exported symbols.

Hi everyone!

Newbie needs help, so if you could possibly help I would be very grateful.

Recently I was trying to import W32pServiceTable into my driver; as I disassembled win32k.sys I saw that W32pServiceTable is public and exported (Win7 x64). So I did something like this:
__declspec(dllimport) PDWORD W32pServiceTable;
but while linking I got the error: unresolved symbol.

xxxxx@gmail.com wrote:

What on earth do you think you are going to do with that information?
Win32k.sys is only usable from GDI drivers. It will not allow itself to
be linked to other drivers.

The answer to your immediate question is that you still need an import
library that tells the system which DLL contains W32pServiceTable, so
that it can make the link at run time. That would be win32k.lib. But
if you are a newbie, then you should probably put the knives down before
you get cut.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

I just want to use the WinAPI in the kernel. I know that's stupid, but I am curious. That's all, no hooking, no killing. Thanks for your response.

You want to use win32 APIs in the kernel?

d

dent from a phpne with no keynoard


You can’t use the Win32 API in the kernel directly, but you may queue an APC to execute user-mode code in any process (e.g. explorer.exe) from your driver. You just need to map the code you want to execute into the target process and queue a user-mode APC on an alertable thread in that process, or set a thread alertable yourself (this can be done through the ETHREAD structure).

ac1d


Why would someone do this hack, versus using a service to handle things
with an inverted call. Sorry but opening up a security hole like you
suggest is just a bad idea.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“Yannick” wrote in message
news:xxxxx@ntdev:


xxxxx@gmail.com wrote:

Nope. The Win32 API is strictly a user-mode concept. What do you need
to do? Some of the things the API can do simply don’t make sense in
kernel. Some things are available in other ways.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

So then, trying to link win32k.lib into my driver, which is not a GDI driver, is
completely senseless, as it won't export its symbols into my code.
Is that reasoning right? If it's true, I wonder how this is made. Why am I
doing this? I thought it would be a great opportunity to learn what's
under the hood. I have no bad intentions, only bad English. Thanks for your
replies and suggestions, really appreciated.

> execute into the target process and queue a user-mode APC on an alertable thread

Or even better is to use inverted calls. The stable and documented solution.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

> So then, trying to link win32k.lib into my driver, which is not a GDI driver, is completely senseless

Yes.

Windows is just plain not designed for such things.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Just because it is exported does not mean that you can simply import it. To
import it, you have to have a .lib file created by the exporting module that
defines the symbol as an exported symbol. Lacking the .lib file to create
the import record in the executable, you will get the unresolved symbol
error, because, indeed, the symbol is unresolved.
joe


Just to be clear, win32k.lib does exist, but you still don’t want to do this
for reasons that were stated earlier.

mm


Ładanowski Michał wrote:

Under the hood of what? I clearly understand the desire to poke around,
but I’d like to get a feeling for what you’re trying to learn. All of
the functions in win32k.sys are designed to provide services for display
drivers and printer drivers. Win32k.sys loads those drivers, and then
those drivers call back into win32k.sys to handle the difficult functions.

You can certainly set up a kernel debugger and set some breakpoints, if
you want to watch how your display driver uses win32k.sys.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Ok. Clearly, I asked about something I shouldn't have. My intention wasn't to poke,
to hook or to kill.
Sorry for the problem, and I really appreciate your responses.

Ładanowski Michał wrote:

It’s not a “problem”, and you shouldn’t just give up. You clearly had
some goal in mind when you came across that name. That particular path
is not going to lead to happiness, but if you can tell us what you were
hoping to learn, we can point you in the right direction.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

I am beginning with WDM, and I thought that after reading books it's good to
make a project...
As you said before, a desire "to poke everywhere", so I decided to make a
system monitor.
It was easy to gain functionality using documented stuff. But then I wanted
to get the titles of the windows which are in the foreground. This led me to
NtUserGetForeground. After that...
I thought, why not use win32k.sys?
Ok, I know there are better ways: methods used by hooks which are not
directly combined with win32k.lib, and other solutions like
you suggested (say, legal ones). But after that, I was only curious whether it is
possible to import symbols from win32k when I am not developing a GDI driver.
To sum up, I know it's senseless, because getting a window's title in the kernel
is hmm... stupid. However, the curiosity about combining win32k.sys with a non-GDI
driver stays. That was my intention. I really don't want to waste your
time, so I will find a solution by myself. Your suggestions were helpful
and led me to that point, so thanks again. And sorry for my English :)

> To sum up, I know it's senseless, because getting a window's title in the kernel is hmm… stupid. However, the curiosity about combining win32k.sys with a non-GDI driver stays.

Note that win32k runs in session space, and non-GDI drivers - in global machine space.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

But I can make a GDI driver and a WDM driver, and have them communicate.

To access session space, an ordinary driver would have to attach to a
Win32 process (e.g., an instance of CSRSS, the user-mode portion of the
Win32 subsystem).
I don’t know whether the improved session isolation in Vista and above
might impose further complexities, though.

On Sat, 16 Oct 2010 11:09:10 +0300, Maxim S. Shatskih wrote:

Then make a user process and a WDM driver.

Simpler.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

“Ladanowski Michal” wrote in message news:xxxxx@ntdev…