#include <Windows.h>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <iostream>
/*
 * One entry of the SystemModuleInformation list as this page lays it out;
 * GetKernelBase below reads only Name and ImageBaseAddress from it.
 *
 * NOTE(review): the field names and widths are the author's. Two 4-byte
 * Reserved fields in front of a pointer line up with a 32-bit build (w018
 * then sits at offset 0x18, which presumably is what the name records); on a
 * 64-bit build the leading fields of the kernel's record are pointer-sized,
 * so ImageBaseAddress would no longer land on the image base. Confirm the
 * layout against the target architecture before trusting the printed value.
 */
typedef struct _SYSTEM_MODULE {
ULONG Reserved1;           /* not read on this page */
ULONG Reserved2;           /* not read on this page */
PVOID ImageBaseAddress;    /* printed by GetKernelBase as the module base */
ULONG ImageSize;
ULONG Flags;
WORD Id;
WORD Rank;
WORD w018;                 /* meaning not shown here; presumably named for its offset */
WORD NameOffset;           /* presumably the offset of the file name within Name — unused here */
BYTE Name[255];            /* full path, compared against "\SystemRoot\system32\ntoskrnl.exe"
                              by GetKernelBase; a terminator is not guaranteed by the type */
} SYSTEM_MODULE, *PSYSTEM_MODULE;
/*
 * Header of the buffer returned for SystemModuleInformation: a count followed
 * in place by that many SYSTEM_MODULE entries.
 *
 * Modules[0] is a zero-length-array compiler extension (not standard C or
 * C++) standing in for a trailing variable-length array. Index it only up to
 * ModulesCount, and only as far as the bytes the query actually wrote.
 */
typedef struct _SYSTEM_MODULE_INFORMATION {
ULONG ModulesCount;        /* number of valid entries in Modules */
SYSTEM_MODULE Modules[0];  /* entries follow the header directly */
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
/*
 * Pointer type matching ntdll!NtQuerySystemInformation, which GetKernelBase
 * resolves at run time with GetProcAddress instead of declaring it through
 * winternl.h. The NTSTATUS result is negative on failure; ReturnLength
 * receives the size required (or written) and may be NULL.
 *
 * Style: an identifier starting with '_' followed by an uppercase letter is
 * reserved for the implementation; a project-prefixed name would be safer.
 */
typedef NTSTATUS (NTAPI *_NtQuerySystemInformation) (
ULONG SystemInformationClass,   /* GetKernelBase passes 11 (SystemModuleInformation) */
PVOID SystemInformation,        /* caller-owned output buffer, may be NULL for a size query */
ULONG SystemInformationLength,  /* size of SystemInformation in bytes */
PULONG ReturnLength OPTIONAL    /* required/written size in bytes */
);
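/*
 * Walk a SystemModuleInformation buffer and print the entry whose full path
 * is the kernel image.
 *
 * info   - buffer filled by NtQuerySystemInformation (may hold fewer bytes
 *          than its header claims if the query was truncated)
 * bytes  - number of bytes the query actually wrote into info
 *
 * Only entries that lie entirely inside `bytes` are examined, so a count
 * larger than the buffer cannot cause an out-of-bounds read.
 */
static void PrintKernelEntry(const SYSTEM_MODULE_INFORMATION *info, ULONG bytes)
{
    const ULONG header = (ULONG)offsetof(SYSTEM_MODULE_INFORMATION, Modules);
    if (bytes < header)
        return;

    /* Clamp the advertised count to what the buffer can actually contain. */
    ULONG count = info->ModulesCount;
    ULONG maxEntries = (ULONG)((bytes - header) / sizeof(SYSTEM_MODULE));
    if (count > maxEntries)
        count = maxEntries;

    for (ULONG i = 0; i < count; i++) {
        const SYSTEM_MODULE *m = &info->Modules[i];
        /* Name is a fixed 255-byte field with no guaranteed terminator, so
           both the compare and the print are bounded to its size. */
        if (strncmp((const char *)m->Name, "\\SystemRoot\\system32\\ntoskrnl.exe",
                    sizeof m->Name) == 0) {
            printf("[*] Driver Entry: %.*s at %p\n",
                   (int)sizeof m->Name, (const char *)m->Name, m->ImageBaseAddress);
        }
    }
}

/*
 * Query the loaded kernel module list through ntdll!NtQuerySystemInformation
 * (class 11, SystemModuleInformation) and print the image base of
 * ntoskrnl.exe when an entry's full path matches.
 *
 * Returns TRUE when the module list was queried successfully, whether or not
 * the kernel entry was found (as before), and FALSE when ntdll or the export
 * cannot be resolved, the size query yields nothing, allocation fails, or the
 * query itself reports an NTSTATUS failure.
 *
 * Fixes relative to the previous version: the result of GlobalAlloc and of
 * the second query were never checked, the buffer was never freed, and the
 * entry loop trusted ModulesCount without bounding it to the buffer.
 */
BOOL GetKernelBase()
{
    HMODULE ntdllHandle = GetModuleHandleW(L"ntdll");
    if (!ntdllHandle)
        return FALSE;

    _NtQuerySystemInformation NtQuerySystemInformation =
        (_NtQuerySystemInformation)GetProcAddress(ntdllHandle, "NtQuerySystemInformation");
    if (!NtQuerySystemInformation)
        return FALSE;

    /* Size query: with a NULL buffer this call is expected to fail with a
       length-mismatch status, so only the returned length is meaningful. */
    ULONG len = 0;
    NtQuerySystemInformation(11, NULL, 0, &len);
    if (len == 0)
        return FALSE;

    PSYSTEM_MODULE_INFORMATION pModuleInfo =
        (PSYSTEM_MODULE_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len);
    if (!pModuleInfo)
        return FALSE;

    /* NTSTATUS failures have the sign bit set; `ret < 0` is the same test
       NT_SUCCESS() performs. A driver loaded between the two calls can make
       this fail with a length mismatch — callers may simply retry. */
    ULONG returned = 0;
    NTSTATUS ret = NtQuerySystemInformation(11, pModuleInfo, len, &returned);
    BOOL ok = (ret >= 0) ? TRUE : FALSE;
    if (ok)
        PrintKernelEntry(pModuleInfo, returned < len ? returned : len);

    GlobalFree(pModuleInfo);  /* previously leaked on every call */
    return ok;
}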
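/*
 * Entry point: run the module query, then wait for the user before the
 * console window closes.
 *
 * Returns 0 when the query succeeded and 1 otherwise, so a caller can tell a
 * failed query from "kernel entry not printed". The wait uses std::cin
 * instead of system("pause"), which spawned cmd.exe through the PATH.
 */
int main()
{
    int rc = GetKernelBase() ? 0 : 1;
    if (rc != 0)
        fprintf(stderr, "[-] Failed to query the loaded module list\n");

    std::cout << "Press ENTER to continue..." << std::flush;
    std::cin.get();
    return rc;
}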