General
Reply With QuotePsSetLoadImageNotifyRoutine(LoadImageNotifyCallBac k);
VOID LoadImageNotifyCallBack(
IN PUNICODE_STRING FullImageName,
IN HANDLE ProcessId, // where image is mapped
IN PIMAGE_INFO ImageInfo
);
https://msdn.microsof*****m/en-us/library/ff559957.aspx
Or
PHYSICAL_ADDRESS MmGetPhysicalAddress(
__in PVOID BaseAddress
);
https://msdn.microsof*****m/en-us/libr...=VS.85%29.aspx
This was one of the reasons I gave up on drivers cause the documentation sucks and google has few results
Thread: Absolute address
Results 1 to 7 of 7
-
01-13-2011 #1Expert Member
- Join Date
- Sep 2010
- Gender
- Posts
- 733
- Reputation
180- Thanks
- 880
- My Mood
-
Absolute address
This may be a very stupid question, but I've no idea where to find the answer so if you guys could help me out I'd be very great full.
Does anyone know how to get the absolute address of a running image in memory?
Assume that I have all the data available about this program (PE, size, path, name, register you name it)
Any api's to help me find the correct address?
(I'm not injected, and I'm in user mode)
I'm SCHiM
Morals derive from the instinct to survive. Moral behavior is survival behavior above the individual level.
Polymorphic engine
Interprocess callback class
SIN
Infinite-precision arithmetic
Hooking dynamic linkage
(sloppy)Kernel mode Disassembler!!!
Semi debugger
-
01-13-2011 #2MPGH Addict
- Join Date
- Mar 2008
- Gender
- Location
- Posts
- 3,976
- Reputation
- 343
- Thanks
- 4,320
- My Mood
-
Last edited by Hell_Demon; 01-13-2011 at 01:53 PM.
Ah we-a blaze the fyah, make it bun dem!
-
01-13-2011 #3What is Watson?
- Join Date
- Jul 2009
- Gender
- Location
- Posts
- 4,304
- Reputation
- 170
- Thanks
- 2,203
- My Mood
-
All I know is RVA's, VA's, and Raw Data Offset. What would a Absoulute address be?
"Every gun that is made, every warship launched, every rocket fired signifies, in the final sense, a theft from those who hunger and are not fed, those who are cold and are not clothed. This world in arms is not spending money alone. It is spending the sweat of its laborers, the genius of its scientists, the hopes of its children. The cost of one modern heavy bomber is this: a modern brick school in more than 30 cities. It is two electric power plants, each serving a town of 60,000 population. It is two fine, fully equipped hospitals. It is some fifty miles of concrete pavement. We pay for a single fighter plane with a half million bushels of wheat. We pay for a single destroyer with new homes that could have housed more than 8,000 people. This is, I repeat, the best way of life to be found on the road the world has been taking. This is not a way of life at all, in any true sense. Under the cloud of threatening war, it is humanity hanging from a cross of iron."- Dwight D. Eisenhower
-
01-13-2011 #4MPGH Addict
- Join Date
- Mar 2008
- Gender
- Location
- Posts
- 3,976
- Reputation
- 343
- Thanks
- 4,320
- My Mood
-
Virtual Address = address relative to the address space of that image in memory(as in 0x00000000 - 0xFFFFFFFF)
Originally Posted by why06
Absolute/Physical(?) address = address relative to how the OS has them loaded, as in if you add enough bytes you're in the address space of the next process.
I guess thats what the OP means at least =3Ah we-a blaze the fyah, make it bun dem!
-
The Following User Says Thank You to Hell_Demon For This Useful Post:
why06 (01-13-2011)
-
01-13-2011 #5What is Watson?
- Join Date
- Jul 2009
- Gender
- Location
- Posts
- 4,304
- Reputation
- 170
- Thanks
- 2,203
- My Mood
-
Oh the real physical address that the kernel manages. why would you need that? I'm sure you might be able to fin it using some undocumented kernel function, but since all programs run in Virtual Memory, and things are move in and out of memory as the kernel sees fit, It's hard to even be sure it will still be there once you find it. =/
"Every gun that is made, every warship launched, every rocket fired signifies, in the final sense, a theft from those who hunger and are not fed, those who are cold and are not clothed. This world in arms is not spending money alone. It is spending the sweat of its laborers, the genius of its scientists, the hopes of its children. The cost of one modern heavy bomber is this: a modern brick school in more than 30 cities. It is two electric power plants, each serving a town of 60,000 population. It is two fine, fully equipped hospitals. It is some fifty miles of concrete pavement. We pay for a single fighter plane with a half million bushels of wheat. We pay for a single destroyer with new homes that could have housed more than 8,000 people. This is, I repeat, the best way of life to be found on the road the world has been taking. This is not a way of life at all, in any true sense. Under the cloud of threatening war, it is humanity hanging from a cross of iron."- Dwight D. Eisenhower
-
The Following User Says Thank You to why06 For This Useful Post:
Hell_Demon (01-14-2011)
-
01-14-2011 #6
ThreadstarterExpert Member
- Join Date
- Sep 2010
- Gender
- Posts
- 733
- Reputation
- 180
- Thanks
- 880
- My Mood
-
(I'm not injected, and I'm in user mode) Originally Posted by Hell_Demon
PsSetLoadImageNotifyRoutine(LoadImageNotifyCallBac k);
VOID LoadImageNotifyCallBack(
IN PUNICODE_STRING FullImageName,
IN HANDLE ProcessId, // where image is mapped
IN PIMAGE_INFO ImageInfo
);
PsSetLoadImageNotifyRoutine (Windows Driver Kit)
Or
PHYSICAL_ADDRESS MmGetPhysicalAddress(
__in PVOID BaseAddress
);
MmGetPhysicalAddress (Windows Driver Kit)
This was one of the reasons I gave up on drivers cause the documentation sucks and google has few results
But I'll look them up for kernel mode
I'm SCHiM
Morals derive from the instinct to survive. Moral behavior is survival behavior above the individual level.
Polymorphic engine
Interprocess callback class
SIN
Infinite-precision arithmetic
Hooking dynamic linkage
(sloppy)Kernel mode Disassembler!!!
Semi debugger
-
01-14-2011 #7MPGH Addict
- Join Date
- Mar 2008
- Gender
- Location
- Posts
- 3,976
- Reputation
- 343
- Thanks
- 4,320
- My Mood
-
Page table - Wikipedia, the free encyclopedia that might be interesting as well =3
Ah we-a blaze the fyah, make it bun dem!