I have a strange problem.
I want to walk IAT of NTOSKRNL.EXE in kernel-mode.
I get the base address of NTOSKRNL.EXE correctly.
But pImportTable is not a valid address, why?
					
										
																										
            I want to walk IAT of NTOSKRNL.EXE in kernel-mode.
I get the base address of NTOSKRNL.EXE correctly.
But pImportTable is not a valid address, why?
Code: Select all
VOID NativeGetImportFunctionAddress(SIZE_T uModBase, CHAR *cSearchFnName)
{
	IMAGE_DOS_HEADER *doshdr;
	#ifdef AMD64
	IMAGE_OPTIONAL_HEADER64 *opthdr;
	#else
	IMAGE_OPTIONAL_HEADER32 *opthdr;
	#endif
	PIMAGE_IMPORT_DESCRIPTOR pImportTable;
	PIMAGE_THUNK_DATA pThunk=NULL;
	ULONG dwThunk=0;
	USHORT Hint;
	//
	doshdr = (IMAGE_DOS_HEADER *)uModBase;
	if (NULL == doshdr)
	{
		goto __exit;
	}
	#ifdef AMD64
	opthdr = (IMAGE_OPTIONAL_HEADER64 *)(uModBase + doshdr->e_lfanew + 24); //24=sizeof(ULONG)+sizeof(IMAGE_FILE_HEADER)
	#else
	opthdr = (IMAGE_OPTIONAL_HEADER32 *)(uModBase + doshdr->e_lfanew + 24);
	#endif
	if (NULL == opthdr)
	{
		goto __exit;
	}
	pImportTable = (IMAGE_IMPORT_DESCRIPTOR *)(uModBase + opthdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
	if (NULL == pImportTable)
	{
		goto __exit;
	}
	DbgPrint("pImportTable=%p\n",pImportTable); //This address is not valid.
	/*while ( pImportTable->Characteristics != 0 )
	{
		//DbgPrint("[%s]\n",uModBase + pImportTable->Name);
		//pThunk = ( IMAGE_THUNK_DATA* )(uModBase + pImportTable->FirstThunk );
		//break;
		pImportTable++;
	}*/
__exit:
	return;
}
