Tags: windows, windows-server-2008, windbg, etw, windows-kernel

How do I get the address to kernel modules nt and win32k?


I need to know the base addresses where nt and win32k are loaded. I can find out this information by booting the system with kernel debugging enabled, starting a kernel debug session, and running the command lm to get a list of the loaded modules.

What I want to do is programmatically determine where these two modules are loaded without booting into debug mode and using the kernel debugger. I need the base addresses for resolving syscalls in an Event Tracing for Windows log file.

The system I am working on is running Windows Server 2008 R2.


Solution

  • The list of loaded kernel modules and their base addresses (including ntoskrnl) is the list pointed to by the PsLoadedModuleList symbol. Or use ZwQuerySystemInformation(SystemModuleInformation) instead.

    For detailed information see http://alter.org.ua/docs/nt_kernel/procaddr/
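The following script is an added example, not code from the answer or from the linked page. It takes the second route the answer suggests: from user mode, ntdll exports the same routine as NtQuerySystemInformation, and information class SystemModuleInformation (11) returns an RTL_PROCESS_MODULES block (a module count followed by one entry per loaded kernel module, each carrying ImageBase, ImageSize and the ANSI path). The structure is undocumented, so the layout below is written out by hand for both 32-bit and 64-bit pointer sizes; it assumes a native (64-bit) Python on an x64 system, which is what Windows Server 2008 R2 is. The function names, the parser, and the SAMPLE_ENTRIES list (made-up addresses, chosen only to look like x64 kernel and session-space addresses) are this example's own, so that the parsing can be exercised on any platform; the live call runs only on Windows. In WinDbg's lm output the kernel shows up as "nt", but the file name to look for here is ntoskrnl.exe.

```python
"""Enumerate loaded kernel modules via NtQuerySystemInformation(SystemModuleInformation).

Added example (not the original answer's code). RTL_PROCESS_MODULES and
RTL_PROCESS_MODULE_INFORMATION are undocumented structures; their layout is
reproduced below for 8-byte (x64) and 4-byte (x86) pointers.
"""
import struct
import sys
from typing import List, NamedTuple, Optional, Sequence, Tuple

SYSTEM_MODULE_INFORMATION = 11            # SYSTEM_INFORMATION_CLASS value
STATUS_INFO_LENGTH_MISMATCH = 0xC0000004  # "buffer too small, ReturnLength says how much"


class KernelModule(NamedTuple):
    image_base: int   # ImageBase: what WinDbg's lm prints as the start address
    image_size: int   # ImageSize in bytes
    full_path: str    # e.g. \SystemRoot\system32\ntoskrnl.exe
    name: str         # file name only, via OffsetToFileName


def _layout(pointer_size: int) -> Tuple[int, str]:
    """Return (offset of Modules[0], struct format of one entry) for a pointer size.

    Entry: Section, MappedBase, ImageBase (pointers), ImageSize, Flags (ULONG),
    LoadOrderIndex, InitOrderIndex, LoadCount, OffsetToFileName (USHORT),
    FullPathName[256] (UCHAR). The header is a ULONG NumberOfModules padded
    to pointer alignment, so Modules[] starts at 8 on x64 and 4 on x86.
    """
    if pointer_size == 8:
        return 8, "<QQQIIHHHH256s"
    return 4, "<IIIIIHHHH256s"


def parse_module_list(buf: bytes, pointer_size: int = 8) -> List[KernelModule]:
    """Decode an RTL_PROCESS_MODULES buffer into KernelModule records."""
    header_size, fmt = _layout(pointer_size)
    entry_size = struct.calcsize(fmt)
    (count,) = struct.unpack_from("<I", buf, 0)
    needed = header_size + count * entry_size
    if len(buf) < needed:
        raise ValueError(f"buffer holds {len(buf)} bytes, {count} entries need {needed}")
    modules = []
    for i in range(count):
        (_section, _mapped_base, image_base, image_size, _flags,
         _load_order, _init_order, _load_count, name_off, path) = \
            struct.unpack_from(fmt, buf, header_size + i * entry_size)
        full_path = path.split(b"\0", 1)[0].decode("latin-1")
        # OffsetToFileName indexes the raw ANSI bytes, so slice before decoding.
        name = path[name_off:].split(b"\0", 1)[0].decode("latin-1")
        modules.append(KernelModule(image_base, image_size, full_path, name))
    return modules


def find_module(modules: Sequence[KernelModule], name: str) -> Optional[KernelModule]:
    """Case-insensitive lookup by file name (e.g. 'ntoskrnl.exe', 'win32k.sys')."""
    wanted = name.lower()
    return next((m for m in modules if m.name.lower() == wanted), None)


def query_loaded_modules() -> List[KernelModule]:
    """Live query on Windows: grow the buffer until ntdll stops reporting a length mismatch."""
    import ctypes  # imported here so the parser stays usable off-Windows
    fn = ctypes.WinDLL("ntdll").NtQuerySystemInformation
    fn.argtypes = [ctypes.c_ulong, ctypes.c_void_p, ctypes.c_ulong, ctypes.POINTER(ctypes.c_ulong)]
    fn.restype = ctypes.c_ulong  # NTSTATUS, read unsigned so 0xC0000004 compares directly
    size = 0x10000
    while True:
        buf = ctypes.create_string_buffer(size)
        returned = ctypes.c_ulong(0)
        status = fn(SYSTEM_MODULE_INFORMATION, buf, size, ctypes.byref(returned))
        if status == STATUS_INFO_LENGTH_MISMATCH:
            size = max(returned.value, size * 2)
            continue
        if status != 0:
            raise OSError(f"NtQuerySystemInformation failed: 0x{status:08X}")
        return parse_module_list(buf.raw[:returned.value], ctypes.sizeof(ctypes.c_void_p))


# Constructed sample data (made-up addresses), used to exercise the parser off-Windows.
SAMPLE_ENTRIES = [
    (0xFFFFF80001600000, 0x5E5000, r"\SystemRoot\system32\ntoskrnl.exe"),
    (0xFFFFF80001BE5000, 0x049000, r"\SystemRoot\system32\hal.dll"),
    (0xFFFFF96000050000, 0x2A0000, r"\SystemRoot\System32\win32k.sys"),
]


def build_module_buffer(entries, pointer_size: int = 8) -> bytes:
    """Pack (image_base, image_size, path) triples into the RTL_PROCESS_MODULES layout."""
    header_size, fmt = _layout(pointer_size)
    out = bytearray(struct.pack("<I", len(entries)).ljust(header_size, b"\0"))
    for idx, (base, size, path) in enumerate(entries):
        raw = path.encode("latin-1")
        out += struct.pack(fmt, 0, base, base, size, 0, idx, idx, 1, raw.rfind(b"\\") + 1, raw)
    return bytes(out)


if __name__ == "__main__":
    modules = query_loaded_modules() if sys.platform == "win32" \
        else parse_module_list(build_module_buffer(SAMPLE_ENTRIES), 8)
    for wanted in ("ntoskrnl.exe", "win32k.sys"):
        m = find_module(modules, wanted)
        if m is None:
            print(f"{wanted}: not loaded")
        else:
            print(f"{wanted:12s} base=0x{m.image_base:016X} size=0x{m.image_size:X} {m.full_path}")
```

Two practical caveats. On Windows Server 2008 R2 any user can read ImageBase this way; from Windows 8.1 onward the kernel zeroes those fields for callers below high integrity, so run elevated on newer systems. If you would rather stay on documented APIs, psapi's EnumDeviceDrivers plus GetDeviceDriverBaseName returns the same base addresses, and the bases it reports match what lm shows in the kernel debugger.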