I need to know the base addresses where nt and win32k are loaded. I can find out this information by booting the system with kernel debugging enabled, start a kernel debug session, and run the command lm to get a list of the loaded modules.
What I want to do is programmatically determine where these two modules are loaded without booting into debug mode and using the kernel debugger. I need the base addresses for resolving syscalls in an Event Tracing for Windows log file.
The system I am working on is running Windows Server 2008 R2.
The list of loaded kernel modules and base addresses (including
ntoskrnl) is stored in the list pointed byPsLoadedModuleListsymbol. Or useZwQuerySystemInformation(SystemModuleInformation)instead.For detailed information see http://alter.org.ua/docs/nt_kernel/procaddr/