I am trying to call a function in the kernel that is located in the win32kfull.sys module.
I got the base address of the module using ZwQuerySystemInformation.
Now I want to find out the offset of the NtUserSendInput function located in the win32kfull.sys module.
When I open win32kfull.sys in IDA Pro and open the function, I get two addresses:
Unfortunately I don't know how to add the offsets to the base address of win32kfull.sys to get the function address.
I would be grateful if someone could explain to me how I could proceed now.
NtUserSendInput is an exported function, which means that the PE format of the image (specifically the export directory) will let you know the address of the function if you parse it correctly.
This is a better solution: getting the offset out of IDA Pro would give you a version-specific address, which means that you would have to get the offset for each build of win32kfull.sys, and each time there is a new version you're going to have to update your driver.
So, if you have the base address of win32kfull.sys, you can treat it as the start address of the PE structure and parse it; there are plenty of tutorials online about how to do that.
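The export-directory walk the answer describes, as an added example (not code from the original post or from the answerer). It assumes the image is already mapped, as a loaded kernel module is, so every RVA is a plain offset from the module base and no section-table translation is needed (parsing win32kfull.sys from disk would need that extra step). The sample image, its base address, and all export names other than NtUserSendInput are constructed for the example; a real driver would do the same walk in C over the mapped module and should bounds-check every RVA against SizeOfImage before dereferencing it.

```python
import struct

# Signature and magic constants from the PE specification (winnt.h names)
IMAGE_DOS_SIGNATURE = 0x5A4D             # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550          # "PE\0\0"
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B    # PE32+
IMAGE_DIRECTORY_ENTRY_EXPORT = 0


def _cstr(image: bytes, rva: int) -> str:
    """Read a NUL-terminated ASCII string at an RVA of a mapped image."""
    end = image.index(b"\0", rva)
    return image[rva:end].decode("ascii")


def find_export_rva(image: bytes, name: str):
    """Walk the export directory of a *mapped* PE32+ image (RVA == offset from base).

    Returns the function RVA as an int, the forwarder string for a forwarded
    export, or None when the name is not exported.
    """
    if struct.unpack_from("<H", image, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if struct.unpack_from("<I", image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte signature, then the optional header.
    opt = e_lfanew + 4 + 20
    if struct.unpack_from("<H", image, opt)[0] != IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        raise ValueError("not a PE32+ image")
    # In IMAGE_OPTIONAL_HEADER64, NumberOfRvaAndSizes is at +108 and DataDirectory[] at +112.
    if struct.unpack_from("<I", image, opt + 108)[0] <= IMAGE_DIRECTORY_ENTRY_EXPORT:
        return None
    exp_rva, exp_size = struct.unpack_from(
        "<II", image, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_EXPORT)
    if exp_rva == 0:
        return None  # the image exports nothing
    # IMAGE_EXPORT_DIRECTORY (40 bytes): Characteristics, TimeDateStamp, Major/MinorVersion,
    # Name, Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames,
    # AddressOfNameOrdinals
    (_chars, _stamp, _major, _minor, _name_rva, _base, _n_funcs, n_names,
     addr_of_funcs, addr_of_names, addr_of_ordinals) = struct.unpack_from(
        "<IIHHIIIIIII", image, exp_rva)
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", image, addr_of_names + 4 * i)[0]
        if _cstr(image, name_rva) != name:
            continue
        # The ordinal table maps the i-th name to an index into AddressOfFunctions.
        index = struct.unpack_from("<H", image, addr_of_ordinals + 2 * i)[0]
        func_rva = struct.unpack_from("<I", image, addr_of_funcs + 4 * index)[0]
        # An address that lands inside the export directory is a forwarder string, not code.
        if exp_rva <= func_rva < exp_rva + exp_size:
            return _cstr(image, func_rva)
        return func_rva
    return None


def export_address(module_base: int, image: bytes, name: str):
    """Absolute address of an exported function: module base plus its RVA."""
    rva = find_export_rva(image, name)
    if not isinstance(rva, int):
        return None  # not exported, or forwarded to another module
    return module_base + rva


def build_sample_image() -> bytes:
    """Constructed stand-in for a mapped module: minimal PE32+ headers plus an export table.

    Three exports are laid out the way a linker would: names sorted, the ordinal
    table indirecting into AddressOfFunctions, and one forwarder entry.
    """
    img = bytearray(0x2000)
    e_lfanew = 0x80
    struct.pack_into("<H", img, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    struct.pack_into("<I", img, e_lfanew, IMAGE_NT_SIGNATURE)
    # IMAGE_FILE_HEADER: Machine=AMD64, 1 section, SizeOfOptionalHeader=240
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = e_lfanew + 4 + 20
    struct.pack_into("<H", img, opt, IMAGE_NT_OPTIONAL_HDR64_MAGIC)
    struct.pack_into("<I", img, opt + 108, 16)                   # NumberOfRvaAndSizes
    exp_rva, exp_size = 0x400, 0x200
    struct.pack_into("<II", img, opt + 112, exp_rva, exp_size)   # DataDirectory[EXPORT]
    funcs, names, ords, strs, fwd = 0x440, 0x460, 0x480, 0x4A0, 0x500
    # AddressOfFunctions: index 0 -> NtUserSendInput, 1 -> AaaFirst, 2 -> forwarder string
    struct.pack_into("<III", img, funcs, 0x1200, 0x1100, fwd)
    table = [("AaaFirst", 1), ("NtUserSendInput", 0), ("ZzzForwarded", 2)]  # constructed names
    cursor = strs
    for i, (nm, idx) in enumerate(table):
        struct.pack_into("<I", img, names + 4 * i, cursor)
        struct.pack_into("<H", img, ords + 2 * i, idx)
        img[cursor:cursor + len(nm) + 1] = nm.encode() + b"\0"
        cursor += len(nm) + 1
    img[fwd:fwd + 18] = b"OTHER.ExampleFunc\0"
    struct.pack_into("<IIHHIIIIIII", img, exp_rva, 0, 0, 0, 0, 0, 1, 3, 3, funcs, names, ords)
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    base = 0xFFFFF80012340000  # constructed module base, as ZwQuerySystemInformation would report
    print(hex(export_address(base, image, "NtUserSendInput")))
```

The linear name scan is deliberate: real linkers sort the name table so a binary search is possible, but a linear walk is simpler to verify and the cost is negligible for a one-time lookup at driver load. The forwarder check matters because a forwarded export's "address" is a string, and adding it to the module base would yield a bogus pointer.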