Can I call a function in NTDLL.dll from a kernel-mode driver?
Let’s say that I need a function that is not publicly exported by ntoskrnl.exe, but only by ntdll.dll, where it just makes a proper “int 0x2E”, which is also used for some functions within ntoskrnl.exe …
This DLL is mapped in the ‘System’ process also…
Then a related question:
Can I dynamically find a function in kernel-mode driver.sys (something like GetProcAddress)?
MmGetSystemRoutineAddress does not have a module parameter.
I would just like to call a function from one driver to another, with a temporary solution of giving that function pointer into a DeviceExtension.
For that NtDll above the case would be easy: find the PE header with the help of MmIsAddressValid and traverse the Exports section, but finding a kernel-mode driver DLL is not that easy…
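The export-table walk described above (locate the PE header, then traverse the export directory the way GetProcAddress does), as an added example in Python that is not code from this thread: it assumes an already-mapped image, so RVAs are offsets from the module base as in the in-memory ntdll case, and `build_sample_image` is a constructed minimal PE32+ fixture, not a real DLL. It also handles forwarded exports (an address that points back into the export directory is a "DLL.Func" string, not code), which a naive walk would mistake for a function address.

```python
import struct

def _cstr(image, off):
    """Read a NUL-terminated ASCII string at offset `off`."""
    return image[off:image.index(b"\0", off)].decode("ascii")

def find_export(image, name):
    """GetProcAddress-style lookup over a mapped image (RVA == offset from base).
    Returns the export's RVA, the forwarder string ("DLL.Func") if forwarded, or None."""
    assert image[:2] == b"MZ", "missing DOS header"
    pe = struct.unpack_from("<I", image, 0x3C)[0]                 # e_lfanew
    assert image[pe:pe + 4] == b"PE\0\0", "missing PE signature"
    magic, = struct.unpack_from("<H", image, pe + 24)             # optional header magic
    dir_off = pe + 24 + (112 if magic == 0x20B else 96)           # export entry: PE32+ vs PE32
    exp_rva, exp_size = struct.unpack_from("<II", image, dir_off)
    if exp_rva == 0:
        return None                                               # module exports nothing
    # IMAGE_EXPORT_DIRECTORY: NumberOfNames @+24, then the three table RVAs
    nnames, funcs, names, ords = struct.unpack_from("<IIII", image, exp_rva + 24)
    for i in range(nnames):
        name_rva, = struct.unpack_from("<I", image, names + 4 * i)
        if _cstr(image, name_rva) != name:
            continue
        ordinal, = struct.unpack_from("<H", image, ords + 2 * i)  # unbiased index into AddressOfFunctions
        func_rva, = struct.unpack_from("<I", image, funcs + 4 * ordinal)
        if exp_rva <= func_rva < exp_rva + exp_size:              # address inside the export dir => forwarder
            return _cstr(image, func_rva)
        return func_rva
    return None

def build_sample_image():
    """Constructed minimal PE32+ image with two exports (one forwarded); a test fixture, not a real DLL."""
    base, blob, offs = 0x200, bytearray(60), {}
    for s in (b"sample.dll", b"NtOpenThread", b"NtQueryInformationThread", b"NTDLL.ZwOpenThread"):
        offs[s], blob = base + len(blob), blob + s + b"\0"
    struct.pack_into("<IIHHIIIIIII", blob, 0, 0, 0, 0, 0, offs[b"sample.dll"], 1, 2, 2,
                     base + 40, base + 48, base + 56)             # directory header + table RVAs
    struct.pack_into("<IIIIHH", blob, 40, offs[b"NTDLL.ZwOpenThread"], 0x1234,
                     offs[b"NtOpenThread"], offs[b"NtQueryInformationThread"], 0, 1)
    img = bytearray(base + len(blob))
    img[:2], img[0x3C], img[0x40:0x44] = b"MZ", 0x40, b"PE\0\0"  # DOS stub, e_lfanew, signature
    struct.pack_into("<H", img, 0x40 + 24, 0x20B)                 # PE32+ magic
    struct.pack_into("<II", img, 0x40 + 24 + 112, base, len(blob))  # export data directory entry
    img[base:] = blob
    return bytes(img)
```

Parsing a file on disk instead of a mapped module would additionally need the section table to translate RVAs to file offsets.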
wrote in message news:xxxxx@ntdev…
> Can I call a function in NTDLL.dll from a kernel-mode driver?
> Let’s say that I need a function that is not publicly exported by
> ntoskrnl.exe, but only by ntdll.dll, where it just makes a proper “int
> 0x2E”, which is also used for some functions within ntoskrnl.exe …
> This DLL is mapped in the ‘System’ process also…
Some people have done this, but it is pretty stupid. Tell us the ntdll.dll function you think you need; there is likely a better way.
> Then a related question:
> Can I dynamically find a function in kernel-mode driver.sys (something
> like GetProcAddress)?
> MmGetSystemRoutineAddress does not have a module parameter.
> I would just like to call a function from one driver to another, with a
> temporary solution of giving that function pointer into a DeviceExtension.
Assuming these are PnP drivers, look at a device interface that way one driver can export some functions and the other asks for them with a GUID defining the interface. See IoRegisterDeviceInterface and IoRegisterPlugPlayNotification for the basics.
For question one - NtQueryInformationThread, NtOpenThread
Well, I could find it in a PEThread, but hard-wiring offsets for various system versions does not seem very portable…
Anyway, I could come across another such function later…
For question two - it is not a PnP driver, this seems too complicated. One driver is a logging center (logs messages to files, and possibly via user-mode service to another host or console or what ever, depending on configuration), and another driver is a sample logging client, both software-only, no PnP involved.
The method I use now is IoGetDeviceObjectPointer…
In the IoRegisterDeviceInterface topic, there is a “device interface class” link which leads nowhere. How can I use the registered interface?
> Can I dynamically find a function in kernel-mode driver.sys (something like GetProcAddress)?
> MmGetSystemRoutineAddress does not have a module parameter.
No, MGSRA only looks in ntoskrnl.exe and hal.dll.
> I would just like to call a function from one driver to another, with a temporary solution of giving that function pointer into a DeviceExtension.
Some NtXxx routines exported by ntdll.dll you can call as ZwXxx.
For example, NtTerminateProcess can be used as ZwTerminateProcess.
xxxxx@seznam.cz wrote:
> Can I call a function in NTDLL.dll from a kernel-mode driver?
> Let’s say that I need a function that is not publicly exported by ntoskrnl.exe, but only by ntdll.dll, where it just makes a proper “int 0x2E”, which is also used for some functions within ntoskrnl.exe …
> This DLL is mapped in the ‘System’ process also…
> Then a related question:
> Can I dynamically find a function in kernel-mode driver.sys (something like GetProcAddress)?
> MmGetSystemRoutineAddress does not have a module parameter.
> I would just like to call a function from one driver to another, with a temporary solution of giving that function pointer into a DeviceExtension.
> For that NtDll above the case would be easy: find the PE header with the help of MmIsAddressValid and traverse the Exports section, but finding a kernel-mode driver DLL is not that easy…
NtOpenThread -
use PsLookupThreadByThreadId to get the thread object.
If you need a handle, call ObOpenObjectByPointer on that object and the system will get you one.
ZwQueryInformationThread is exported from ntoskrnl, so you can use it.