I have extracted a dump file of system call addresses called in windows using ETW. I had some confusions about the addresses. I just use NtOpenFile for future examples.
1-
I dump the Kernel PDB file received from Microsoft symbol server (ntkrnlmp.pdb) using cvdump. it's entry for NtOpenfile is like this:
S_PUB32: [000D:000DF320], Flags: 00000002, NtOpenFile
Then I open ntoskrnl.exe using Dependency Walker (DP). I scroll down and see the entry for NtOpenFile:
Then I receive the Kernel Base address using this little piece of code:
hNtdll = GetModuleHandle("ntdll.dll");
NtQuerySystemInformation = (NtQuerySystemInformationFunc)GetProcAddress(hNtdll, "NtQuerySystemInformation");
NtQuerySystemInformation(SystemModuleInformation, &ModuleInfo, sizeof(ModuleInfo), NULL);
KernelBase = (ULONG64)ModuleInfo.Modules[0].ImageBase;
The kernel base address is: fffff802f7616000
The actual address for NtOpenFile extracted using windbg is fffff802f7b0e320 nt!NtOpenFile
Adding the kernel base with address extracted from the pdb file gives me the wrong address (adding with the address from DP results correct). Why?
2-
Why don't functions in win32k.sys like NtGdiFlush exist in the .sys file opened by DP? In Windows 10, there is another file named win32kfull.sys which contains those symbols but not in Windows 7.
3-
I cannot map functions like NtQueryVirtualMemory at all. it exists in the ntkrnlmp.pdb dump, but as I said in part 1, the address seems wrong! And also it exists in ntoskrnl.exe opened by DP as ZwQueryVirtualMemory. But it differs from NtQueryVirtualMemory address extracted by windbg.exe How do these map to each other? How can I extract this function's address using DP or PDB files?
4-
How can I find win32k.sys system call addresses (like NtGdiFlush's address) using windbg?
the command kd> x /D nt!Nt* does not give me these symbol addresses.
I am not clear what your use case is if it was just obtaining an address for an api from just a pdb file you could use the dbh.exe tool that comes with windbg package in batch mode
it loads the pdb at a default base (normally 0x10000000) and provides you the address of the api relative to that base
example
you can confirm also with sysinternals livekd.exe
as for as finding an api from all the loaded modules you can employ wildcards like *. etc
It doesn't appear to be that simple as adding the S_PUB32 Value spat out by cvdump for a symbol to the segment offset
it seems that the S_PUB32 value was written before optimization function chunking etc all happened
cvdump in its headers has two different header information
one appears to be the actual header that is embedded in the final executable one one appears to be the original header pre optimization ? or whatever would be done after writing this header
the S_PUB32 value is added to the original segment offset in this case
0x620c8 is added to 0x166000 the virtual address of
original header's section #8(this isn't reflected in dumpbin.exe /headers so dumpbin is kinda useless )now omapf for this seems to show the actual function offset in the final executable
the pattern appears to be consistent for a few functions i tried
checking some random api
if fpo data is available you can get the function size prolog no of params no of locals etc too
this exactly matches the windbg .fnent function output