IoCreateDeviceSecure compiled ok but fail to load driver

Hi,

I'm writing a kernel mode driver and I use IoCreateDeviceSecure to set access list control to the Device Object. I linked the driver with wdmsec.lib, bufferoverflow.lib, ntdll.lib and the driver is compiled successfully. Weird thing is, every time I try to StartServiceA, GetLastError returns ERROR_PROC_NOT_FOUND (0000007F) and if I use IoCreateDevice, everything goes smoothly.

The compiled IoCreateDeviceSecure looks like this in assembly:

PAGE:0001205A ; NTSTATUS __stdcall WdmlibIoCreateDeviceSecure(PDRIVER_OBJECT DriverObject, ULONG DeviceExtensionSize, PUNICODE_STRING DeviceName, ULONG DeviceType, ULONG DeviceCharacteristics, BOOLEAN Exclusive, PCUNICODE_STRING DefaultSDDLString, LPCGUID DeviceClassGuid, PDEVICE_OBJECT *DeviceObject)
PAGE:0001205A WdmlibIoCreateDeviceSecure proc near ; CODE XREF: DriverInitialize+56p
PAGE:0001205A
PAGE:0001205A DriverObject = dword ptr 8
PAGE:0001205A DeviceExtensionSize= dword ptr 0Ch
PAGE:0001205A DeviceName = dword ptr 10h
PAGE:0001205A DeviceType = dword ptr 14h
PAGE:0001205A DeviceCharacteristics= dword ptr 18h
PAGE:0001205A Exclusive = byte ptr 1Ch
PAGE:0001205A DefaultSDDLString= dword ptr 20h
PAGE:0001205A DeviceClassGuid = dword ptr 24h
PAGE:0001205A DeviceObject = dword ptr 28h
PAGE:0001205A
PAGE:0001205A mov edi, edi
PAGE:0001205C push ebp
PAGE:0001205D mov ebp, esp
PAGE:0001205F cmp WdmlibInitialized, 0
PAGE:00012066 jnz short loc_1206D
PAGE:00012068 call WdmlibInit
PAGE:0001206D
PAGE:0001206D loc_1206D: ; CODE XREF: WdmlibIoCreateDeviceSecure+Cj
PAGE:0001206D pop ebp
PAGE:0001206E jmp PfnIoCreateDeviceSecure
PAGE:0001206E WdmlibIoCreateDeviceSecure endp

.data:000151A4 PfnIoCreateDeviceSecure dd 0

I'm looking for an answer and hope to hear a reply from people soon,

Thanks,

ntdll.lib must not be linked to a kernel mode binary.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com


Thanks for your reply, Maxim S. Shatskih. I solved the problem. Replace bufferoverflow.lib with bufferoverflowk.lib and remove ntdll.lib and the compiler works fine.

The reason I linked the kmode driver with ntdll.lib is that when I linked with only wdmsec.lib, the linker displayed an error of unresolved symbol xxxxx@4 in ppregstate.obj and cmregutil.obj. So I added bufferoverflow.lib to the linker options. The compiler complained about _NtTerminateProcess symbols, so I added ntdll.lib. I was suspicious about this lib (ntdll in kmode??), but why on earth does the linker accept the lib?

Because the linker doesn’t generally make assumptions about your
intentions, which is a good thing, as assumptions about how people use
tools generally result in problems eventually. NTDLL.LIB is just any
other import library to the linker, and import libraries have no
IMAGE_OPTIONAL_HEADER, which is where the subsystem information is
located. Moreover, fundamentally, there is nothing to identify
‘ntdll.lib’ as THE ntdll.lib; anything can use that name. The linker
knows about references, which is all it needs to get its job done.

mm
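
A build-time check for the mistake discussed in this thread, as an added example that is not part of any post: since the linker will not object, this parses the finished driver image's PE import directory and reports imported modules outside a kernel allow-list, which is where a stray ntdll.lib shows up as an ntdll.dll import. The allow-list, the function names and the constructed sample image are assumptions.

```python
import struct

# Assumed allow-list of modules a kernel-mode image may import from; extend per project.
KERNEL_MODULES = {"ntoskrnl.exe", "hal.dll"}

def imported_modules(pe: bytes) -> list:
    """Return the DLL names listed in a PE image's import directory."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]                  # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    # NumberOfSections ... SizeOfOptionalHeader from the COFF file header
    nsec, _, _, _, opt_size = struct.unpack_from("<H3IH", pe, nt + 6)
    opt = nt + 24                                               # IMAGE_OPTIONAL_HEADER
    pe32 = struct.unpack_from("<H", pe, opt)[0] == 0x10B        # otherwise PE32+ (0x20B)
    imp_rva = struct.unpack_from("<I", pe, opt + (96 if pe32 else 112) + 8)[0]
    # Per section: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    secs = [struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8) for i in range(nsec)]

    def offset(rva):
        for vsize, va, rsize, raw in secs:
            if va <= rva < va + max(vsize, rsize):
                return raw + rva - va
        raise ValueError("RVA outside any section")

    names = []
    desc = offset(imp_rva) if imp_rva else None
    # Walk 20-byte import descriptors until the zeroed terminator (Name RVA == 0).
    while desc is not None and (name_rva := struct.unpack_from("<I", pe, desc + 12)[0]):
        start = offset(name_rva)
        names.append(pe[start:pe.index(b"\0", start)].decode("ascii"))
        desc += 20
    return names

def user_mode_imports(pe: bytes) -> list:
    """Imported modules that are not on the kernel allow-list (empty list = clean)."""
    return [m for m in imported_modules(pe) if m.lower() not in KERNEL_MODULES]

def build_sample(dlls):
    """Constructed minimal PE32 image with one section; test data, not a real driver."""
    img = bytearray(0x400)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                     # e_lfanew
    struct.pack_into("<HH", img, 0x44, 0x14C, 1)                # i386, one section
    struct.pack_into("<H", img, 0x54, 224)                      # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x58, 0x10B)                    # PE32 magic
    struct.pack_into("<I", img, 0x58 + 96 + 8, 0x1000)          # import directory RVA
    struct.pack_into("<4I", img, 0x58 + 224 + 8, 0x200, 0x1000, 0x200, 0x200)
    strings = 0x200 + 20 * (len(dlls) + 1)                      # names follow descriptors
    for i, name in enumerate(dlls):
        struct.pack_into("<I", img, 0x200 + 20 * i + 12, 0x1000 + strings - 0x200)
        img[strings:strings + len(name) + 1] = name.encode() + b"\0"
        strings += len(name) + 1
    return bytes(img)
```

Run `user_mode_imports(open("driver.sys", "rb").read())` on the built image (the file name is a placeholder) and fail the build if the list is not empty.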

@mm: thanks a lot.

no problem.

mm