[madaboo]

Hello!

What is the easiest way to get know what is kernel base virtual - I mean what is base address of ntoskrnl.exe loaded by system (windbg: lm -> start address for nt module)?
I thnik that ZwQuerySystemInformation could be useful, but is there any other way (documented or undocumented)?

[Alex]

Getting the start and end address of nt
_DRIVER_SECTION/_MODULE_ENTRY

Please use search button next time...

[frank_boldewin]

if you want to avoid static addresses u can use SIDT instruction. DWORD[IDT+4] points into NTOSKRNL memory. then decrement until 0x00905a4d is found.

[Alex]

If someone is interested in such method, this and few more have been described in this paper - Kernel-mode Payloads on Windows.

[_Lynn]

personally I use ZwQuerySystemInformation, the first module in the SYSTEM_MODULE buffer is ntoskrnl.