KevUtilAddressToFileHeader
Windows Research Kernel @ HPI

To resolve an arbitrary address to the module (program or driver) it belongs to, you can traverse the PsLoadedModuleList by hand, or you can use KevUtilAddressToFileHeader (defined in base/ntos/ke/kevutil.c), which does that walk for you.
An example: you want to monitor thread creation. The thread data structure (ETHREAD) contains a PVOID field, StartAddress, which points to the code the thread executes. How can this address be resolved to a module, and which function is actually executed? KevUtilAddressToFileHeader answers the first question; the offset it returns, looked up in the module's map file or symbols, answers the second.
    NTSTATUS
    KevUtilAddressToFileHeader(
        IN PVOID Address,
        OUT UINT_PTR *OffsetIntoImage,
        OUT PUNICODE_STRING *DriverName,
        OUT BOOLEAN *InVerifierList
        )

    /*++

    Routine Description:

        This function returns the name of a driver based on the specified
        Address. In addition, the offset into the driver is returned along
        with an indication as to whether the driver is among the list of
        those being verified.

    Arguments:

        Address - Supplies an address to resolve to a driver name.

        OffsetIntoImage - Receives the offset relative to the base of the
            driver.

        DriverName - Receives a pointer to the name of the driver.

        InVerifierList - Receives TRUE if the driver is in the verifier
            list, FALSE otherwise.

    Return Value:

        NTSTATUS (On failure, OffsetIntoImage receives NULL, DriverName
        receives NULL, and InVerifierList receives FALSE).

    --*/
The following code snippet prints the module/driver name on the debug console. The OffsetIntoImage value can then be matched against the module's map file or symbols to identify the executed function. Two things to keep in mind: the function resolves only addresses covered by PsLoadedModuleList, so it fails (and clears all OUT values) for a user-mode start address, which is why the status check is not optional; and DriverName points at the UNICODE_STRING inside the loader's module entry, whose Buffer is not guaranteed to be NUL-terminated, so print it with %wZ rather than %ws and do not cache the pointer beyond the module's lifetime.

    UINT_PTR OffsetIntoImage;
    PUNICODE_STRING DriverName;
    BOOLEAN InVerifierList;
    ...
    // Fails for addresses outside PsLoadedModuleList (e.g. a user-mode
    // start address); all OUT values are cleared in that case.
    if (NT_SUCCESS(KevUtilAddressToFileHeader(Thread->StartAddress,
                                              &OffsetIntoImage,
                                              &DriverName,
                                              &InVerifierList))) {
        // %wZ honours UNICODE_STRING.Length; Buffer need not be NUL-terminated.
        DbgPrint("thread start address - 0x%p [%wZ 0x%p]\n",
                 Thread->StartAddress,
                 DriverName,
                 (PVOID)OffsetIntoImage);
    }
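To show what the lookup behind KevUtilAddressToFileHeader actually does, here is a user-mode model of it, added here as an example; it is not code from the WRK or from the HPI page. MODULE_ENTRY is a constructed stand-in for the loader's module entry, reduced to the fields the range check needs, the three module records (bases, sizes, names) are made up, and STATUS_SUCCESS/STATUS_UNSUCCESSFUL are assumed placeholder values for the real NTSTATUS codes. It demonstrates the half-open [DllBase, DllBase + SizeOfImage) range test, the boundary cases at the edges of adjacent images, and the documented failure contract (all OUT values cleared) that the snippet above relies on.

```c
/* Added example, not code from the WRK or the HPI page: a user-mode model of
 * the lookup KevUtilAddressToFileHeader performs against PsLoadedModuleList.
 * MODULE_ENTRY is a constructed stand-in for the loader's module entry,
 * reduced to the fields the lookup needs; the module records are made up. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

#define CONTAINING_RECORD(address, type, field) \
    ((type *)((char *)(address) - offsetof(type, field)))

typedef struct _MODULE_ENTRY {
    LIST_ENTRY  InLoadOrderLinks;   /* links into the loaded-module list */
    uintptr_t   DllBase;            /* image base address */
    uint32_t    SizeOfImage;        /* size of the mapped image in bytes */
    const char *BaseDllName;        /* narrow string in place of UNICODE_STRING */
    int         InVerifierList;     /* models the entry's verifier flag */
} MODULE_ENTRY;

/* Assumed placeholder status values; the kernel returns real NTSTATUS codes. */
enum { STATUS_SUCCESS = 0, STATUS_UNSUCCESSFUL = -1 };

/* Plays the role of PsLoadedModuleList: an empty circular list initially. */
static LIST_ENTRY LoadedModuleList = { &LoadedModuleList, &LoadedModuleList };

static void InsertTailList(LIST_ENTRY *head, LIST_ENTRY *entry)
{
    entry->Flink = head;
    entry->Blink = head->Blink;
    head->Blink->Flink = entry;
    head->Blink = entry;
}

/* Constructed module records; bases and sizes are illustrative only. */
static MODULE_ENTRY Modules[] = {
    { {0, 0}, 0x80400000UL, 0x200000, "ntoskrnl.exe", 0 },
    { {0, 0}, 0x80600000UL, 0x040000, "hal.dll",      0 },
    { {0, 0}, 0xF8000000UL, 0x010000, "mydrv.sys",    1 },
};

/* Populates the list once; safe to call repeatedly. */
void ModelRegisterModules(void)
{
    static int registered = 0;
    size_t i;
    if (registered) return;
    for (i = 0; i < sizeof Modules / sizeof Modules[0]; i++)
        InsertTailList(&LoadedModuleList, &Modules[i].InLoadOrderLinks);
    registered = 1;
}

/* Same contract as the kernel routine: walk the list, find the image whose
 * [DllBase, DllBase + SizeOfImage) range contains Address, and report the
 * offset, name and verifier flag. On failure every OUT value is cleared. */
int ModelAddressToFileHeader(uintptr_t Address, uintptr_t *OffsetIntoImage,
                             const char **DriverName, int *InVerifierList)
{
    LIST_ENTRY *next;

    *OffsetIntoImage = 0;
    *DriverName = NULL;
    *InVerifierList = 0;

    for (next = LoadedModuleList.Flink; next != &LoadedModuleList; next = next->Flink) {
        MODULE_ENTRY *e = CONTAINING_RECORD(next, MODULE_ENTRY, InLoadOrderLinks);
        uintptr_t end = e->DllBase + e->SizeOfImage;   /* one past the last byte */
        if (Address >= e->DllBase && Address < end) {
            *OffsetIntoImage = Address - e->DllBase;
            *DriverName = e->BaseDllName;
            *InVerifierList = e->InVerifierList;
            return STATUS_SUCCESS;
        }
    }
    return STATUS_UNSUCCESSFUL;
}

int main(void)
{
    /* Constructed "thread start addresses": two inside modules, one outside. */
    uintptr_t probes[] = { 0x80412345UL, 0xF8001234UL, 0x7FFD0000UL };
    size_t i;

    ModelRegisterModules();
    for (i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uintptr_t offset; const char *name; int verified;
        if (ModelAddressToFileHeader(probes[i], &offset, &name, &verified) == STATUS_SUCCESS)
            printf("thread start address - 0x%lx [%s 0x%lx]%s\n",
                   (unsigned long)probes[i], name, (unsigned long)offset,
                   verified ? " (in verifier list)" : "");
        else
            printf("thread start address - 0x%lx [not in a loaded module]\n",
                   (unsigned long)probes[i]);
    }
    return 0;
}
```

The third probe stands in for a user-mode start address: nothing in the model list covers it, so the call fails and the caller gets cleared outputs, exactly the case the NT_SUCCESS check in the snippet above guards against. The kernel routine additionally takes the loaded-module resource while walking the list; the model omits that locking since it is single-threaded.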