MmGetSystemRoutineAddress : forwards on vista

It is very frustrating to discover that this export cannot resolve forwarded APIs. Here is one example from Vista, taken from the export section of the HAL, where the fast-mutex routines are no longer code in the HAL but forwarders pointing into ntoskrnl:

.edata:8002F485 ; Exported entry   1. ExAcquireFastMutex
.edata:8002F485                 public ExAcquireFastMutex
.edata:8002F485 ExAcquireFastMutex db 'ntoskrnl.ExiAcquireFastMutex',0
.edata:8002F4A2 aExreleasefastm db 'ExReleaseFastMutex',0
.edata:8002F4B5 ; Exported entry   2. ExReleaseFastMutex
.edata:8002F4B5                 public ExReleaseFastMutex
.edata:8002F4B5 ExReleaseFastMutex db 'ntoskrnl.ExiReleaseFastMutex',0
.edata:8002F4D2 aExtrytoacquire db 'ExTryToAcquireFastMutex',0
.edata:8002F4EA ; Exported entry   3. ExTryToAcquireFastMutex
.edata:8002F4EA                 public ExTryToAcquireFastMutex
.edata:8002F4EA ExTryToAcquireFastMutex db 'ntoskrnl.ExiTryToAcquireFastMutex',0
When you call MmGetSystemRoutineAddress with one of these names it returns the address of the forwarder string itself, i.e. a pointer to the bytes 'ntoskrnl.ExiAcquireFastMutex', not the address of ExiAcquireFastMutex inside ntoskrnl. It does not follow forwarders at all. Calling through that pointer executes ASCII text as code, so a driver that blindly trusts the return value will crash. The tell-tale sign is defined by the PE format: an export whose RVA lies inside the address range of the export directory itself (the range given by the export entry of the data directory) is a forwarder, and the bytes there are a 'module.function' string rather than code.

The best way is to use your own MmGetSystemRoutineAddress instead of the one provided by the Windows kernel: walk the export table yourself, check whether the RVA you get lands inside the export directory, and if it does, split the forwarder string at the dot and look the target name up in the export table of the module it names (ntoskrnl in the example above).
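To show what such a forwarder-aware lookup has to do, here is an added user-mode example (not code from the original post) that walks a PE export directory the way a replacement for MmGetSystemRoutineAddress must, and classifies each export as code or forwarder using the export-directory range rule. It runs against a constructed flat in-memory image (RVA equal to offset) that mimics the Vista HAL entry above; the names resolve_export, build_sample_image and sample.dll are hypothetical and exist only for this example. In a driver the same walk would run on the real module base, and a forwarder result would be fed back into the same function against the named module's image.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: a forwarder-aware export lookup over a flat PE image. */
#define IMG_SIZE 0x2000u

enum { EXP_NOT_FOUND = 0, EXP_CODE = 1, EXP_FORWARDER = 2, EXP_BAD = -1 };

static uint32_t rd32(const uint8_t *img, uint32_t off)
{
    if (off > IMG_SIZE - 4) return 0;                /* out of image: treat as 0 */
    return (uint32_t)img[off] | (uint32_t)img[off + 1] << 8 |
           (uint32_t)img[off + 2] << 16 | (uint32_t)img[off + 3] << 24;
}
static void wr32(uint8_t *img, uint32_t off, uint32_t v)
{
    img[off] = v & 0xff; img[off + 1] = (v >> 8) & 0xff;
    img[off + 2] = (v >> 16) & 0xff; img[off + 3] = (v >> 24) & 0xff;
}
static void wr16(uint8_t *img, uint32_t off, uint16_t v)
{ img[off] = v & 0xff; img[off + 1] = (uint8_t)(v >> 8); }

/* Look up 'name' in the export table. Returns EXP_CODE with *rva_out set,
 * EXP_FORWARDER with fwd_mod/fwd_func filled from "module.function",
 * EXP_NOT_FOUND, or EXP_BAD for a malformed image. */
int resolve_export(const uint8_t *img, const char *name, uint32_t *rva_out,
                   char *fwd_mod, char *fwd_func, size_t fwd_len)
{
    if (img[0] != 'M' || img[1] != 'Z') return EXP_BAD;
    uint32_t nt = rd32(img, 0x3c);                              /* e_lfanew */
    if (nt > IMG_SIZE - 0x100 || rd32(img, nt) != 0x00004550u) return EXP_BAD; /* "PE\0\0" */
    uint16_t magic = (uint16_t)(img[nt + 0x18] | img[nt + 0x19] << 8);
    /* DataDirectory[0] (export) sits at OptionalHeader+0x60 for PE32, +0x70 for PE32+ */
    uint32_t dd = nt + 0x18 + (magic == 0x20b ? 0x70 : 0x60);
    uint32_t exp_va = rd32(img, dd), exp_sz = rd32(img, dd + 4);
    if (exp_va == 0 || exp_sz == 0 || exp_va > IMG_SIZE - exp_sz) return EXP_BAD;
    uint32_t nnames = rd32(img, exp_va + 0x18);   /* NumberOfNames */
    uint32_t funcs  = rd32(img, exp_va + 0x1c);   /* AddressOfFunctions */
    uint32_t names  = rd32(img, exp_va + 0x20);   /* AddressOfNames */
    uint32_t ords   = rd32(img, exp_va + 0x24);   /* AddressOfNameOrdinals */
    for (uint32_t i = 0; i < nnames; i++) {
        uint32_t name_rva = rd32(img, names + 4 * i);
        if (name_rva >= IMG_SIZE || ords + 2 * i + 1 >= IMG_SIZE) return EXP_BAD;
        if (strncmp((const char *)img + name_rva, name, IMG_SIZE - name_rva) != 0) continue;
        uint16_t ord = (uint16_t)(img[ords + 2 * i] | img[ords + 2 * i + 1] << 8);
        uint32_t rva = rd32(img, funcs + 4 * ord);
        /* PE rule: an RVA inside the export directory range is a forwarder string, not code */
        if (rva >= exp_va && rva < exp_va + exp_sz) {
            const char *s = (const char *)img + rva;
            const char *end = memchr(s, 0, IMG_SIZE - rva);
            if (!end) return EXP_BAD;
            const char *dot = memchr(s, '.', (size_t)(end - s));
            if (!dot) return EXP_BAD;
            size_t ml = (size_t)(dot - s), fl = (size_t)(end - dot - 1);
            if (ml >= fwd_len || fl >= fwd_len) return EXP_BAD;
            memcpy(fwd_mod, s, ml); fwd_mod[ml] = 0;
            memcpy(fwd_func, dot + 1, fl); fwd_func[fl] = 0;
            return EXP_FORWARDER;
        }
        *rva_out = rva;
        return EXP_CODE;
    }
    return EXP_NOT_FOUND;
}

/* Constructed PE32 image (hypothetical "sample.dll") with one forwarded export,
 * laid out like the Vista HAL entry, and one ordinary code export. */
void build_sample_image(uint8_t *img)
{
    memset(img, 0, IMG_SIZE);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img, 0x3c, 0x40);                     /* e_lfanew */
    wr32(img, 0x40, 0x00004550u);              /* "PE\0\0" */
    wr16(img, 0x40 + 0x14, 0xe0);              /* SizeOfOptionalHeader (PE32) */
    wr16(img, 0x40 + 0x18, 0x10b);             /* OptionalHeader.Magic = PE32 */
    wr32(img, 0x40 + 0x18 + 0x60, 0x200);      /* export directory RVA */
    wr32(img, 0x40 + 0x18 + 0x64, 0xb0);       /* export directory size: 0x200..0x2b0 */
    wr32(img, 0x200 + 0x0c, 0x240);            /* Name */
    wr32(img, 0x200 + 0x10, 1);                /* Base */
    wr32(img, 0x200 + 0x14, 2);                /* NumberOfFunctions */
    wr32(img, 0x200 + 0x18, 2);                /* NumberOfNames */
    wr32(img, 0x200 + 0x1c, 0x228);            /* AddressOfFunctions */
    wr32(img, 0x200 + 0x20, 0x230);            /* AddressOfNames */
    wr32(img, 0x200 + 0x24, 0x238);            /* AddressOfNameOrdinals */
    wr32(img, 0x228, 0x270);                   /* ordinal 0 -> inside export dir: forwarder */
    wr32(img, 0x22c, 0x1000);                  /* ordinal 1 -> real code outside export dir */
    wr32(img, 0x230, 0x250); wr32(img, 0x234, 0x290);   /* name RVAs (sorted) */
    wr16(img, 0x238, 0);     wr16(img, 0x23a, 1);       /* name -> ordinal */
    strcpy((char *)img + 0x240, "sample.dll");
    strcpy((char *)img + 0x250, "ExAcquireFastMutex");
    strcpy((char *)img + 0x270, "ntoskrnl.ExiAcquireFastMutex");
    strcpy((char *)img + 0x290, "KeGetCurrentIrql");
    img[0x1000] = 0xc3;                        /* ret: stand-in for code */
}

int main(void)
{
    static uint8_t img[IMG_SIZE];
    uint32_t rva = 0; char mod[64], fn[64];
    const char *want[] = { "ExAcquireFastMutex", "KeGetCurrentIrql", "NoSuchRoutine" };
    build_sample_image(img);
    for (int i = 0; i < 3; i++) {
        int r = resolve_export(img, want[i], &rva, mod, fn, sizeof mod);
        if (r == EXP_FORWARDER) printf("%s -> forwarder to %s!%s (resolve there next)\n", want[i], mod, fn);
        else if (r == EXP_CODE) printf("%s -> code at RVA 0x%x\n", want[i], rva);
        else printf("%s -> not found (%d)\n", want[i], r);
    }
    return 0;
}
```

The point of the range check is that it is the only reliable way to tell the two cases apart: a forwarder RVA looks like any other export RVA until you compare it against the export directory's own extent, which is exactly the comparison the stock Vista MmGetSystemRoutineAddress does not make.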
