Monday, January 21, 2019

simple way to find PsKernelRangeList

It seems that since around build 15025 the absolute addresses of KUSER_SHARED_DATA.SystemCall and KUSER_SHARED_DATA.ProcessorFeatures have been added to PsKernelRangeList.
So now the list can be trivially found by searching the .data section for the signature 0xFFFFF78000000308 (0xFFDF0308 on 32-bit).
Let's see what is interesting in this list.
Items in PsKernelRangeList can be described something like this:

struct protected_area
{
 PBYTE addr; // start of the protected range
 PBYTE len;  // length of the range in bytes (a pointer-sized field)
};
Also it seems that new entries are always added at the end of this list. On build 18312 this list contains:
  1. PspPicoProviderRoutines
  2. 3 zero entries
  3. MmUserProbeAddress (exported)
  4. MmSystemRangeStart (exported)
  5. MmHighestUserAddress (exported)
  6. MmBadPointer (exported)
  7. HvcallCodeVa
  8. PsWin32NullCallBack
  9. PspSystemMitigationOptions (size 0x10)
  10. KdpBootedNodebug
  11. KUSER_SHARED_DATA.SystemCall
  12. KUSER_SHARED_DATA.ProcessorFeatures
  13. KiDynamicTraceEnabled
  14. KiDynamicTraceCallouts (size 0x28 on 32-bit, 0x50 on 64-bit)
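As an added example (not code from the post), here is the signature search described above done over a 64-bit .data image: find 0xFFFFF78000000308 at pointer alignment, treat the hit as one {addr, len} entry and walk its neighbours. The plausibility check, the sample image and the function names are my assumptions; the list has no known terminator, so the walk is a heuristic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Entry layout from the post, 64-bit build assumed: two pointer-sized fields. */
typedef struct { uint64_t addr; uint64_t len; } protected_area;
#define SIG_SYSTEMCALL 0xFFFFF78000000308ULL /* &KUSER_SHARED_DATA.SystemCall (post) */

/* Heuristic (assumption, not from the post): addr zero or kernel-mode, len small. Zero
   entries are legitimate (the post lists three), so zero padding before the list is absorbed. */
static int plausible(const uint8_t *p)
{
    protected_area e;
    memcpy(&e, p, sizeof e);
    return (e.addr == 0 || e.addr >= 0xFFFF800000000000ULL) && e.len <= 0x1000;
}

/* Scan a .data image at pointer alignment for the signature, walk back over plausible
   entries to the list head (*head), count plausible entries forward. 0 if no hit. */
size_t enumerate_range_list(const uint8_t *data, size_t size, long *head)
{
    const long es = sizeof(protected_area);
    long off = -1;
    for (size_t i = 0; i + (size_t)es <= size; i += sizeof(uint64_t)) {
        uint64_t v;
        memcpy(&v, data + i, sizeof v);
        if (v == SIG_SYSTEMCALL) { off = (long)i; break; }
    }
    if (off < 0) { *head = -1; return 0; }
    while (off >= es && plausible(data + off - es)) off -= es;
    *head = off;
    size_t n = 0;
    while (off + es <= (long)size && plausible(data + off)) { off += es; n++; }
    return n;
}

/* Constructed sample, not a real dump: 'A' garbage, a 6-entry list at offset 32, 'A' garbage.
   Returns the entry count or -1 if the head is wrong; 0x274 is from the public KUSER_SHARED_DATA layout. */
long sample_check(void)
{
    static const protected_area list[] = {
        { 0xFFFFF80012340000ULL, 8 }, { 0, 0 }, { 0, 0 }, { 0, 0 }, /* Pico + 3 zero entries */
        { SIG_SYSTEMCALL, 4 }, { 0xFFFFF78000000274ULL, 0x40 } };   /* SystemCall, ProcessorFeatures */
    uint8_t buf[32 + sizeof list + 16];
    long head;
    memset(buf, 'A', sizeof buf);
    memcpy(buf + 32, list, sizeof list);
    size_t n = enumerate_range_list(buf, sizeof buf, &head);
    return head == 32 ? (long)n : -1;
}
```

On a real ntoskrnl image the same scan is run over the raw .data section bytes, and the 32-bit variant needs 4-byte fields and the 0xFFDF0308 signature.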