[madaboo]

Hi,

Is it possible to load exe/dll file in kernlemode like LoadLibrary() is in userland?
Same question according to GetProcAddress()?

Thank you.

[frank_boldewin]

MmGetSystemRoutineAddress might be, what you are looking for.

UNICODE_STRING uLibName;
RtlInitUnicodeString (&uLibName, LibName);
return MmGetSystemRoutineAddress (&uLibName);

[rkhunter]

MmGetSystemRoutineAddress could check export functions only in ntoskrnl and hal; and it can not load PE images as opposed to LoadLibrary.

[madaboo]

Guys thank you, but my problem is - I need to something like LoadLibrary() - how about using MapViewOfSection or somethin?

[rkhunter]

You want to load PE-file for execute in kernel mode?

[madaboo]

not for execution. for analysis.. e.g to analyse unexported symbols from kernel img.
any ideas how to do this?

[rkhunter]

ZwCreateFile/ZwCreateSection/ZwMapViewOfSection and next analysis EAT.

Code: Select all

OBJECT_ATTRIBUTES ObjectAttributes;
ULONG SectionType = SEC_IMAGE;
PVOID ViewBase = NULL;
ULONG ViewSize = 0;
HANDLE ImageFileHandle = NULL; //-real handle

InitializeObjectAttributes (&ObjectAttributes, NULL, (OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE), NULL, NULL);

Status = ZwCreateSection (&Section, SECTION_ALL_ACCESS, &ObjectAttributes, NULL, PAGE_READONLY, SectionType, ImageFileHandle);

if ( NT_SUCCESS (Status) ) 
{
    ViewBase = NULL;
    ViewSize = 0;

    Status = ZwMapViewOfSection (Section, NtCurrentProcess (), (PVOID *)&ViewBase, 0L, 0L, NULL, &ViewSize, ViewShare,
                                                    0L, PAGE_READONLY);
}