Error in building driver for Windows 7 x64

I am trying to build a driver in Windows 7 x64 using the source code from Professional Rootkits, chapter 3. I got 2 errors:

1. c:\chapter03ghost\src\hookmanager.obj : error LNK2001: unresolved external symbol __imp_KeServiceDescriptorTable

2. c:\chapter03ghost\src\objchk_win7_amd64\amd64\comint32.sys : error LNK1120: 1 unresolved externals

I already went through this link, "http://www.osronline.com/showthread.cfm?link=121098", but I am unable to find the solution…

This is my sources file content:

TARGETNAME=comint32
TARGETPATH=OBJ
TARGETTYPE=DRIVER
SOURCES=Ghost.c\
fileManager.c\
hookManager.c\
configManager.c

This is the error log:

BUILD: Examining c:\chapter03ghost\src directory for files to compile.
oacr invalidate root:amd64chk /autocleanqueue
1>Compiling and Linking c:\chapter03ghost\src *************
1>‘nmake.exe /nologo BUILDMSG=Stop. -i BUILD_PASS=PASS2 LINKONLY=1 NOPASS0=1 MAKEDIR_RELATIVE_TO_BASEDIR=’
1>c:\chapter03ghost\src: TARGETPATH is OBJ
1> C:\WinDDK\7600.16385.1\Bin\amd64\oacr\oacrcl @c:\chapter03ghost\src\objchk_win7_amd64\amd64\cl.rsp
1>Microsoft (R) C/C++ Optimizing Compiler Version 15.00.30729.207 for x64
1>Copyright (C) Microsoft Corporation. All rights reserved.
1>cl /Fo"c:\chapter03ghost\src\objchk_win7_amd64\amd64/"
1> /FC
1> /Iamd64\
1> /I.
1> /IC:\WinDDK\7600.16385.1\lib\win7\amd64\inc\ddk\wdmC:\WinDDK\7600.16385.1\lib\win7\amd64\inc\ddk\wdm\wxpC:\WinDDK\7600.16385.1\lib\win7\amd64\inc\ddk\wxpC:\WinDDK\7600.16385.1\lib\win7\amd64\inc\wxpC:\WinDDK\7600.16385.1\lib\win7\amd64\inc\crt
1> /Ic:\chapter03ghost\src\objchk_win7_amd64\amd64
1> /IC:\WinDDK\7600.16385.1\inc\api
1> /IC:\WinDDK\7600.16385.1\inc\api
1> /IC:\WinDDK\7600.16385.1\inc\ddk
1> /IC:\WinDDK\7600.16385.1\inc\ddk
1> /IC:\WinDDK\7600.16385.1\inc\crt
1> /D_WIN64
1> /D_AMD64_
1> /DAMD64
1> /DCONDITION_HANDLING=1
1> /DNT_UP=1
1> /DNT_INST=0
1> /DWIN32=100
1> /D_NT1X_=100
1> /DWINNT=1
1> /D_WIN32_WINNT=0x0601
1> /DWINVER=0x0601
1> /D_WIN32_IE=0x0800
1> /DWIN32_LEAN_AND_MEAN=1
1> /DDEVL=1
1> /DDBG=1
1> /D__BUILDMACHINE__=WinDDK
1> /D_DLL=1
1> /DNDEBUG
1> /DDEPRECATE_DDK_FUNCTIONS=1
1> /DMSC_NOOPT
1> /DNTDDI_VERSION=0x06010000
1> /c
1> /Zc:wchar_t-
1> /Zl
1> /Zp8
1> /Gy
1> -cbstring
1> /W3
1> /EHs-c-
1> /GR-
1> /GF
1> /GS
1> /Zi
1> /Od
1> /Oi
1> /GL
1> /Zi
1> /Fdc:\chapter03ghost\src\objchk_win7_amd64\amd64\
1> /DKMDF_MAJOR_VERSION_STRING=01
1> /DKMDF_MINOR_VERSION_STRING=009
1> /typedil-
1> /wd4603
1> /wd4627
1> /homeparams
1> /FIC:\WinDDK\7600.16385.1\inc\api\warning.h
1> .\ghost.c .\filemanager.c .\hookmanager.c .\configmanager.c
1>ghost.c
1>filemanager.c
1>c:\chapter03ghost\src\filemanager.c(77) : warning C4242: ‘=’ : conversion from ‘ULONG_PTR’ to ‘ULONG’, possible loss of data
1>warnings in directory c:\chapter03ghost\src
1>c:\chapter03ghost\src\filemanager.c(77) : warning C4242: ‘=’ : conversion from ‘ULONG_PTR’ to ‘ULONG’, possible loss of data
1>hookmanager.c
1>c:\chapter03ghost\src\hookmanager.c(48) : warning C4996: ‘MmCreateMdl’: was declared deprecated
1>c:\chapter03ghost\src\hookmanager.c(48) : warning C4996: ‘MmCreateMdl’: was declared deprecated
1> c:\winddk\7600.16385.1\inc\ddk\wdm.h(19491) : see declaration of ‘MmCreateMdl’
1>c:\chapter03ghost\src\hookmanager.c(55) : warning C4996: ‘MmMapLockedPages’: was declared deprecated
