Uninformed: Informative Information for the Uninformed

Vol 3» 2006.Jan

KPRCB IdleThread Scandown

Size: 17 bytes
Compat: All

The base address of nt can also be found by looking at the IdleThread attribute of the KPRCB for the current KPCR. As it stands, this attribute always appears to point to a global variable inside of nt. Just like the IDT scandown approach, this technique uses the symbol as a starting point to walk down and find the base address of nt by looking for the MZ checksum. The following disassembly shows how this is accomplished:

00000000  A12CF1DFFF        mov eax,[0xffdff12c]
00000005  662501F0          and ax,0xf001
00000009  48                dec eax
0000000A  6681384D5A        cmp word [eax],0x5a4d
0000000F  75F4              jnz 0x5

This approach will fail if it happens that the IdleThread attribute does not point somewhere within nt, but thus far a scenario such as this has not been observed. It would also fail if the Kprcb attribute was not found immediately after the Kpcr, but this has not been observed in testing.