Re: Difference between base address of kernel modules and their image address



Thanks, all, for your help.

"David Craig" <drivers@xxxxxxxxxx> wrote in message
news:uEy8Q%234sIHA.3604@xxxxxxxxxxxxxxxxxxxxxxx
Maybe with the new multiple load addresses chosen randomly, some logic to
know where something is loaded is needed to write viral code. It might
also be useful for some security software that uses techniques you don't
approve of, such as hooking.

"Don Burn" <burn@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:OFTiFM3sIHA.2068@xxxxxxxxxxxxxxxxxxxxxxx
Use GetModuleInformation in user space. In the kernel the
PsLoadImageNotifyCallback will give you the actual address. Why do you
want this information? It is a rare program that uses it.


--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply
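The thread's point is that the ImageBase stored in a module's PE optional header is only a preference; the loader (user-mode or kernel-mode) may map the image elsewhere and fix it up through the .reloc section, and with ASLR it usually does. The following is an added example written for this page, not code from any poster: it decodes ImageBase, SizeOfImage and the DYNAMIC_BASE (ASLR opt-in) flag from a PE header, computes the relocation delta between the preferred and the actual base, and, when built on Windows, compares the header of user32.dll with the base reported by GetModuleInformation (lpBaseOfDll) as Don Burn suggests. Header offsets come from the PE/COFF specification; the in-memory sample image is constructed here and does not correspond to any real DLL. Off Windows the program runs against that constructed sample only.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets and constants from the PE/COFF specification. */
#define DOS_MAGIC            0x5a4d      /* "MZ" */
#define NT_SIGNATURE         0x00004550  /* "PE\0\0" */
#define MAGIC_PE32           0x10b
#define MAGIC_PE32PLUS       0x20b
#define DLLCHAR_DYNAMIC_BASE 0x0040      /* IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: ASLR opt-in */

typedef struct {
    uint16_t magic;         /* MAGIC_PE32 or MAGIC_PE32PLUS */
    uint64_t image_base;    /* preferred (advisory) base from the optional header */
    uint32_t size_of_image;
    int      dynamic_base;  /* 1 if the image opted in to ASLR */
} pe_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

/* Decode the header fields we care about. Every offset is bounds-checked against
 * len: e_lfanew and SizeOfOptionalHeader come from the file (or from another
 * process's memory) and must not be trusted. Returns 0 on success, -1 otherwise. */
int pe_parse(const uint8_t *buf, size_t len, pe_info *out)
{
    if (len < 0x40 || rd16(buf) != DOS_MAGIC) return -1;
    uint32_t e_lfanew = rd32(buf + 0x3c);
    if (e_lfanew > len || len - e_lfanew < 24) return -1;     /* signature + COFF header */
    const uint8_t *nt = buf + e_lfanew;
    if (rd32(nt) != NT_SIGNATURE) return -1;
    uint16_t opt_size = rd16(nt + 20);                         /* SizeOfOptionalHeader */
    if (opt_size < 72 || len - e_lfanew - 24 < opt_size) return -1;
    const uint8_t *opt = nt + 24;
    memset(out, 0, sizeof *out);
    out->magic = rd16(opt);
    if (out->magic == MAGIC_PE32)
        out->image_base = rd32(opt + 28);        /* 32-bit ImageBase */
    else if (out->magic == MAGIC_PE32PLUS)
        out->image_base = rd64(opt + 24);        /* 64-bit ImageBase */
    else
        return -1;
    out->size_of_image = rd32(opt + 56);
    out->dynamic_base  = (rd16(opt + 70) & DLLCHAR_DYNAMIC_BASE) != 0;
    return 0;
}

/* The value the loader adds to every absolute address listed in .reloc when the
 * module lands somewhere other than its preferred base (zero means "no fix-ups"). */
int64_t pe_reloc_delta(uint64_t actual_base, const pe_info *pi)
{
    return (int64_t)(actual_base - pi->image_base);
}

/* Constructed sample (not a real DLL): a bare PE32+ header with a preferred base
 * of 0x180000000 and DYNAMIC_BASE|NX_COMPAT set. Returns the bytes written. */
size_t make_sample_image(uint8_t *buf, size_t cap)
{
    const uint32_t e_lfanew = 0x40, opt_size = 240;
    size_t total = e_lfanew + 24 + opt_size;
    if (cap < total) return 0;
    memset(buf, 0, total);
    wr16(buf, DOS_MAGIC);
    wr32(buf + 0x3c, e_lfanew);
    uint8_t *nt = buf + e_lfanew;
    wr32(nt, NT_SIGNATURE);
    wr16(nt + 4, 0x8664);                        /* Machine = AMD64 */
    wr16(nt + 20, (uint16_t)opt_size);
    uint8_t *opt = nt + 24;
    wr16(opt, MAGIC_PE32PLUS);
    wr64(opt + 24, 0x180000000ULL);              /* ImageBase */
    wr32(opt + 56, 0x20000);                     /* SizeOfImage */
    wr16(opt + 70, DLLCHAR_DYNAMIC_BASE | 0x0100);
    return total;
}

/* Build and parse the constructed sample. */
int demo_sample(pe_info *out)
{
    uint8_t buf[512];
    size_t n = make_sample_image(buf, sizeof buf);
    return n ? pe_parse(buf, n, out) : -1;
}

#ifdef _WIN32
#include <windows.h>
#include <psapi.h>
/* Compare user32.dll's advisory ImageBase with where it is actually mapped in
 * this process. The mapped image begins with its own headers, so they can be
 * parsed in place. Link with psapi.lib. */
int main(void)
{
    HMODULE h = LoadLibraryW(L"user32.dll");
    MODULEINFO mi;
    pe_info pi;
    if (!h || !GetModuleInformation(GetCurrentProcess(), h, &mi, sizeof mi)) return 1;
    if (pe_parse((const uint8_t *)mi.lpBaseOfDll, mi.SizeOfImage, &pi) != 0) return 1;
    printf("user32.dll preferred 0x%llx, actual %p, delta %lld, ASLR %d\n",
           (unsigned long long)pi.image_base, mi.lpBaseOfDll,
           (long long)pe_reloc_delta((uint64_t)(uintptr_t)mi.lpBaseOfDll, &pi), pi.dynamic_base);
    return 0;
}
#else
int main(void)
{
    pe_info pi;
    if (demo_sample(&pi) != 0) return 1;
    uint64_t actual = 0x7ff812340000ULL;         /* pretend the loader chose this base */
    printf("preferred 0x%llx, actual 0x%llx, delta %lld, ASLR %d\n",
           (unsigned long long)pi.image_base, (unsigned long long)actual,
           (long long)pe_reloc_delta(actual, &pi), pi.dynamic_base);
    return 0;
}
#endif
```

On a current Windows build the printed delta for user32.dll is almost never zero, which is exactly why the header's ImageBase cannot be used as the module's address. The kernel-side equivalent of lpBaseOfDll is the ImageBase member of the IMAGE_INFO structure handed to a load-image notify routine registered with PsSetLoadImageNotifyRoutine, the callback Don refers to above.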



"None" <none@xxxxxxxx> wrote in message
news:umzxDG3sIHA.2292@xxxxxxxxxxxxxxxxxxxxxxx
Thanks both. If imagebase is just advisory, how can I determine the real
address where a module (e.g. user32.dll) is loaded into a user mode
process?

""Jeffrey Tan[MSFT]"" <jetan@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:BOrJ6KbsIHA.1788@xxxxxxxxxxxxxxxxxxxxxxxxx
Hi,

Don has explained that the "Image Base" in driver PE files is not used in
kernel mode; the OS kernel will dynamically relocate the image.

Yes, kernel modules are modules running in kernel mode.

Windows normally uses two modes of the modern CPU: user mode (ring 3 on
x86) and kernel mode (ring 0 on x86). Only kernel mode can directly access
hardware and other sensitive OS memory/resources. Windows uses the
kernel-mode address space (above 2 GB in 32-bit Windows) for code running
in CPU kernel mode. Device drivers normally run in this mode to drive real
devices. So "kernel-mode modules" normally means the kernel-mode device
drivers (with addresses larger than 2 GB in 32-bit Windows).

Kernel32.dll and user32.dll are both user-mode libraries (with addresses
less than 2 GB in 32-bit Windows) that expose Win32 APIs. They are required
by the Win32 subsystem. These modules call into the native APIs in
ntdll.dll (another user-mode library). Finally, the ntdll.dll native APIs
interrupt into the kernel-mode OS services. So kernel32 and user32 are
user-mode modules, not kernel-mode modules.

The DDK documentation and the <Windows Internals> book are the best
resources for these concepts. Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@xxxxxxxxxxxxxx

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.