I'm trying to get PIMAGE_NT_HEADERS64 from KernelBase by using RtlImageNtHeader but I keep getting KMODE_EXCEPTION_NOT_HANDLED bsod error message whenever I run the driver. (PS I have already checked and GetKernelBase is not returning nullptr & that GetKernelBase is not causing the BSOD)
How I get KernelBase:
PVOID GetKernelBase(OUT PULONG pSize)
{
NTSTATUS status = STATUS_SUCCESS;
ULONG bytes = 0;
PRTL_PROCESS_MODULES pMods = NULL;
PVOID checkPtr = NULL;
UNICODE_STRING routineName;
PVOID g_KernelBase = nullptr;
ULONG g_KernelSize;
RtlUnicodeStringInit(&routineName, L"NtOpenFile");
checkPtr = MmGetSystemRoutineAddress(&routineName);
if (checkPtr == NULL)
return NULL;
// Protect from UserMode AV
status = ZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS::SystemModuleInformation, 0, bytes, &bytes);
if (bytes == 0)
{
DbgPrint("BlackBone: %s: Invalid SystemModuleInformation size\n", __FUNCTION__);
return NULL;
}
pMods = (PRTL_PROCESS_MODULES)ExAllocatePoolWithTag(NonPagedPool, bytes, BB_POOL_TAG);
RtlZeroMemory(pMods, bytes);
status = ZwQuerySystemInformation(SystemModuleInformation, pMods, bytes, &bytes);
if (NT_SUCCESS(status))
{
PRTL_PROCESS_MODULE_INFORMATION pMod = pMods->Modules;
for (ULONG i = 0; i < pMods->NumberOfModules; i++)
{
// System routine is inside module
if (checkPtr >= pMod[i].ImageBase &&
checkPtr < (PVOID)((PUCHAR)pMod[i].ImageBase + pMod[i].ImageSize))
{
g_KernelBase = pMod[i].ImageBase;
g_KernelSize = pMod[i].ImageSize;
if (pSize)
* pSize = g_KernelSize;
DbgPrint("KernelBase found! Size: " + g_KernelSize);
break;
}
}
}
if (pMods)
ExFreePoolWithTag(pMods, BB_POOL_TAG);
return g_KernelBase;
}
How I use RtlImageNtHeader:
PULONG pSize = NULL;
PVOID base = GetKernelBase(pSize);
PIMAGE_NT_HEADERS64 pHdr = RtlImageNtHeader(base); // causing crash
Thanks in advance