1>c:\chapter03ghost\src\hookmanager.c(55) : warning C4996: ‘MmMapLockedPages’: was declared deprecated
1> c:\winddk\7600.16385.1\inc\ddk\wdm.h(19188) : see declaration of ‘MmMapLockedPages’
1>configmanager.c
1> C:\WinDDK\7600.16385.1\Bin\amd64\oacr\oacrlink /out:c:\chapter03ghost\src\objchk_win7_amd64\amd64\comint32.sys /machine:amd64 @c:\chapter03ghost\src\objchk_win7_amd64\amd64\lnk.rsp
1>Microsoft (R) Incremental Linker Version 9.00.30729.207
1>Copyright (C) Microsoft Corporation. All rights reserved.
1>/MERGE:_PAGE=PAGE
1>/MERGE:_TEXT=.text
1>/SECTION:INIT,d
1>/OPT:REF
1>/OPT:ICF
1>/IGNORE:4198,4010,4037,4039,4065,4070,4078,4087,4089,4221,4108,4088,4218,4218,4235
1>/INCREMENTAL:NO
1>/release
1>/NODEFAULTLIB
1>/WX
1>/debug
1>/debugtype:cv,fixup,pdata
1>/version:6.1
1>/osversion:6.1
1>C:\WinDDK\7600.16385.1\lib\win7\amd64\hotpatch.obj
1>/functionpadmin:6
1>/pdbcompress
1>/STACK:0x40000,0x1000
1>/driver
1>/base:0x10000
1>/subsystem:native,6.01
1>/entry:GsDriverEntry
1>/out:c:\chapter03ghost\src\objchk_win7_amd64\amd64\comint32.sys
1>c:\chapter03ghost\src\objchk_win7_amd64\amd64\ghost.obj
1>c:\chapter03ghost\src\objchk_win7_amd64\amd64\filemanager.obj
1>c:\chapter03ghost\src\objchk_win7_amd64\amd64\hookmanager.obj
1>c:\chapter03ghost\src\objchk_win7_amd64\amd64\configmanager.obj
1>C:\WinDDK\7600.16385.1\lib\win7\amd64\BufferOverflowK.lib
1>C:\WinDDK\7600.16385.1\lib\win7\amd64\ntoskrnl.lib
1>C:\WinDDK\7600.16385.1\lib\win7\amd64\hal.lib
1>C:\WinDDK\7600.16385.1\lib\win7\amd64\wmilib.lib
1>ghost.obj : MSIL .netmodule or module compiled with /GL found; restarting link with /LTCG; add /LTCG to the link command line to improve linker performance
1>Microsoft (R) Incremental Linker Version 9.00.30729.207
1>Copyright (C) Microsoft Corporation. All rights reserved.
1>/MERGE:_PAGE=PAGE
1>/MERGE:_TEXT=.text
1>/SECTION:INIT,d
1>/OPT:REF
1>/OPT:ICF
1>/IGNORE:4198,4010,4037,4039,4065,4070,4078,4087,4089,4221,4108,4088,4218,4218,4235
1>/INCREMENTAL:NO
1>/release
1>/NODEFAULTLIB
1>/WX
1>/debug
1>/debugtype:cv,fixup,pdata
1>/version:6.1
1>/osversion:6.1
1>C:\WinDDK\7600.16385.1\lib\win7\amd64\hotpatch.obj
1>/functionpadmin:6
1>/pdbcompress
1>/STACK:0x40000,0x1000
1>/driver
1>/base:0x10000
1>/subsystem:native,6.01
1>/entry:GsDriverEntry
1>/out:c:\chapter03ghost\src\objchk_win7_amd64\amd64\comint32.sys
1>c:\chapter03ghost\src\objchk_win7_amd64\amd64\ghost.obj
1>c:\chapter03ghost\src\objchk_win7_amd64\amd64\filemanager.obj
1>c:\chapter03ghost\src\objchk_win7_amd64\amd64\hookmanager.obj
1>c:\chapter03ghost\src\objchk_win7_amd64\amd64\configmanager.obj
1>C:\WinDDK\7600.16385.1\lib\win7\amd64\BufferOverflowK.lib
1>C:\WinDDK\7600.16385.1\lib\win7\amd64\ntoskrnl.lib
1>C:\WinDDK\7600.16385.1\lib\win7\amd64\hal.lib
1>C:\WinDDK\7600.16385.1\lib\win7\amd64\wmilib.lib
1>hookmanager.obj : error LNK2001: unresolved external symbol __imp_KeServiceDescriptorTable
1>errors in directory c:\chapter03ghost\src
1>c:\chapter03ghost\src\hookmanager.obj : error LNK2001: unresolved external symbol __imp_KeServiceDescriptorTable
1>c:\chapter03ghost\src\objchk_win7_amd64\amd64\comint32.sys : fatal error LNK1120: 1 unresolved externals
1>c:\chapter03ghost\src\objchk_win7_amd64\amd64\comint32.sys : error LNK1120: 1 unresolved externals

