flat assembler
Message board for the users of flat assembler.

Finding ntdll in kernel land

Apolo



Joined: 18 Mar 2017
Posts: 23
Apolo 24 Mar 2017, 07:13
How to find ntdll base address in kernel mode?
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20414
Location: In your JS exploiting you and your system
revolution 24 Mar 2017, 08:47
You can link to it in your code and use the linked addresses. This is the same for any DLL in user or kernel space.

Another way is the standard GetProcAddress/LoadLibrary APIs.
Apolo



Joined: 18 Mar 2017
Posts: 23
Apolo 24 Mar 2017, 09:22
No! I want to get the ntdll base with the PEB structure in kernel land. How to access PEB structure in kernel land with the GS register?
Apolo



Joined: 18 Mar 2017
Posts: 23
Apolo 24 Mar 2017, 19:13
I wait with impatience for your answer.
zhak



Joined: 12 Apr 2005
Posts: 501
Location: Belarus
zhak 24 Mar 2017, 20:56
Why don't you use search on the Internet? There's plenty of information there. Here, this could be a starting point for you: https://sites.google.com/site/x64lab/home/notes-on-x64-windows-gui-programming/exploring-peb-process-environment-block
Apolo



Joined: 18 Mar 2017
Posts: 23
Apolo 25 Mar 2017, 04:23
I already searched on Google but I can't find how to access the PEB from kernel mode. The article above is about accessing the PEB from user mode, not from kernel mode. How to access EPROCESS to access PEB in EPROCESS with the GS register?
comrade



Joined: 16 Jun 2003
Posts: 1150
Location: Russian Federation
comrade 26 Mar 2017, 05:33
Ask on osronline.com
Furs



Joined: 04 Mar 2016
Posts: 2543
Furs 26 Mar 2017, 12:36
Apolo, no reason to get so mad at people. Most of us haven't done kernel or that kind of low level programming, so we don't know. I think this section is for userspace to begin with.
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.
