The driver code with ZwQuerySystemInformation, ZwQueryInformationProcess and PsGetProcessImageFileName does not just compile. The compiler says these are undeclared variables. They are not declared in any header file. How do I get these to work? Are there any extra options I have to add during “build”?
You have to define the function prototypes yourself, like any other C
program. Be aware that the documentation for at least
ZwQuerySystemInformation that you find on the web (or Nebbett's book) is
mostly wrong for current OSes. For some well documented cases you are
fine, for the rest you are in unmapped territory.
Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
“xxxxx@hotmail.com” wrote
in message news:xxxxx@ntdev:
> The driver code with ZwQuerySystemInformation, ZwQueryInformationProcess and PsGetProcessImageFileName does not just compile. The compiler says these are undeclared variables. They are not declared in any header file. How do I get these to work? Are there any extra options I have to add during “build”?
Any idea about how to get well documented prototypes?
Thanks
After the usual nags for using undocumented stuff, especially in kernel…
Prototypes of NtQuerySystemInformation and NtQueryInformationProcess are in winternl.h (in the current Platform SDK; RFTMSDN for their description). Replace Nt with Zw.
PsGetProcessImageFileName did not work for me, so better avoid using it.
Good luck,
–pa
The function prototypes for these that you find on the net are correct;
it is the usage of the parameters, particularly the information classes
and the subsequent structures for the info, that can be wildly wrong.
You are going to have to take all of that from the sources you can find
and then test like crazy.
Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
“xxxxx@hotmail.com” wrote
in message news:xxxxx@ntdev:
> Any idea about how to get well documented prototypes?
> Thanks
I tried inserting the function prototypes into header files and then including them. It worked for PsGetProcessImageFileName, but I am unable to get ZwQueryInformationProcess to work even after including its prototype and declaring _RTL_USER_PROCESS_PARAMETERS and _PEB; while compiling it says PEB is undeclared and there is a syntax error near PPS_POST_PROCESS_INIT_ROUTINE, which I am unable to declare as I am not able to find any documentation regarding "PPS_POST_PROCESS_INIT_ROUTINE". If anybody knows, then please help me.
I don’t think winternl.h can be included in a kernel mode WDM driver.
> it is saying PEB undeclared
http://msdn.microsoft.com/en-us/library/aa813706(VS.85).aspx
http://msdn.microsoft.com/en-us/library/aa813741(v=VS.85).aspx
> I am not able to find any documentation regarding PPS_POST_PROCESS_INIT_ROUTINE
See the 1st link. It is a function pointer, just define it as PVOID (you are not going to use it otherwise).
– pa
When I use the method described by you to get the full path name of the current driver I get NULL.
Here is the code
HANDLE handle;
NTSTATUS status;
PROCESS_BASIC_INFORMATION ProcessBasicInfo;
ULONG returnLength = 0;
PEB *pPEB;

/* Query the basic information of the current process, which carries the PEB base address. */
handle = ZwCurrentProcess();
status = ZwQueryInformationProcess(handle, ProcessBasicInformation, &ProcessBasicInfo,
                                   sizeof(ProcessBasicInfo), &returnLength);
KdPrint(("return length %d", returnLength));
if (status == STATUS_SUCCESS)
{
    KdPrint(("Driver: %ld", ProcessBasicInfo.UniqueProcessId));
    /* Walk PEB -> ProcessParameters -> ImagePathName and print the raw buffer. */
    if ((pPEB = (PEB *)ProcessBasicInfo.PebBaseAddress) != NULL)
        KdPrint(("Driver: %ws", pPEB->ProcessParameters->ImagePathName.Buffer));
}
else
    KdPrint(("Driver: query information process failed"));
The return length is printed as 24, but not the ImagePathName.
The same happens for ProcessImageFileName with return length 8, but the name is not printed.
> KdPrint(("Driver: %ws", pPEB->ProcessParameters->ImagePathName.Buffer));
There are another two small gotchas:
- UNICODE_STRINGs are often not 0-terminated. Use the %wZ format to print a UNICODE_STRING.
- If an exception occurs inside KdPrint (DbgPrint), it just stops printing past the exception, and gives no error indication.
– pa
If what Pavel said doesn’t do the trick, I would try dumping some of the
information around ImagePathName to see if all looks well or at least
reasonable.
In particular:
pPEB->ProcessParameters->ImagePathName.Length
If you get something reasonable for that, you could try:
KdPrint(("%.*S\n",
         (int)(pPEB->ProcessParameters->ImagePathName.Length / sizeof(WCHAR)), /* Length is a byte count */
         pPEB->ProcessParameters->ImagePathName.Buffer));
Good luck,
mm
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@hotmail.com
Sent: Friday, November 26, 2010 9:31 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Calling undocumented function from kernel driver
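The two gotchas Pavel lists and the precision trick mm suggests both come down to how UNICODE_STRING is laid out: Length counts bytes, not characters, and Buffer is not guaranteed to carry a 0 terminator, so %ws (which scans for one) can print garbage or fault. The program below is an added, user-mode illustration, not code from this thread or from any driver; it stands in for the Windows types with same-layout typedefs (WCHAR as uint16_t, the three-field UNICODE_STRING) so it builds anywhere, and the sample path, the trailing "JUNK" characters and the helper names are all constructed for the example.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the Windows types (assumption: same layout as the real ones).
   Length and MaximumLength are BYTE counts; Buffer need not be 0-terminated. */
typedef uint16_t WCHAR;
typedef struct _UNICODE_STRING {
    uint16_t Length;        /* bytes of valid data, terminator not included */
    uint16_t MaximumLength; /* bytes available in Buffer */
    WCHAR   *Buffer;
} UNICODE_STRING;

/* Constructed sample: "\??\C:\drv.sys" immediately followed by unrelated
   characters and no 0 terminator, like a string carved out of a larger block. */
static WCHAR g_raw[] = { '\\','?','?','\\','C',':','\\','d','r','v','.','s','y','s',
                         'J','U','N','K' };
static const UNICODE_STRING g_image_path = { 14 * sizeof(WCHAR), sizeof(g_raw), g_raw };

/* Character count for a "%.*S"-style precision: divide the byte Length. */
int unicode_string_chars(const UNICODE_STRING *us)
{
    return (int)(us->Length / sizeof(WCHAR));
}

/* Copy exactly Length/sizeof(WCHAR) characters into a 0-terminated narrow
   buffer (ASCII subset; other code points become '?'). Returns the number of
   characters written, or -1 if Buffer is NULL or out is too small. It never
   scans Buffer for a terminator, which is what %ws would do. */
int unicode_string_to_ascii(const UNICODE_STRING *us, char *out, size_t cap)
{
    int n = unicode_string_chars(us);
    if (us->Buffer == NULL || (size_t)n + 1 > cap)
        return -1;
    for (int i = 0; i < n; i++)
        out[i] = (us->Buffer[i] < 0x80) ? (char)us->Buffer[i] : '?';
    out[n] = '\0';
    return n;
}

/* What a terminator-scanning loop reports on the same buffer: it runs straight
   through the trailing characters (and, without max_chars, past the allocation). */
int naive_scan_length(const WCHAR *buf, size_t max_chars)
{
    size_t i = 0;
    while (i < max_chars && buf[i] != 0)
        i++;
    return (int)i;
}

/* Convenience wrapper returning the sample path as a static C string ("" on failure). */
const char *sample_image_path(void)
{
    static char out[64];
    if (unicode_string_to_ascii(&g_image_path, out, sizeof out) < 0)
        out[0] = '\0';
    return out;
}

int main(void)
{
    printf("%d chars: %s\n", unicode_string_chars(&g_image_path), sample_image_path());
    printf("terminator scan would read %d chars\n",
           naive_scan_length(g_raw, sizeof g_raw / sizeof g_raw[0]));
    return 0;
}
```

In a driver the equivalent of unicode_string_to_ascii is simply `KdPrint(("%wZ", &us))`, which takes the UNICODE_STRING pointer and honours Length itself; if you must use a precision-based format, pass Length / sizeof(WCHAR), never Length, as the character count.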
NTDEV is sponsored by OSR