walks through the driver object step by step below. I hope you read carefully and learn something from it!
Contents
1. Driver object
1.1 Structure
1.2 Output code: print the basic driver object information
1.3 Results

1. Driver object
1.1 Structure
In the kernel, each loaded driver module is represented by a driver object, a DRIVER_OBJECT structure. Think of the driver object as a container, much like a process is for user-mode code: it holds everything that belongs to the driver, including its load address and size, its dispatch (callback) routines and its unload routine.
To get familiar with the driver object, we start by printing its main members.
The driver object structure is declared as follows (from the WDK header wdm.h, with the original comments kept):
typedef struct _DRIVER_OBJECT {
    CSHORT Type;
    CSHORT Size;

    //
    // The following links all of the devices created by a single driver
    // together on a list, and the Flags word provides an extensible flag
    // location for driver objects.
    //
    PDEVICE_OBJECT DeviceObject;
    ULONG Flags;

    //
    // The following section describes where the driver is loaded. The count
    // field is used to count the number of times the driver has had its
    // registered reinitialization routine invoked.
    //
    PVOID DriverStart;                  // load (start) address of the driver image
    ULONG DriverSize;                   // size of the driver image
    PVOID DriverSection;                // loader entry of this driver; it can be treated as a
                                        // _LDR_DATA_TABLE_ENTRY, whose links lead to the other
                                        // loaded modules (ntoskrnl.exe among them)
    PDRIVER_EXTENSION DriverExtension;  // driver extension; we can hang our own data off it

    //
    // The driver name field is used by the error log thread
    // determine the name of the driver that an I/O request is/was bound.
    //
    UNICODE_STRING DriverName;

    //
    // The following section is for registry support. This is a pointer
    // to the path to the hardware information in the registry
    //
    PUNICODE_STRING HardwareDatabase;

    //
    // The following section contains the optional pointer to an array of
    // alternate entry points to a driver for "fast I/O" support. Fast I/O
    // is performed by invoking the driver routine directly with separate
    // parameters, rather than using the standard IRP call mechanism. Note
    // that these functions may only be used for synchronous I/O, and when
    // the file is cached.
    //
    PFAST_IO_DISPATCH FastIoDispatch;

    PDRIVER_INITIALIZE DriverInit;
    PDRIVER_STARTIO DriverStartIo;
    PDRIVER_UNLOAD DriverUnload;        // unload routine of the driver
    PDRIVER_DISPATCH MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];
} DRIVER_OBJECT;
typedef struct _DRIVER_OBJECT *PDRIVER_OBJECT;

1.2 Output code: print the basic driver object information

#include <ntddk.h>

VOID MyDriverUnLoad(_In_ struct _DRIVER_OBJECT* DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    DbgPrint("Driver unloaded\r\n");
}

extern "C" NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    ULONG64 uImageEnd = 0;

    DriverObject->DriverUnload = MyDriverUnLoad;
    DbgPrint("Driver loaded, starting output\r\n");

    // %wZ expects a pointer to the UNICODE_STRING, not the structure by value.
    DbgPrint("DriverName = %wZ\r\n", &DriverObject->DriverName);

    // Pointers must be printed with %p; %x would truncate them on x64.
    uImageEnd = (ULONG64)DriverObject->DriverStart + DriverObject->DriverSize;
    DbgPrint("Driver start address %p, size %lx, end address %p\r\n",
             DriverObject->DriverStart, DriverObject->DriverSize, (PVOID)uImageEnd);
    DbgPrint("DriverObject unload address = %p\r\n", DriverObject->DriverUnload);

    // Output the individual dispatch callback addresses of the DriverObject.
    // Before DriverEntry runs, the I/O manager fills every MajorFunction slot
    // with nt!IopInvalidDeviceRequest, so these addresses all lie inside ntoskrnl.exe.
    DbgPrint("IoControl callback address of DriverObject = %p\r\n", DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]);
    DbgPrint("Read callback address of DriverObject = %p\r\n", DriverObject->MajorFunction[IRP_MJ_READ]);
    DbgPrint("Write callback address of DriverObject = %p\r\n", DriverObject->MajorFunction[IRP_MJ_WRITE]);
    DbgPrint("Create callback address of DriverObject = %p\r\n", DriverObject->MajorFunction[IRP_MJ_CREATE]);
    DbgPrint("Close callback address of DriverObject = %p\r\n", DriverObject->MajorFunction[IRP_MJ_CLOSE]);

    DbgPrint("-------Traverse callback output----------\r\n");
    // Walk the whole MajorFunction table by IRP_MJ number. The array has
    // IRP_MJ_MAXIMUM_FUNCTION + 1 entries, so the bound is <=, not <.
    for (int i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) {
        DbgPrint("IRP_MJ call number = %d, callback function address = %p\r\n", i, DriverObject->MajorFunction[i]);
    }
    DbgPrint("Execution of all functions completed\r\n");
    return STATUS_SUCCESS;
}

1.3 Results
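The members printed above show where our own driver lives, but the title's goal is the base of ntoskrnl.exe. The route is the DriverSection member: it points at this driver's loader entry, and that entry's InLoadOrderLinks sit on the circular list of all loaded modules (its head is nt!PsLoadedModuleList), so walking the list and matching BaseDllName against "ntoskrnl.exe" yields the kernel's DllBase. The following is an added example written for this page, not code from the original article: because it cannot be built against the WDK here, it defines stand-ins for LIST_ENTRY, UNICODE_STRING and CONTAINING_RECORD, a hypothetical MODEL_LDR_ENTRY whose field names come from the real (undocumented) KLDR_DATA_TABLE_ENTRY but whose offsets are not the real ones, and a constructed four-entry module list in place of the live kernel list. In a real driver you would cast DriverObject->DriverSection to the entry type whose layout you have checked for the target build with `dt nt!_KLDR_DATA_TABLE_ENTRY` in WinDbg, since the offsets vary between Windows versions.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <ctype.h>

/* Stand-ins for the WDK types the walk needs, so this builds as a plain C
 * program. In a real driver these come from <ntddk.h>. */
typedef unsigned short WCHAR;
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink; struct _LIST_ENTRY *Blink; } LIST_ENTRY;
typedef struct _UNICODE_STRING { unsigned short Length; unsigned short MaximumLength; WCHAR *Buffer; } UNICODE_STRING;
#define CONTAINING_RECORD(addr, type, field) ((type *)((char *)(addr) - offsetof(type, field)))

/* Hypothetical, simplified loader entry. The real KLDR_DATA_TABLE_ENTRY that
 * DriverSection points to is undocumented; only the field names below are
 * taken from it, and their offsets here are NOT the real ones. */
typedef struct _MODEL_LDR_ENTRY {
    LIST_ENTRY     InLoadOrderLinks;   /* links all loaded modules in load order */
    void          *DllBase;            /* image base address */
    void          *EntryPoint;
    unsigned long  SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;        /* e.g. L"ntoskrnl.exe" */
} MODEL_LDR_ENTRY;

/* Case-insensitive compare of a UNICODE_STRING (UTF-16, Length in bytes)
 * against an ASCII module name. The buffer is not NUL-terminated, so the
 * comparison is bounded by Length rather than by a terminator. */
static int name_equals_ci(const UNICODE_STRING *s, const char *ascii)
{
    size_t n = strlen(ascii);
    if (s->Buffer == NULL || s->Length != n * sizeof(WCHAR))
        return 0;
    for (size_t i = 0; i < n; i++) {
        if (s->Buffer[i] > 0x7F ||
            tolower((unsigned char)s->Buffer[i]) != tolower((unsigned char)ascii[i]))
            return 0;
    }
    return 1;
}

/* Walk InLoadOrderLinks starting from our own entry (what DriverSection gives
 * us) until we come back to it. The list is circular, so "back at start" is
 * the only safe stop condition. The list head (PsLoadedModuleList) is a bare
 * LIST_ENTRY with no module behind it; this model represents it as an entry
 * whose DllBase is NULL, which the walk skips rather than dereferences. */
static void *find_module_base(MODEL_LDR_ENTRY *self, const char *name, unsigned long *size_out)
{
    LIST_ENTRY *start = &self->InLoadOrderLinks;
    LIST_ENTRY *cur = start;
    do {
        MODEL_LDR_ENTRY *e = CONTAINING_RECORD(cur, MODEL_LDR_ENTRY, InLoadOrderLinks);
        if (e->DllBase != NULL && name_equals_ci(&e->BaseDllName, name)) {
            if (size_out) *size_out = e->SizeOfImage;
            return e->DllBase;
        }
        cur = cur->Flink;
    } while (cur != start);
    return NULL;   /* not loaded: we went all the way round */
}

/* Constructed sample list (not real addresses): head, kernel, HAL, our driver. */
static WCHAR w_ntos[] = {'n','t','o','s','k','r','n','l','.','e','x','e'};
static WCHAR w_hal[]  = {'h','a','l','.','d','l','l'};
static WCHAR w_mine[] = {'M','y','D','r','i','v','e','r','.','s','y','s'};
static MODEL_LDR_ENTRY g_mods[4];   /* [0] = list head, [1..3] = modules in load order */

static void set_name(UNICODE_STRING *u, WCHAR *buf, unsigned short bytes)
{ u->Buffer = buf; u->Length = bytes; u->MaximumLength = bytes; }

static MODEL_LDR_ENTRY *build_sample_list(void)
{
    memset(g_mods, 0, sizeof g_mods);
    g_mods[1].DllBase = (void *)(uintptr_t)0xFFFFF80001000000ULL; g_mods[1].SizeOfImage = 0x800000;
    set_name(&g_mods[1].BaseDllName, w_ntos, sizeof w_ntos);
    g_mods[2].DllBase = (void *)(uintptr_t)0xFFFFF80001C00000ULL; g_mods[2].SizeOfImage = 0x100000;
    set_name(&g_mods[2].BaseDllName, w_hal, sizeof w_hal);
    g_mods[3].DllBase = (void *)(uintptr_t)0xFFFFF80009000000ULL; g_mods[3].SizeOfImage = 0x7000;
    set_name(&g_mods[3].BaseDllName, w_mine, sizeof w_mine);
    for (int i = 0; i < 4; i++) {   /* circular doubly-linked list */
        g_mods[i].InLoadOrderLinks.Flink = &g_mods[(i + 1) % 4].InLoadOrderLinks;
        g_mods[i].InLoadOrderLinks.Blink = &g_mods[(i + 3) % 4].InLoadOrderLinks;
    }
    return &g_mods[3];   /* what DriverObject->DriverSection would point at */
}

/* Returns the base found for `name` in the sample list (0 if not loaded). */
uintptr_t demo_find_base(const char *name, unsigned long *size_out)
{
    return (uintptr_t)find_module_base(build_sample_list(), name, size_out);
}

unsigned long demo_find_size(const char *name)
{
    unsigned long size = 0;
    demo_find_base(name, &size);
    return size;
}

int main(void)
{
    uintptr_t base = demo_find_base("ntoskrnl.exe", NULL);
    printf("ntoskrnl.exe base = 0x%llx\n", (unsigned long long)base);
    return base ? 0 : 1;
}
```

Two details carry over unchanged to a real driver: the walk must stop when it returns to the entry it started from, or it loops forever, and the match is done on BaseDllName by Length rather than on a NUL terminator, because UNICODE_STRING buffers are not guaranteed to be terminated.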
That concludes this introduction to the driver object and the route to the ntoskrnl.exe base address. Thank you for reading.