Uninformed: Informative Information for the Uninformed

Vol 3» 2006.Jan


KPRCB IdleThread Scandown

Size: 17 bytes
Compat: All

The base address of nt can also be found by looking at the IdleThread attribute of the KPRCB for the current KPCR. As it stands, this attribute always appears to point to a global variable inside of nt. Just like the IDT scandown approach, this technique uses that pointer as a starting point and walks down a page at a time until it finds the MZ signature (0x5a4d) that marks the start of the image. The following disassembly shows how this is accomplished. The mov loads IdleThread from its fixed address (KPCR at 0xffdff000, KPRCB embedded at offset 0x120, IdleThread at offset 0xc within it). The and with 0xf001 clears bits 1 through 11 of the low word but deliberately keeps bit 0, which is what lets a single dec serve two purposes: from a page-aligned value the dec steps back to the last byte of the page below (a harmless compare at offset 0xfff), and from that value the next and/dec pair lands exactly on that page's first word, so each page boundary below the pointer is tested once:

00000000  A12CF1DFFF        mov eax,[0xffdff12c]
00000005  662501F0          and ax,0xf001
00000009  48                dec eax
0000000A  6681384D5A        cmp word [eax],0x5a4d
0000000F  75F4              jnz 0x5

This approach will fail if the IdleThread attribute does not point somewhere within nt, but thus far such a scenario has not been observed. Because the loop has no bound, that failure is not a clean miss: the scan keeps walking down until a compare touches unmapped memory and the machine bugchecks. It would also fail if the KPRCB were not embedded in the KPCR at offset 0x120 (the code hardcodes 0xffdff12c, that is, KPCR 0xffdff000 + 0x120 for PrcbData + 0xc for IdleThread), but this has not been observed in testing.
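To step through the loop without a kernel debugger, the following C program (an added example; it is not part of the original article or of the shellcode above) emulates the five instructions over a constructed fake address space: a zero-filled eight-page image at an assumed base of 0x80400000 with "MZ" in its first word, and an IdleThread value pointing into page 5 of that image, standing in for what `mov eax,[0xffdff12c]` would load. The image base, size and pointer offset are assumptions of the model, as is the iteration bound, which the real shellcode lacks. A second run with a pointer outside the image shows the failure mode described above: the very first compare touches unmapped memory.

```c
/*
 * Added example, not from the Uninformed article or its shellcode: a
 * user-mode C model of the five-instruction scandown loop, run over a
 * constructed fake address space instead of a live kernel. The image
 * base, page count and the offset of the IdleThread "global" inside the
 * image are assumptions of the model. The value that the shellcode's
 * "mov eax,[0xffdff12c]" would load is passed in directly.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE    0x1000u
#define IMAGE_PAGES  8u                   /* assumed: size of the fake nt */
#define IMAGE_SIZE   (IMAGE_PAGES * PAGE_SIZE)
#define IMAGE_BASE   0x80400000u          /* assumed: base of the fake nt */
#define MZ_SIGNATURE 0x5a4du              /* "MZ" read as a little-endian word */

/* One mapped region standing in for the nt image; everything else faults. */
struct fake_as {
    uint32_t base;
    size_t   size;
    uint8_t *mem;
};

struct scan_result {
    uint32_t base;    /* eax at the moment "MZ" matched, 0 if it never did */
    unsigned iters;   /* loop iterations executed                          */
    int      fault;   /* 1 if a compare touched unmapped memory            */
};

/* Operand fetch for "cmp word [eax],0x5a4d": a little-endian 16-bit read
 * that faults (where a real kernel would bugcheck) outside the region. */
static uint16_t read_word(const struct fake_as *as, uint32_t va, int *fault)
{
    uint64_t end = (uint64_t)as->base + as->size;   /* no 32-bit wraparound */
    if (va < as->base || (uint64_t)va + 1 >= end) {
        *fault = 1;
        return 0;
    }
    const uint8_t *p = as->mem + (va - as->base);
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* The shellcode loop, instruction for instruction:
 *   mov  eax,[0xffdff12c]   ; supplied as idle_thread
 *   and  ax,0xf001          ; clear bits 1..11, keep bit 0 and bits 12..15
 *   dec  eax
 *   cmp  word [eax],0x5a4d
 *   jnz  <and>
 * max_iters exists only so the model terminates; the real loop is
 * unbounded and keeps walking down until it matches or faults. */
static struct scan_result scandown(const struct fake_as *as,
                                   uint32_t idle_thread, unsigned max_iters)
{
    struct scan_result r = { 0, 0, 0 };
    uint32_t eax = idle_thread;

    while (r.iters < max_iters) {
        r.iters++;
        /* and ax,0xf001: the upper 16 bits of eax are untouched. */
        eax = (eax & 0xffff0000u) | (eax & 0xf001u);
        eax -= 1;                                  /* dec eax */
        uint16_t w = read_word(as, eax, &r.fault);
        if (r.fault)
            return r;
        if (w == MZ_SIGNATURE) {                   /* jnz falls through */
            r.base = eax;
            return r;
        }
    }
    return r;
}

/* Builds the fake image (zero-filled, "MZ" at its base) and runs the scan
 * from the given IdleThread value. */
static struct scan_result run_model(uint32_t idle_thread)
{
    struct fake_as as = { IMAGE_BASE, IMAGE_SIZE, calloc(IMAGE_SIZE, 1) };
    if (!as.mem) {
        struct scan_result err = { 0, 0, 1 };
        return err;
    }
    memcpy(as.mem, "MZ", 2);                       /* DOS header signature */

    /* Two compares per page (offset 0xfff, then offset 0), plus slack. */
    struct scan_result r = scandown(&as, idle_thread, IMAGE_PAGES * 2 + 2);
    free(as.mem);
    return r;
}

int main(void)
{
    /* Pointer into page 5 of the image, standing in for the IdleThread
     * global that the KPRCB field points at (assumed offset). */
    struct scan_result r = run_model(IMAGE_BASE + 0x53c0u);
    printf("IdleThread 0x%08x -> base 0x%08x after %u iterations (fault=%d)\n",
           (unsigned)(IMAGE_BASE + 0x53c0u), (unsigned)r.base, r.iters, r.fault);

    /* Failure mode from the text: a pointer outside nt faults immediately. */
    r = run_model(0x80000000u);
    printf("IdleThread 0x%08x -> base 0x%08x after %u iterations (fault=%d)\n",
           0x80000000u, (unsigned)r.base, r.iters, r.fault);
    return 0;
}
```

For the in-image pointer the model reports the base after ten iterations (five pages walked, two compares each: one at offset 0xfff, one at the page start), and for the out-of-image pointer it reports a fault on the first compare with no base found.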