KevUtilAddressToFileHeader

By Michael Schöbel

To resolve an arbitrary address to get the module (program or driver) this address belongs to, you could traverse the PsLoadedModuleList by hand. Or you use KevUtilAddressToFileHeader (defined in base/ntos/ke/kevutil.c).


An example: you want to monitor thread creation activities. The thread datastructure (ETHREAD) contains a PVOID entry StartAddress which points to the code the thread executes. How can this address be resolved? Which function is actually executed?

To answer this questions the KevUtilAddressToFileHeader function can be used.

NTSTATUS
KevUtilAddressToFileHeader(
    IN  PVOID                   Address,
    OUT UINT_PTR                *OffsetIntoImage,
    OUT PUNICODE_STRING         *DriverName,
    OUT BOOLEAN                 *InVerifierList
    )
 
/*++
 
Routine Description:
 
    This function returns the name of a driver based on the specified
    Address. In addition, the offset into the driver is returned along
    with an indication as to whether the driver is among the list of those
    being verified.
 
Arguments:
 
    Address         - Supplies an address to resolve to a driver name.
 
    OffsetIntoImage - Receives the offset relative to the base of the driver.
 
    DriverName      - Receives a pointer to the name of the driver.
 
    InVerifierList  - Receives TRUE if the driver is in the verifier list,
                      FALSE otherwise.
 
Return Value:
 
    NTSTATUS (On failure, OffsetIntoImage receives NULL, DriverName receives
              NULL, and InVerifierList receives FALSE).
 
--*/

The following code snippet can be used to show the module/driver name on the debug console. The OffsetIntoImage value could be used to identify the executed function.

UINT_PTR OffsetIntoImage;
PUNICODE_STRING DriverName;
BOOLEAN InVerifierList;
 
...
 
if (NT_SUCCESS(KevUtilAddressToFileHeader(
    Thread->StartAddress,
    &OffsetIntoImage,
    &DriverName,
    &InVerifierList))) {
 
DbgPrint("thread start address - 0x%p [%ws 0x%p]n",
    Thread->StartAddress,
    DriverName->Buffer,
    OffsetIntoImage);
 
}

Comments

Comments are closed.