Closed MrT-1 closed 4 years ago
In the current version this is unfortunately not possible. The win32k* modules are not mapped into the System (pid 4) kernel address space, and there is no setting to access kernel address space in ordinary user-mode processes in the current version. I plan to add support for this in the next version, but it's likely to be some time before I'll be able to publish it.
This should now be possible:

```c
// Look up the module entry for win32k.sys (module base address etc.).
VMMDLL_MAP_MODULEENTRY ModuleMapEntry;
VMMDLL_ProcessMap_GetModuleFromName(4, L"win32k.sys", &ModuleMapEntry);
```

win32k.sys is not mapped into the memory space of the System process, but it is mapped into most user processes like csrss.exe or explorer.exe, in the kernel part of memory that MemProcFS usually hides for usability reasons. I added the VMMDLL_PID_PROCESS_WITH_KERNELMEMORY flag to override this behavior.
One way of doing it is to use the PDB symbol subsystem; it will download the appropriate PDBs from the Microsoft symbol server. You may also use the VMMDLL_PID_PROCESS_WITH_KERNELMEMORY flag when reading memory or retrieving exported functions. But for this example let's use the PDB. Let's say your targeted process has the pid 123, then do:
```c
ULONG64 vaSymbolAddress = 0;
CHAR szModuleName[MAX_PATH] = {0};
// Load the PDB for the module at ModuleMapEntry.vaBase, viewed through pid 123
// with the kernel part of its address space exposed.
VMMDLL_PdbLoad(123 | VMMDLL_PID_PROCESS_WITH_KERNELMEMORY, ModuleMapEntry.vaBase, szModuleName);
// Resolve the symbol's virtual address from the loaded PDB.
VMMDLL_PdbSymbolAddress(szModuleName, "gafAsyncKeyState", &vaSymbolAddress);
```
I simplified the above a bit; obviously the return values and such should be checked for errors. Anyway, please do let me know if you should still have issues with this.
Otherwise I wish to thank you for this really awesome enhancement suggestion. Thank you 👍
Is it possible to do the equivalent of this?

```c
GetProcAddress(LoadLibrary(L"win32kbase.sys"), "gafAsyncKeyState");
```