I've written some code which is used to reload a PE module at an arbitrary address, and below is the memory after the code reloads ntoskrnl.exe of the Windows kernel:
kd> lm
start end module name
83c14000 84018000 nt (pdb symbols) \\vboxsvr\symbols\ntkrnlmp.pdb\00625D7D36754CBEBA4533BA9A0F3FE22\ntkrnlmp.pdb
899e1000 899e1000 nt_ffffffff899e1000 T (pdb symbols) \\vboxsvr\sharedfolder\nt.pdb
......
Address 0x83c14000 is the original ntoskrnl.exe and 0x899e1000 is the newly loaded one; the two addresses contain the same binary data:
kd> dc 83c14000 L20
83c14000 00905a4d 00000003 00000004 0000ffff MZ..............
83c14010 000000b8 00000000 00000040 00000000 ........@.......
83c14020 00000000 00000000 00000000 00000000 ................
83c14030 00000000 00000000 00000000 00000278 ............x...
83c14040 0eba1f0e cd09b400 4c01b821 685421cd ........!..L.!Th
83c14050 70207369 72676f72 63206d61 6f6e6e61 is program canno
83c14060 65622074 6e757220 206e6920 20534f44 t be run in DOS
83c14070 65646f6d 0a0d0d2e 00000024 00000000 mode....$.......
kd> dc 899e1000 L20
899e1000 00905a4d 00000003 00000004 0000ffff MZ..............
899e1010 000000b8 00000000 00000040 00000000 ........@.......
899e1020 00000000 00000000 00000000 00000000 ................
899e1030 00000000 00000000 00000000 00000278 ............x...
899e1040 0eba1f0e cd09b400 4c01b821 685421cd ........!..L.!Th
899e1050 70207369 72676f72 63206d61 6f6e6e61 is program canno
899e1060 65622074 6e757220 206e6920 20534f44 t be run in DOS
899e1070 65646f6d 0a0d0d2e 00000024 00000000 mode....$.......
The \\vboxsvr\symbols\ntkrnlmp.pdb\00625D7D36754CBEBA4533BA9A0F3FE22\ntkrnlmp.pdb and \\vboxsvr\sharedfolder\nt.pdb are the same file; I just copied it into two different places in order to use it.
The problem is: the reloaded kernel cannot display correct symbol names.
Here is the evidence.
Show the original ZwCreateFile code:
kd> u ZwCreateFile L5
nt!ZwCreateFile:
83c47300 b842000000 mov eax,42h
83c47305 8d542404 lea edx,[esp+4]
83c47309 9c pushfd
83c4730a 6a08 push 8
83c4730c e86d230000 call nt!KiSystemService (83c4967e)
Which seems all good; then I calculated the offset of this function:
kd> ?83c47300-83c14000 // original function offset in ntoskrnl.exe
Evaluate expression: 209664 = 00033300
kd> ?899e1000+00033300 // function address in reloaded ntoskrnl.exe (0x899e1000 is new base address, see above)
Evaluate expression: -1985920256 = 89a14300
Check the "new" function at 0x89a14300:
kd> u 89a14300 L5
ReadVirtual: 89a14300 not properly sign extended
89a14300 b842000000 mov eax,42h
89a14305 8d542404 lea edx,[esp+4]
89a14309 9c pushfd
89a1430a 6a08 push 8
89a1430c e86d230000 call 89a1667e
They have the same opcodes, except the call instruction. The original is displayed with the correct symbolic name nt!KiSystemService
but the newly reloaded one is not (it just displays a raw address).
I calculated the offset again:
kd> ?83c4967e-83c14000
Evaluate expression: 218750 = 0003567e
kd> ?89a1667e-899e1000
Evaluate expression: 218750 = 0003567e
The call instruction's offset is equal.
What am I doing wrong? I want the reloaded module to display with correct symbolic names ...
The magic is hidden here:
kd> lm
start end module name
83c14000 84018000 nt (pdb symbols) \\vboxsvr\symbols\ntkrnlmp.pdb\00625D7D36754CBEBA4533BA9A0F3FE22\ntkrnlmp.pdb
899e1000 899e1000 nt_ffffffff899e1000 T (pdb symbols) \\vboxsvr\sharedfolder\nt.pdb
......
The original nt module's end address is 84018000, but the newly loaded module's end address equals its start address, so we need to reload the new module with this command:
.reload /i nt=899e1000,404000
After we indicated the correct size of the newly loaded module, all symbols worked:
kd> lmol
start end module name
83c14000 84018000 nt (pdb symbols) \\vboxsvr\sharedfolder\ntkrnlmp.pdb
899e1000 89de5000 ntkrnlmp (pdb symbols) \\vboxsvr\sharedfolder\ntkrnlmp.pdb
92cb8000 92cfb000 petool (private pdb symbols) x:\test\petool\build\objchk_win7_x86\i386\petool.pdb
kd> u nt!ZwCreateFile L5
nt!ZwCreateFile:
83c47300 b842000000 mov eax,42h
83c47305 8d542404 lea edx,[esp+4]
83c47309 9c pushfd
83c4730a 6a08 push 8
83c4730c e86d230000 call nt!KiSystemService (83c4967e)
kd> ?83c47300-83c14000+899e1000
Evaluate expression: -1985920256 = 89a14300
kd> u 89a14300 L5
89a14300 b842000000 mov eax,42h
89a14305 8d542404 lea edx,[esp+4]
89a14309 9c pushfd
89a1430a 6a08 push 8
89a1430c e86d230000 call ntkrnlmp!KiSystemService (89a1667e)
kd> u ntkrnlmp!ZwCreateFile L5
ntkrnlmp!ZwCreateFile:
89a14300 b842000000 mov eax,42h
89a14305 8d542404 lea edx,[esp+4]
89a14309 9c pushfd
89a1430a 6a08 push 8
89a1430c e86d230000 call ntkrnlmp!KiSystemService (89a1667e)
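Two pieces of arithmetic underlie the thread above: the question translates an address in the original image to the copy by keeping the offset from the module base constant, and the answer supplies the missing module size (0x404000, the original end minus start) to .reload /i. The script below is an added example, not code from the poster: it reads SizeOfImage out of a PE header, applies the base translation, and builds the .reload command string. The PE image it parses is a constructed minimal header with only the fields needed here (it assumes a standard DOS stub, PE signature, COFF header and PE32/PE32+ optional header layout); the addresses are the ones from the debugger session on this page.

```python
import struct

# Offsets of the fields used, per the standard PE layout.
E_LFANEW_OFFSET = 0x3C            # DOS header: file offset of "PE\0\0"
COFF_SIZE = 20                    # COFF file header length
OPT_MAGIC_PE32 = 0x10B
OPT_MAGIC_PE32PLUS = 0x20B
OPT_SIZEOFIMAGE_OFFSET = 56       # same offset in PE32 and PE32+


def size_of_image(image: bytes) -> int:
    """Return IMAGE_OPTIONAL_HEADER.SizeOfImage from an in-memory PE image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, E_LFANEW_OFFSET)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    size_of_opt = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + COFF_SIZE
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (OPT_MAGIC_PE32, OPT_MAGIC_PE32PLUS):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if size_of_opt < OPT_SIZEOFIMAGE_OFFSET + 4:
        raise ValueError("optional header too short to hold SizeOfImage")
    return struct.unpack_from("<I", image, opt + OPT_SIZEOFIMAGE_OFFSET)[0]


def relocate(addr: int, old_base: int, new_base: int) -> int:
    """Map an address in the original module to the same offset in the copy."""
    return new_base + (addr - old_base)


def reload_command(module: str, new_base: int, size: int) -> str:
    """Build the WinDbg '.reload /i name=base,size' line used in the answer."""
    return ".reload /i %s=%x,%x" % (module, new_base, size)


def build_sample_image(size: int) -> bytes:
    """Construct a minimal PE header (DOS header, PE signature, COFF header,
    PE32 optional header) whose only meaningful field is SizeOfImage.
    Constructed test data, not a real ntoskrnl.exe."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x80)
    # Machine=i386, 0 sections, no timestamp/symbols, 224-byte optional header.
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, OPT_MAGIC_PE32)
    struct.pack_into("<I", opt, 28, 0x00400000)     # ImageBase (placeholder)
    struct.pack_into("<I", opt, OPT_SIZEOFIMAGE_OFFSET, size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Values taken from the debugger session on this page.
    orig_base, new_base = 0x83C14000, 0x899E1000
    image = build_sample_image(0x404000)   # 84018000 - 83c14000
    size = size_of_image(image)
    print(reload_command("nt", new_base, size))
    for name, addr in (("ZwCreateFile", 0x83C47300), ("KiSystemService", 0x83C4967E)):
        print("%s: %x -> %x" % (name, addr, relocate(addr, orig_base, new_base)))
```

The debugger's end address equalling the start address is the visible symptom of a missing size: without SizeOfImage the symbol server has no range to attach the PDB to, which is why the first `u 89a14300` resolved nothing even though the bytes were identical.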