Hello for what I am doing I need to obtain the address of an exported procedure in a exe/dll file. Basically I need to take the file ntoskrnl.exe or ntkrnlpa.exe, and find the default address of some functions. These files always have the default base so I'm not worried about them being rebased.

Here is what I want to do:
1. Read the file ntoskrnl.exe/ntkrnlpa.exe into memory
2. Calculate the address in memory that these functions will occupy.

I know what address these functions should occupy from an SSDT viewer tool but I don't want to hardcode these as that method is not portable. Does anyone have fasm code (or nasm/masm code, I can convert that) for doing that? I remember some C code somewhere to do that but I need assembler code now.

If I made a mistake in my post please tell me, I have never written code to analyze the structure of PE files.

What do you need this for? In almost every normal case, there is no need to do hackery like this.

I tried an alternative approach using windows api functions here http://board.flatassembler.net/topic.php?t=11751, but it isn't working for ntoskrnl.exe/ntkrnlpa.exe. I think I need to manually get the data from the PE file for these files as the alternative approach isn't working.

Are you going to patch NTOSKRNL.EXE? Do you need the address of procedure within file? or in memory?

What's the purpose of this?

Anyway, read up on the PE file format and the export directory.

under win2008 server R2 x64 (=win7) the nt kernel is loaded at different address every reboot (and I guess this is the same in win2008 server x64 = vista)
KdSystemDebugControl with command SysDbgQueryVersion=7 returns some info including the address of nt kernel - you need a driver to obtain it

Just use IDA