Unexported Windows kernel functions/structures finding method
Many functions and structures, such as KeServiceDescriptorTable and many others, are not exported by nt.
How can we get the virtual addresses of the desired functions and/or structures?
There are methods that use pattern matching to find specific functions and/or structures inside a function's code, but this way of finding them is unreliable: any change from MS can break our pattern matching algorithm.
What about using the Debug Help Library from Microsoft? We can access the symbolic debugging information of an image, such as the RVA of the desired function/structure, and add it to the address obtained via Psapi to get the address of the function/structure; SymFromName gives us the symbolic information of a function/structure.
I'm assuming that the target system does not contain any debugging-related executables, such as
.pdb file, which contains debugging information for
ntoskrnl.exe, we need to download it manually using
We can find
C:\Program Files (x86)\Windows Kits\10\Debuggers\x64 on Windows 10.
It's a good idea to embed all necessary files into the main executable and extract them at run-time. We need the following additional executables:
Example source code:
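As an added example (not the post's own code), the method described above in Python with ctypes: DbgHelp loads ntoskrnl.exe together with its PDB, SymFromName returns the symbol's address, the RVA is that address minus the module base DbgHelp used, and Psapi's EnumDeviceDrivers supplies the running kernel's base to add it to. Assumed here and not taken from the post: dbghelp.dll and symsrv.dll placed beside the script, a symbol-server search path (srv*...) in place of a manually downloaded .pdb, the symbol cache directory, and that the first driver Psapi enumerates is ntoskrnl.exe.

```python
import ctypes

# Assumed, not from the original post: dbghelp.dll and symsrv.dll are copied from the Windows Kits
# Debuggers\x64 directory next to this script, and the symbol cache directory is made up.
KERNEL_IMAGE = r"C:\Windows\System32\ntoskrnl.exe"
SYMBOL_PATH = r"srv*C:\symcache*https://msdl.microsoft.com/download/symbols"
MAX_SYM_NAME = 2000  # DbgHelp's documented maximum symbol name length

class SYMBOL_INFO(ctypes.Structure):
    # DbgHelp's SYMBOL_INFO layout in fixed-width types, so ctypes.sizeof() is 88 on every platform.
    _fields_ = [("SizeOfStruct", ctypes.c_uint32), ("TypeIndex", ctypes.c_uint32),
                ("Reserved", ctypes.c_uint64 * 2), ("Index", ctypes.c_uint32), ("Size", ctypes.c_uint32),
                ("ModBase", ctypes.c_uint64), ("Flags", ctypes.c_uint32), ("Value", ctypes.c_uint64),
                ("Address", ctypes.c_uint64), ("Register", ctypes.c_uint32), ("Scope", ctypes.c_uint32),
                ("Tag", ctypes.c_uint32), ("NameLen", ctypes.c_uint32), ("MaxNameLen", ctypes.c_uint32),
                ("Name", ctypes.c_char * 1)]

def symbol_rva(symbol_address, module_base):
    """RVA = the symbol's address in the PDB-backed module minus the base DbgHelp loaded it at."""
    if symbol_address < module_base:
        raise ValueError("symbol address lies below the module base")
    return symbol_address - module_base

def kernel_va(rva, kernel_base):
    """Live kernel virtual address = the kernel image base reported by Psapi plus the RVA."""
    return kernel_base + rva

def resolve_kernel_symbol(name):
    """Windows only (run elevated): look `name` up in ntoskrnl's PDB, return (rva, kernel_va)."""
    dbghelp, psapi = ctypes.WinDLL("dbghelp.dll"), ctypes.WinDLL("psapi.dll")
    dbghelp.SymLoadModuleEx.restype = ctypes.c_uint64  # returns a DWORD64 base, not an int
    hproc = ctypes.c_void_p(0x1234)  # any unique value works for an offline symbol session
    if not dbghelp.SymInitialize(hproc, SYMBOL_PATH.encode(), 0):
        raise ctypes.WinError()
    try:  # fetch ntoskrnl.pdb from the symbol server (via symsrv.dll) and look the name up in it
        mod_base = dbghelp.SymLoadModuleEx(hproc, None, KERNEL_IMAGE.encode(), None,
                                           ctypes.c_uint64(0), 0, None, 0)
        buf = ctypes.create_string_buffer(ctypes.sizeof(SYMBOL_INFO) + MAX_SYM_NAME)
        info = ctypes.cast(buf, ctypes.POINTER(SYMBOL_INFO)).contents
        info.SizeOfStruct, info.MaxNameLen = ctypes.sizeof(SYMBOL_INFO), MAX_SYM_NAME
        if not mod_base or not dbghelp.SymFromName(hproc, name.encode(), ctypes.byref(info)):
            raise ctypes.WinError()
        rva = symbol_rva(info.Address, mod_base)
    finally:
        dbghelp.SymCleanup(hproc)
    bases, needed = (ctypes.c_void_p * 1024)(), ctypes.c_uint32()  # Psapi: entry 0 assumed ntoskrnl
    if not psapi.EnumDeviceDrivers(bases, ctypes.sizeof(bases), ctypes.byref(needed)):
        raise ctypes.WinError()
    return rva, kernel_va(rva, bases[0] or 0)
```

Calling `resolve_kernel_symbol("KeServiceDescriptorTable")` on the target yields the RVA from the PDB and the address it maps to in the running kernel.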
Advantages of this method:
- Under the right circumstances, we get accurate information.
- Cross-platform?
Disadvantages of this method:
- We need a user-mode process.
- We need an Internet connection.
- The user-mode application is quite large because it contains several embedded executables.
Thank you for your time…