How do I get the address to kernel modules nt and win32k?

Question

I need to know the base addresses where nt and win32k are loaded. I can find out this information by booting the system with kernel debugging enabled, start a kernel debug session, and run the command lm to get a list of the loaded modules.

What I want to do is programmatically determine where these two modules are loaded without booting into debug mode and using the kernel debugger. I need the base addresses for resolving syscalls in an Event Tracing for Windows log file.

The system I am working on is running Windows Server 2008 R2.

https://www.nirsoft.net/utils/driverview.html – Lewis Kelsey Mar 14 '21 at 15:38 — Lewis Kelsey, Mar 14 '21 at 15:38

score 12 · Accepted Answer · edited Mar 14 '21 at 15:47

12

The list of loaded kernel modules and base addresses (including ntoskrnl) is stored in the list pointed by PsLoadedModuleList symbol. Or use ZwQuerySystemInformation(SystemModuleInformation) instead.

For detailed information see http://alter.org.ua/docs/nt_kernel/procaddr/

edited Mar 14 '21 at 15:47

Lewis Kelsey

4,129
1
32
42

answered May 21 '12 at 19:30

Xearinox

3,224
2
24
38

Excellent. Thank you for the reference. This solution is great because it is useful for both kernel-mode and user-mode. Researching your answer also lead me to 2 other API calls, EnumDeviceDrivers and GetDeviceDriverBaseName that look like they accomplish the same thing. – canzar May 24 '12 at 14:32

How do I get the address to kernel modules nt and win32k?

1 Answers1