A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #16772  by _MAX_
 Fri Nov 23, 2012 1:13 am
Hello, I'm loading my ntoskrnl image in user space using:
Code:
	hNtOsHandle = LoadLibrary( KernelImageName );
	if ( hNtOsHandle == NULL )
	{
		/* GetLastError() holds the Win32 error code for the failed load */
		printf("LoadLibrary() failed, error %lu\n", GetLastError());
		return FALSE;
	}
I can easily find HalDispatchTable, which is exported by the kernel, but
how can I locate HalDispatchTable+8 and get the value?

thanks
 #16782  by _MAX_
 Fri Nov 23, 2012 8:41 am
Code:
fffff800`02a00c30  00000000`00000004
fffff800`02a00c38  00000000`0025f2bc
fffff800`02a00c40  fffff800`02e2d470
fffff800`02a00c48  fffff800`02bfbfa0 nt!ArbAddReserved
fffff800`02a00c50  00000000`00000000
fffff800`02a00c58  fffff800`028d2b90 nt!HalExamineMBR
fffff800`02a00c60  fffff800`02baa2d0 nt!IoReadPartitionTable
fffff800`02a00c68  fffff800`02ba9dbc nt!IoSetPartitionInformation
fffff800`02a00c70  fffff800`02ce9860 nt!IoWritePartitionTable
I want to check if fffff800`02a00c38 == 00000000`0025f2bc, or only the value of fffff800`02a00c38?

Thanks, but that code seems to just add 0x4 to the base address, not the value in that address.

thanks
 #16785  by EP_X0FF
 Fri Nov 23, 2012 9:34 am
HalDispatchTable is a pointer to structure. See HalInitSystem for example.
 #16786  by _MAX_
 Fri Nov 23, 2012 10:41 am
I think HalDispatchTable+8 is a pointer to xHalQuerySystemInformation, which I think is exported by ntoskrnl.exe, so if I GetProcAddress the xHalQuerySystemInformation I will have the value of the HalDispatchTable + 8 pointer.
Right?
 #16787  by EP_X0FF
 Fri Nov 23, 2012 10:45 am
This is a question from the category: "how to get data from the pointer referring to the memory location to which it points" ?
 #16788  by _MAX_
 Fri Nov 23, 2012 11:00 am
EP_X0FF wrote: This is a question from the category: "how to get data from the pointer referring to the memory location to which it points" ?
Hehe, yes, but when I'm in user space I cannot read kernel-space memory and I get an access violation. That's why I asked if it's possible to do that by loading ntoskrnl.exe in user space, so then maybe I can read the memory location the pointer at HalDispatchTable + 8 refers to.
So now I think the question is clearer:
Is xHalQuerySystemInformation exported by ntoskrnl.exe? Can I use GetProcAddress()?
How can I get data from a pointer referring to the kernel, but with ntoskrnl.exe loaded in user space?
 #16802  by EP_X0FF
 Sat Nov 24, 2012 7:55 am
_MAX_ wrote: Is xHalQuerySystemInformation exported by ntoskrnl.exe? Can I use GetProcAddress()?
No.

What is the purpose of this? You want HAL_DISPATCH?

Get a pointer to HalDispatchTable, it all lies nearby.
Code:
.data:00499070 _HalDispatchTable dd 3
.data:00499074 off_499074      dd offset _xHalQuerySystemInformation@16
.data:00499078 off_499078      dd offset _xHalSetSystemInformation@12
.data:0049907C                 dd offset _xHalQueryBusSlots@16 ; xHalQueryBusSlots(x,x,x,x)
.data:00499080                 db    0
.data:00499081                 db    0
.data:00499082                 db    0
.data:00499083                 db    0
.data:00499084                 dd offset @HalExamineMBR@16 ; HalExamineMBR(x,x,x,x)
.data:00499088                 dd offset @IoAssignDriveLetters@16 ; IoAssignDriveLetters(x,x,x,x)
.data:0049908C                 dd offset @IoReadPartitionTable@16 ; IoReadPartitionTable(x,x,x,x)
.data:00499090                 dd offset @IoSetPartitionInformation@16 ; IoSetPartitionInformation(x,x,x,x)
.data:00499094                 dd offset @IoWritePartitionTable@20 ; IoWritePartitionTable(x,x,x,x,x)
.data:00499098                 dd offset @xHalHandlerForBus@8 ; xHalHandlerForBus(x,x)

.....
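The x86 listing above, together with the HalDispatchTable+8 question from the earlier posts, is enough to separate the two things being confused in this thread: the offset of a slot and the value stored in that slot. The following Python is an added example, not code from the thread or from any of the posters. It lays out the HAL_DISPATCH fields named in the listing (field names as in the public ntddk.h declaration) for both 4-byte and 8-byte pointers, shows that the same slot, HalQuerySystemInformation, sits at +4 on x86 and at +8 on x64 because of alignment padding after the ULONG Version, and then reads a slot out of a raw copy of the table, the way a memory-forensics or driver-side integrity check would, to test whether it still points into a trusted module. The module ranges, table contents and addresses are constructed for the example; nothing is read from a live kernel.

```python
import struct

# HAL_DISPATCH field order, as in the x86 listing quoted in the thread
# (Version, three xHal* entries, four zero bytes, then the HalExamineMBR group).
# Field names follow the public ntddk.h HAL_DISPATCH declaration.
HAL_DISPATCH_FIELDS = [
    ("Version", "ulong"),
    ("HalQuerySystemInformation", "ptr"),
    ("HalSetSystemInformation", "ptr"),
    ("HalQueryBusSlots", "ptr"),
    ("Spare1", "ulong"),                    # the four 'db 0' bytes at .data:00499080
    ("HalExamineMBR", "ptr"),
    ("HalIoAssignDriveLetters", "ptr"),
    ("HalIoReadPartitionTable", "ptr"),
    ("HalIoSetPartitionInformation", "ptr"),
    ("HalIoWritePartitionTable", "ptr"),
    ("HalReferenceHandlerForBus", "ptr"),
]


def layout(pointer_size):
    """Return {field: (offset, size)} using natural alignment (the MSVC default)."""
    offsets, off = {}, 0
    for name, kind in HAL_DISPATCH_FIELDS:
        size = 4 if kind == "ulong" else pointer_size
        off = (off + size - 1) // size * size      # align to the field's own size
        offsets[name] = (off, size)
        off += size
    return offsets


def field_at(offset, pointer_size):
    """Name the field whose slot starts at HalDispatchTable+offset (None if mid-slot)."""
    for name, (off, _size) in layout(pointer_size).items():
        if off == offset:
            return name
    return None


def build_table(pointer_size, values):
    """Pack a raw HAL_DISPATCH image from {field: int}; unspecified slots stay 0."""
    lay = layout(pointer_size)
    buf = bytearray(max(off + size for off, size in lay.values()))
    for name, val in values.items():
        off, size = lay[name]
        struct.pack_into("<I" if size == 4 else "<Q", buf, off, val)
    return bytes(buf)


def read_slot(table_bytes, name, pointer_size):
    """Return the VALUE stored in a slot (base+offset is only the slot's address)."""
    off, size = layout(pointer_size)[name]
    return struct.unpack_from("<I" if size == 4 else "<Q", table_bytes, off)[0]


def slot_owner(table_bytes, name, pointer_size, modules):
    """Return the trusted module a slot points into, or None if it points elsewhere.

    modules: list of (name, base, size) as taken from the loaded-module list."""
    value = read_slot(table_bytes, name, pointer_size)
    for mod_name, base, size in modules:
        if base <= value < base + size:
            return mod_name
    return None


# Constructed x64 sample: module ranges and table contents are invented for the example.
MODULES = [
    ("ntoskrnl.exe", 0xFFFFF80002800000, 0x600000),
    ("hal.dll",      0xFFFFF80002E00000, 0x050000),
]
CLEAN_TABLE = build_table(8, {"Version": 4,
                              "HalQuerySystemInformation": 0xFFFFF80002E1A000})
HOOKED_TABLE = build_table(8, {"Version": 4,
                               "HalQuerySystemInformation": 0xFFFFFA8001230000})

if __name__ == "__main__":
    for arch, psize in (("x86", 4), ("x64", 8)):
        print(f"{arch}: HalDispatchTable+{psize} -> {field_at(psize, psize)}")
    for label, tbl in (("clean", CLEAN_TABLE), ("suspicious", HOOKED_TABLE)):
        value = read_slot(tbl, "HalQuerySystemInformation", 8)
        owner = slot_owner(tbl, "HalQuerySystemInformation", 8, MODULES)
        print(f"{label}: slot at +8 holds {value:#018x}, owner = {owner}")
```

A user-mode LoadLibrary of ntoskrnl.exe only maps the image's .data section with its initial contents, so the table it exposes holds the Version value and the relocated addresses of the xHal* stubs inside that mapping; the values the HAL writes into the slots at boot exist only in kernel memory, which is why the reads attempted in this thread fault. A check like slot_owner therefore needs its table bytes from a kernel driver or from a memory image, and its module list from the same source.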

 #16805  by _MAX_
 Sat Nov 24, 2012 8:52 am
Get a pointer to HalDispatchTable, it all lies nearby.
When I'm in user space I can get the pointer to HalDispatchTable because it is exported by ntoskrnl.exe, but when I want to read the pointer's value, which is in kernel address space, I get an access violation error: cannot read address ....
 #16806  by EP_X0FF
 Sat Nov 24, 2012 8:56 am
The truth is out there. Can you give a detailed explanation of what you want to do and how you do it? It seems related to this topic: http://www.kernelmode.info/forum/viewto ... =14&t=2149.

From what I see now, you have LoadLibrary(ntoskrnl.exe), GetProcAddress(HalDispatchTable) and ....? Trying to read kernel mode memory from user mode?