How to link with ntoskrnl.lib?

#30267 by grechkoed
Mon Apr 24, 2017 8:28 am

Hello!

I'm writing windows driver and want to use undocumented function from ntoskrnl.lib (PsSuspendProcess). (I know that it's not the best thing to do, but nevertheless I want to try)
So I declared it by myself:

Code: Select all

NTSTATUS
PsSuspendProcess(
	IN PEPROCESS Process
);

Found it in ntoskrnl.lib: dumpbin.exe /EXPORTS .\ntoskrnl.lib

Code: Select all

Dump of file .\ntoskrnl.lib

File Type: LIBRARY

     Exports
...
                  PsSuspendProcess
...

Also I added this file into Visual Studio project. Path to the library directory (C:\Program Files (x86)\Windows Kits\10\Lib\10.0.15063.0\km) was already in the project properites. But I got this error while compiling driver:

Code: Select all

unresolved external symbol "long __cdecl PsSuspendProcess(struct _KPROCESS *)"

So, what am I doing wrong?

Username

grechkoed

Posts

5

Joined

Mon Apr 24, 2017 8:18 am

Re: How to link with ntoskrnl.lib?

#30268 by raiden
Mon Apr 24, 2017 11:09 am

Add extern "C" __declspec(dllimport) and calling convention to your definition, something like this:

Code: Select all

extern "C"
NTSYSAPI
NTSTATUS
NTAPI
PsSuspendProcess (
  PEPROCESS Process
);

Username

raiden

Posts

8

Joined

Mon Apr 30, 2012 6:14 pm

Re: How to link with ntoskrnl.lib?

#30270 by Vrtule
Mon Apr 24, 2017 4:08 pm

Hello,

what about something like this?

Code: Select all

__declspec(dllimport) NTSTATUS
PsSuspendProcess(
   IN PEPROCESS Process
);

The project should automatically link against ntoskrnl.lib since you can hardly avoid using any of its routines.

I would recommend you, howerver, to find this symbol dynamically (MmGetSystemRoutineAddress) because you have no guarantee that it stays exported in the future (or is exported by all ntoskrnl.exe you wish to support). You are currently using ntoskrnl.lib for Windows 10.

Username

Vrtule

Posts

468

Joined

Sat Mar 13, 2010 9:14 pm

Location

Czech Republic

Contact

Re: How to link with ntoskrnl.lib?

#30274 by grechkoed
Tue Apr 25, 2017 9:37 am

Thanks guys!

The problem was that source file name was Source.cpp not Source.c, So as I think compiler tried to find mangled name. Probably your solutions will work too.

Username

grechkoed

Posts

5

Joined

Mon Apr 24, 2017 8:18 am

Re: How to link with ntoskrnl.lib?

#30276 by tangptr
Tue Apr 25, 2017 12:55 pm

If you are writing C code in *.cpp file, you may specify "/TC" parameter for cl to inform compiler to compile it into C code regardless of the file extension name. Likewise, you may specify "/TP" parameter for cl to inform compiler to compile it into C++ code regardless of the file extension name. In some cases, something like "extern C" could be unnecessary to use. This could be set via Visual Studio(Properties -> C/C++ -> Advanced -> Compile As,) but I, considering that I could specify definitions of macros and other advanced user-defined parameters for different source code files when compiling, prefer using Batch in spite of the complicated operation.

When declaring functions from other libraries, you should specify "__declspec(dllimport)"(__declspec, i.e, Declaration Specified). To make it looks more like designed for kernel-mode driver, you may specify "NTKERNELAPI" before "NTSTATUS".
FOR EXAMPLE:
NTKERNELAPI NTSTATUS PsSuspendProcess(IN PEPROCESS Process);

At long last, the jumping hands of time will be halted by a weakling cast in eternal solitude.

Username

tangptr

Posts

31

Joined

Mon Nov 14, 2016 11:14 am

Location

People Republic of China

Contact