Finding Ntoskrnl.exe Base Address

One of the pre-requisites to nearly all user-mode payloads on Windows is a stub that is responsible for locating the base address of kernel32.dll. In kernel-mode, the logical equivalent to kernel32.dll is ntoskrnl.exe, also known more succinctly as nt. The purpose of nt is to implement the heart of the kernel itself and to provide the core library interface to device drivers. For that reason, a lot of the routines that are exported by nt may be of use to kernel-mode payloads. This makes locating the base address of nt important because it is what facilitates the resolving of exported symbols. This section will describe a few techniques that can be used to locate the base address of nt.

One general technique that is taken to find the base address of nt is to reliably locate a pointer that exists somewhere within the memory mapping for nt and to scan down toward lower addresses until the MZ checksum is found. This technique will be referred to as a scandown technique since it involves scanning downward toward lower addresses^3.1. In the implementations provided below, each makes use of an optimization to walk down in PAGE_SIZE decrements. However, this also adds four bytes to the amount of space taken up by the stub. If size is a concern, walking down byte-by-byte as is done in the eEye paper can be a great way to save space.

Another thing to keep in mind with some of these implementations is that they may fail if the /3GB boot flag is specified. This is not generally very common, but it could be something that is encountered in the real world.

• IDT Scandown
• KPRCB IdleThread Scandown
• SYSENTER_EIP_MSR Scandown
• Known Portable Base Scandown