My question is:
When win32k.sys is loaded into session space, does it get the same base address in every session?
More details:
I am writing a kernel-mode device driver for Windows (32-bit). It loads as a standard WDM driver into system space (global memory in kernel mode) at boot time.
However, in some situations, I need to access the functions exported by win32k.sys. To be precise, I am writing some kind of driver that sometimes has to pretend to be a display driver.
I cannot statically import these functions (that is, import them through the executable's import table). This is because win32k.sys loads at a later stage, when sessions are created. In addition, it is loaded into session space.
However, I found a workaround. During session creation, I import the necessary functions dynamically. I use ZwQuerySystemInformation with SystemModuleInformation to find the base address of win32k.sys in the current session. Then, using this base address, I analyze it to find the win32k.sys export directory and get the necessary function pointers.
Currently, for each session, I keep a separate array of imported functions. However, almost all functions are always the same in all sessions. That is, win32k.sys is mapped to the same address, which belongs to session space, in each session.
Therefore, my question is, is there a guarantee that win32k.sys will map to the same address in all sessions?
Besides saving some memory, this would make my work easier. Currently, to call such a function, I need a context specific to the session where the function pointers are stored.
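
The export-directory lookup described in the post, as an added example that is not the poster's driver code: a bounds-checked walk of a mapped PE32 image's export table that returns the export's RVA, so a malformed header or table cannot cause an out-of-range read. The names `find_export_rva`, `build_sample` and the export `EngDemo` are made up for illustration, and the sample image is constructed; the caller is assumed to pass the module's mapped base and its image size.

```c
#include <stdint.h>
#include <string.h>
/* Bounds-checked little-endian read; in a mapped image an RVA is an offset. */
static int rd(const uint8_t *b, uint32_t n, uint32_t off, int len, uint32_t *v) {
    if (off > n || n - off < (uint32_t)len) return 0;
    *v = 0;
    for (int i = len - 1; i >= 0; i--) *v = (*v << 8) | b[off + i];
    return 1;
}

/* RVA of a named export in a mapped PE32 image of n bytes, or 0 if the name is
   absent, the entry is a forwarder, or any header/table field is out of range. */
uint32_t find_export_rva(const uint8_t *b, uint32_t n, const char *want) {
    uint32_t mz, nt, sig, magic, ndirs, exp, expsz, nfun, nnam, funcs, names, ords;
    if (!rd(b, n, 0, 2, &mz) || mz != 0x5A4D) return 0;            /* "MZ" */
    if (!rd(b, n, 0x3C, 4, &nt) || !rd(b, n, nt, 4, &sig) || sig != 0x4550) return 0;
    uint32_t opt = nt + 24;              /* skip signature and file header */
    if (!rd(b, n, opt, 2, &magic) || magic != 0x10B) return 0;     /* PE32 only */
    if (!rd(b, n, opt + 92, 4, &ndirs) || ndirs < 1) return 0;
    if (!rd(b, n, opt + 96, 4, &exp) || !rd(b, n, opt + 100, 4, &expsz) || !exp) return 0;
    if (!rd(b, n, exp + 20, 4, &nfun) || !rd(b, n, exp + 24, 4, &nnam) ||
        !rd(b, n, exp + 28, 4, &funcs) || !rd(b, n, exp + 32, 4, &names) ||
        !rd(b, n, exp + 36, 4, &ords)) return 0;
    size_t wl = strlen(want) + 1;        /* compare including the NUL */
    for (uint32_t i = 0; i < nnam; i++) {
        uint32_t nrva, ord, frva;
        if (!rd(b, n, names + 4 * i, 4, &nrva)) return 0;
        if (nrva > n || n - nrva < wl || memcmp(b + nrva, want, wl) != 0) continue;
        if (!rd(b, n, ords + 2 * i, 2, &ord) || ord >= nfun) return 0;
        if (!rd(b, n, funcs + 4 * ord, 4, &frva) || frva >= n) return 0;
        /* An RVA inside the export directory is a forwarder string, not code. */
        return (frva >= exp && frva - exp < expsz) ? 0 : frva;
    }
    return 0;
}

/* Constructed sample: minimal mapped PE32 image (0x200 bytes) exporting the
   made-up name "EngDemo" at RVA 0x1A0. Not a real win32k.sys layout. */
static void w32(uint8_t *b, uint32_t off, uint32_t v) {
    for (int i = 0; i < 4; i++) b[off + i] = (uint8_t)(v >> (8 * i));
}
void build_sample(uint8_t *b) {
    memset(b, 0, 0x200); b[0] = 'M'; b[1] = 'Z'; w32(b, 0x3C, 0x40);
    w32(b, 0x40, 0x4550); w32(b, 0x58, 0x10B); w32(b, 0x58 + 92, 16);
    w32(b, 0x58 + 96, 0x100); w32(b, 0x58 + 100, 0x80);   /* export dir RVA, size */
    w32(b, 0x100 + 20, 1); w32(b, 0x100 + 24, 1);         /* 1 function, 1 name */
    w32(b, 0x100 + 28, 0x130); w32(b, 0x100 + 32, 0x134); w32(b, 0x100 + 36, 0x138);
    w32(b, 0x130, 0x1A0); w32(b, 0x134, 0x140);           /* function RVA, name RVA */
    memcpy(b + 0x140, "EngDemo", 8);                      /* ordinal[0] stays 0 */
}
```

Storing the returned RVA rather than an absolute pointer keeps the lookup result independent of where the module is mapped; adding it to a base address is a separate step.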