[driverobject]

Hi all,

Quick question, what is a way, a recommended way, of finding the start address of the kernel image along with its size?

Thanks..

[Alex]

It depends what for do you need these information. If you are sure that ZwQuerySystemInformation service isn't hooked and data stored by the PsLoadedModuleList list are correct you can use ZwQuerySystemInformation(SystemModuleInformation) or read these data from the PsLoadedModuleList (LDR_DATA_TABLE_ENTRY) directly. You can also find nt address inside KdVersionBlock. Finally you can use one of fallowing methods described in the Windows Kernel-mode Payload Fundamentals article. If nt's PE header isn't destroyed you can use it to obtain image size.

[driverobject]

Thanks Alex, very useful information.

Would it be safe to assume that the image base or module start address will not be changed even if ZwQuerySystemInformation is modified? Based on the fact that this would not be of benefit to the rootkit?

Combining the 2 techniques you have outlined below would the steps below be a logical way to detect modification of the kernel then?

1. Get the image size from the PE image of nt on disk.
2. Get the image size by calling ZwQuerySystemInformation.
3. Compare the two and if there is a difference alert that there is modification.

And in addition to that is there any legit use of NT kernel modification that Microsoft itself would do?

Thanks..

[GamingMasteR]

Internally the windows kernel uses PsLoadedModuleList to obtain modules base and size .