Hi, I will dump the other process from a kernel driver
and use KeStackAttachProcess to change the driver's current context.
After the user-mode address space has changed, how can I find the base address of the current process? I need the base address to cast it to PIMAGE_DOS_HEADER (and parse it to find the sections). Can I use the PEB?
Any other solution?
There is a special API function for that:
__in PEPROCESS Process
And you can use the SectionBaseAddress field in the EPROCESS structure:
+0x128 SectionBaseAddress : 0x00400000 Void
It may vary between OS versions.
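To make the answer concrete, here is an added example; it is not code from the question or from the answer. It assumes the image base was obtained the way the answer describes (PsGetProcessSectionBaseAddress(Process), or the SectionBaseAddress field of EPROCESS) while attached to the target with KeStackAttachProcess; those kernel calls are only mentioned in a comment and are not compiled here. The parsing itself is portable C and runs against a constructed headers-only image. The struct definitions reproduce the SDK layouts of IMAGE_DOS_HEADER, IMAGE_FILE_HEADER and IMAGE_SECTION_HEADER; the names pe_enumerate_sections, pe_find_section and build_sample_image are mine.

```c
/* Added example, not code from the question or answer. Walks the PE headers at a
 * process image base and enumerates its sections, checking every offset against
 * `readable`, the number of bytes known to be safe to read. In a driver, base =
 * PsGetProcessSectionBaseAddress(Process) inside KeStackAttachProcess/KeUnstackDetachProcess. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_DOS_SIGNATURE 0x5A4D      /* "MZ" */
#define IMAGE_NT_SIGNATURE  0x00004550  /* "PE\0\0" */

typedef struct {                        /* SDK layout, 64 bytes */
    uint16_t e_magic, e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc, e_ss, e_sp,
             e_csum, e_ip, e_cs, e_lfarlc, e_ovno, e_res[4], e_oemid, e_oeminfo, e_res2[10];
    int32_t  e_lfanew;                  /* offset of "PE\0\0" from the image base */
} IMAGE_DOS_HEADER;

typedef struct {                        /* SDK layout, 20 bytes */
    uint16_t Machine, NumberOfSections;
    uint32_t TimeDateStamp, PointerToSymbolTable, NumberOfSymbols;
    uint16_t SizeOfOptionalHeader, Characteristics;
} IMAGE_FILE_HEADER;

typedef struct {                        /* SDK layout, 40 bytes */
    uint8_t  Name[8];
    uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
             PointerToRelocations, PointerToLinenumbers;
    uint16_t NumberOfRelocations, NumberOfLinenumbers; uint32_t Characteristics;
} IMAGE_SECTION_HEADER;

typedef void (*section_cb)(const IMAGE_SECTION_HEADER *sec, void *ctx);

/* Returns the number of sections visited, or -1 if the headers are not a sane PE
 * image or do not fit in `readable`. Headers are memcpy'd out so an odd e_lfanew
 * cannot cause an unaligned access. */
int pe_enumerate_sections(const uint8_t *base, size_t readable, section_cb cb, void *ctx)
{
    IMAGE_DOS_HEADER dos; IMAGE_FILE_HEADER fh; uint32_t sig;
    if (!base || readable < sizeof dos) return -1;
    memcpy(&dos, base, sizeof dos);
    if (dos.e_magic != IMAGE_DOS_SIGNATURE || dos.e_lfanew < (int32_t)sizeof dos) return -1;
    size_t off = (size_t)dos.e_lfanew;
    if (off + sizeof sig + sizeof fh > readable) return -1;
    memcpy(&sig, base + off, sizeof sig);
    if (sig != IMAGE_NT_SIGNATURE) return -1;
    memcpy(&fh, base + off + sizeof sig, sizeof fh);
    if (fh.NumberOfSections > 96) return -1;             /* the Windows loader rejects more */
    size_t sec_off = off + sizeof sig + sizeof fh + fh.SizeOfOptionalHeader;
    if (sec_off + fh.NumberOfSections * sizeof(IMAGE_SECTION_HEADER) > readable) return -1;
    for (unsigned i = 0; i < fh.NumberOfSections; i++) {
        IMAGE_SECTION_HEADER sec;
        memcpy(&sec, base + sec_off + i * sizeof sec, sizeof sec);
        if (cb) cb(&sec, ctx);
    }
    return fh.NumberOfSections;
}

struct find_ctx { const char *name; IMAGE_SECTION_HEADER *out; int found; };

static void match_name(const IMAGE_SECTION_HEADER *sec, void *ctx)
{
    struct find_ctx *f = ctx;
    if (!f->found && strncmp((const char *)sec->Name, f->name, 8) == 0) { *f->out = *sec; f->found = 1; }
}

/* Finds a section by name, e.g. ".text" to locate the code you want to dump. 1 = found. */
int pe_find_section(const uint8_t *base, size_t readable, const char *name, IMAGE_SECTION_HEADER *out)
{
    struct find_ctx f = { name, out, 0 };
    return pe_enumerate_sections(base, readable, match_name, &f) < 0 ? 0 : f.found;
}

/* Constructed test data (not a real binary): a headers-only PE32+ image with a
 * zeroed 240-byte optional header and two sections. Returns the image size. */
size_t build_sample_image(uint8_t *buf, size_t cap)
{
    IMAGE_DOS_HEADER dos = {0}; IMAGE_FILE_HEADER fh = {0}; IMAGE_SECTION_HEADER s[2];
    uint32_t sig = IMAGE_NT_SIGNATURE;
    size_t off = 0x80, need = off + sizeof sig + sizeof fh + 240 + sizeof s;
    if (cap < need) return 0;
    memset(buf, 0, need); memset(s, 0, sizeof s);
    dos.e_magic = IMAGE_DOS_SIGNATURE; dos.e_lfanew = (int32_t)off;
    fh.Machine = 0x8664; fh.NumberOfSections = 2; fh.SizeOfOptionalHeader = 240;
    memcpy(s[0].Name, ".text", 5); s[0].VirtualAddress = 0x1000; s[0].VirtualSize = 0x2000;
    s[0].Characteristics = 0x60000020;                   /* CODE | EXECUTE | READ */
    memcpy(s[1].Name, ".data", 5); s[1].VirtualAddress = 0x3000; s[1].VirtualSize = 0x800;
    s[1].Characteristics = 0xC0000040;                   /* INITIALIZED_DATA | READ | WRITE */
    memcpy(buf, &dos, sizeof dos);
    memcpy(buf + off, &sig, sizeof sig);
    memcpy(buf + off + sizeof sig, &fh, sizeof fh);
    memcpy(buf + off + sizeof sig + sizeof fh + 240, s, sizeof s);
    return need;
}

int main(void)
{
    uint8_t img[1024]; IMAGE_SECTION_HEADER text; size_t n = build_sample_image(img, sizeof img);
    int count = pe_enumerate_sections(img, n, NULL, NULL);
    if (pe_find_section(img, n, ".text", &text))
        printf("%d sections, .text at RVA 0x%x, truncated mapping -> %d\n", count, text.VirtualAddress, pe_enumerate_sections(img, n - 1, NULL, NULL));
    return count == 2 ? 0 : 1;
}
```

In the driver, `readable` is the byte count you have actually validated, for example the first page of the image after ProbeForRead, since the headers of a normal image fit in that page. Wrap the access in __try/__except: the target's pages can be unmapped or inaccessible even while you are attached, and ProbeForRead only checks the address range, not that the pages are present. The -1 paths above are what a corrupted or hostile image would otherwise turn into a kernel read out of bounds.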