Help me please…

You should not be doing rootkits. The KeServiceDescriptorTable is not an export on x64. The contents are encrypted and modifying it will get PatchGuard in your way.

//Daniel

I already disabled the patch guard using FYYRE code… I want to hook the SSDT. Is there any other way to hook the SSDT?

Since your product is already MALWARE why do you think we will help you?
If you are professional tell us your company and product so we can
ensure no one we know goes near it.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

xxxxx@gmail.com wrote in message
news:xxxxx@ntdev:

> I already disabled the patch guard using FYYRE code… I want to hook the SSDT. Is there any other way to hook the SSDT?

I am a final year student from India. I am doing a project, “Anti virus software shield for Anti virus terminators”. I am doing this project in Windows 7 x64. I want to hook the SSDT. When I googled it, I found that to disable the patch guard I need to use the code of FYYRE, so that is why I used that code. Only now do I know that it is malware. Please help me to do my project: how can I hook the SSDT in Windows 7 x64?

You can’t do it safely. By definition your shield strips significant
protections from Windows, by trying SSDT hooking, especially with
FYYRE. So by your design choices you are not protecting a system, you
are a virus in the system. Personally, having taught classes in college
years ago, if I got this I would fail you.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

xxxxx@gmail.com wrote in message
news:xxxxx@ntdev:

> I am a final year student from India. I am doing a project, “Anti virus software shield for Anti virus terminators”. I am doing this project in Windows 7 x64. I want to hook the SSDT. When I googled it, I found that to disable the patch guard I need to use the code of FYYRE, so that is why I used that code. Only now do I know that it is malware. Please help me to do my project: how can I hook the SSDT in Windows 7 x64?

Sorry, I did not know that code is malware; only after you said so did I know about that. I removed that code from my system. I want to hook the SSDT in Windows 7 x64, please help me with that. I am not getting any reply from other websites; I hope I can get a solution to my problem from this site. Please forgive my error, I am new to kernel programming. How can I hook the SSDT?

Look in the archives for SSDT hooking; this will explain the approved
methods for many common protection items, such as processes, threads,
registry and file systems. If you have some unique need then come back
and explain why you need to do something, and we may be able to give a
solution. But starting on the assumption that you need to hook any
modern system is basically creating a huge design mistake and then building
on it.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

xxxxx@gmail.com wrote in message
news:xxxxx@ntdev:

> Sorry, I did not know that code is malware; only after you said so did I know about that. I removed that code from my system. I want to hook the SSDT in Windows 7 x64, please help me with that. I am not getting any reply from other websites; I hope I can get a solution to my problem from this site. Please forgive my error, I am new to kernel programming. How can I hook the SSDT?

Not if I can help it you won’t.

We don’t support malware development, student projects, or any "Dark Demon"s on this site.

Recognizing that it is sometimes necessary to hook the SSDT in downlevel operating systems, SSDT hooking is also something with which we do not assist.

If this is a student project, and you’re a student, I suggest you not seek to cheat by asking help from industry professionals. I did my own homework in University. I recommend you do yours as well.

This thread is locked. DO NOT repost.

Have a nice day,

Peter
OSR