Re: Dynamically loading binaries in Kernel mode.



Hi Luis,

You do not need to allocate memory and read the file in; maybe the following
code can help you. The function prototype comes from Gary Nebbett's book
Windows NT/2000 Native API, but Gary made a mistake there in the
SYSTEM_LOAD_IMAGE struct. Also, when run on Windows XP, the size of
the struct differs depending on the service pack.

As to the PE parsing, it is a little tedious, so you can find it
elsewhere.

Note: The code is tested only on Windows XP, with and without SP1/SP2.

#include <ntddk.h>
#include <stddef.h>   /* offsetof */

/* ZwSetSystemInformation is not declared in the DDK headers; the prototype
   follows Gary Nebbett, Windows NT/2000 Native API Reference. */
NTSYSAPI NTSTATUS NTAPI ZwSetSystemInformation(
    IN ULONG SystemInformationClass,
    IN PVOID SystemInformation,
    IN ULONG SystemInformationLength);

#define SystemLoadImage 26   /* SYSTEM_INFORMATION_CLASS value for SYSTEM_LOAD_IMAGE */

/* TRACE is the poster's debug macro; mapped to DbgPrint here so the code builds. */
#define TRACE DbgPrint

typedef struct _SYSTEM_LOAD_IMAGE { // Information Class 26
    UNICODE_STRING ModuleName;
    PVOID ModuleBase;
    PVOID ModuleSection;   //Lihw. ModuleSection is used to free the image
    PVOID EntryPoint;
    PVOID ExportDirectory;
    PVOID DummyForSP;      //Lihw. XP SP2 uses an extra field
} SYSTEM_LOAD_IMAGE, *PSYSTEM_LOAD_IMAGE;

/*

Load specified module into kernel address space

Para:
    pModName: Unicode string pointing to the absolute path of the image
    pImageBase: receives the base address the image was loaded at

return:
    NULL if failed
    ModuleSection if success, which can be used later as input para to
    FreeModule.
*/
HANDLE LoadModule(IN PCWSTR pModName, OUT PVOID* pImageBase)
{
    SYSTEM_LOAD_IMAGE sli;
    NTSTATUS ret;
    ULONG ulStructSize = sizeof(SYSTEM_LOAD_IMAGE);
    RTL_OSVERSIONINFOEXW ver;

    RtlZeroMemory(&sli, sizeof(SYSTEM_LOAD_IMAGE));

    RtlInitUnicodeString(&sli.ModuleName, pModName);

    //Get windows version to determine the size of SYSTEM_LOAD_IMAGE struct.
    RtlZeroMemory(&ver, sizeof(ver));
    ver.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOEXW);
    RtlGetVersion((PRTL_OSVERSIONINFOW)&ver);

    //Without a service pack the structure ends before DummyForSP.
    if (ver.wServicePackMajor == 0)
        ulStructSize = offsetof(SYSTEM_LOAD_IMAGE, DummyForSP);

    ret = ZwSetSystemInformation(SystemLoadImage, &sli, ulStructSize);
    if (!NT_SUCCESS(ret))
    {
        TRACE("LoadModule failed\n Ret=%x\n", ret);
        return NULL;
    }

    *pImageBase = sli.ModuleBase;

    return (HANDLE)sli.ModuleSection;
}

Jerry Lee

