NTOSKRNL Walker Lib by Juan Sacco support@exploitpack.com https://exploitpack.com
NTKernelWalkerLib is a self-contained library for resolving kernel structure offsets. It uses dbghelp to fetch RVAs of exported symbols and type information from ntoskrnl.exe, and it includes an image mapper that can scan the executable sections of the mapped image to find ROP gadgets such as "pop rcx ; ret" or "jmp rax".
Example of usage: obtaining the Token offset from the EPROCESS structure:

    #include <cstdio>
    #include "NtoskrnlStructs.hpp"

    int main() {
        ntstructs::NtoskrnlStructWalker w;
        if (!w.Initialize()) return 1; // loads C:\Windows\System32\ntoskrnl.exe + symbols
        auto tok = w.GetField("_EPROCESS", "Token");
        if (tok) std::printf("EPROCESS.Token offset = 0x%lx\n", tok->offset);
        return 0;
    }
Listing all members of a struct (w is the walker initialized in the example above):

    auto members = w.GetStructMembers("_TOKEN");
    for (auto& m : members.value_or(std::vector<ntstructs::StructMember>{})) {
        std::printf("%s @ 0x%lx (%s)%s\n",
                    m.name.c_str(), m.offset, m.typeName.c_str(),
                    m.isBitField ? " [bitfield]" : "");
    }
Finding a field without knowing the parent struct:

    auto any = w.FindFieldAcrossStructs("GrantedAccess");
    if (any) std::printf("Found %s.%s at 0x%lx\n",
                         any->typeName.c_str(), any->name.c_str(), any->offset);
Symbol path control: pass explicit paths when working offline or when using a private symbol server:

    w.Initialize(L"C:\\Windows\\System32\\ntoskrnl.exe",
                 L"srv*C:\\symcache*https://msdl.microsoft.com/download/symbols");
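The gadget search mentioned at the top relies on the image mapper restricting its scan to sections flagged executable, so identical bytes sitting in a data section are not reported. The following is an added, self-contained illustration of that section walk; it is not code from NTKernelWalkerLib, the header offsets come from the PE format, and the sample image is constructed inline.

```cpp
// Added illustration, not NTKernelWalkerLib code: walk a PE section table and search only
// sections flagged IMAGE_SCN_MEM_EXECUTE for a byte pattern such as "pop rcx ; ret" (59 C3)
// or "jmp rax" (FF E0). Header offsets follow the PE format; the image is constructed by hand.
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

struct Match { std::string section; uint32_t rva; };
static uint32_t rd32(const std::vector<uint8_t>& b, size_t o) { uint32_t v; std::memcpy(&v, &b[o], 4); return v; }

// Returns every RVA where `pat` begins inside an executable section of `img`.
std::vector<Match> FindInExecSections(const std::vector<uint8_t>& img, const std::vector<uint8_t>& pat) {
    std::vector<Match> out;
    if (img.size() < 0x40 || std::memcmp(&img[0], "MZ", 2) != 0) return out;
    uint32_t pe = rd32(img, 0x3C);                                   // e_lfanew
    if (pe + 24 > img.size() || std::memcmp(&img[pe], "PE\0\0", 4) != 0) return out;
    uint16_t nsec, optsz;
    std::memcpy(&nsec, &img[pe + 6], 2);                             // FileHeader.NumberOfSections
    std::memcpy(&optsz, &img[pe + 20], 2);                           // FileHeader.SizeOfOptionalHeader
    for (size_t sh = pe + 24 + optsz, i = 0; i < nsec && sh + 40 <= img.size(); ++i, sh += 40) {
        if (!(rd32(img, sh + 36) & 0x20000000u)) continue;          // not IMAGE_SCN_MEM_EXECUTE
        uint32_t va = rd32(img, sh + 12), sz = rd32(img, sh + 16), raw = rd32(img, sh + 20);
        if (raw > img.size() || sz > img.size() - raw) continue;     // truncated section: skip it
        size_t n = 0; while (n < 8 && img[sh + n]) ++n;              // NUL-padded 8-byte name
        std::string name(reinterpret_cast<const char*>(&img[sh]), n);
        for (size_t off = 0; off + pat.size() <= sz; ++off)
            if (std::memcmp(&img[raw + off], pat.data(), pat.size()) == 0)
                out.push_back({name, va + static_cast<uint32_t>(off)});
    }
    return out;
}

// Constructed 1 KiB sample: an executable .text and a non-executable .data section.
std::vector<uint8_t> BuildSampleImage() {
    std::vector<uint8_t> img(0x400, 0);
    auto put32 = [&](size_t o, uint32_t v) { std::memcpy(&img[o], &v, 4); };
    auto section = [&](size_t sh, const char* nm, uint32_t va, uint32_t raw, uint32_t chars) {
        std::memcpy(&img[sh], nm, std::strlen(nm));
        put32(sh + 8, 0x100); put32(sh + 12, va); put32(sh + 16, 0x100); put32(sh + 20, raw); put32(sh + 36, chars);
    };
    std::memcpy(&img[0], "MZ", 2); put32(0x3C, 0x40); std::memcpy(&img[0x40], "PE\0\0", 4);
    img[0x46] = 2; img[0x54] = 0xF0;                                 // 2 sections, PE32+ optional header
    section(0x148, ".text", 0x1000, 0x200, 0x60000020);              // CODE|EXECUTE|READ
    section(0x170, ".data", 0x2000, 0x300, 0xC0000040);              // DATA|READ|WRITE
    img[0x210] = 0x59; img[0x211] = 0xC3;                            // pop rcx ; ret at RVA 0x1010
    img[0x220] = 0xFF; img[0x221] = 0xE0;                            // jmp rax at RVA 0x1020
    img[0x305] = 0x59; img[0x306] = 0xC3;                            // same bytes in .data: not executable
    return img;
}
```

Running FindInExecSections on the sample reports the .text hits only; the copy of 59 C3 placed in .data is skipped because that section lacks the execute flag.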
There is also a standalone version of this library here: https://github.com/jsacco/ntoskrnlwalker