MmLoadSystemImage & MmLoadAndLockSystemImage

NTDEV
1

Hi, are MmLoadSystemImage & MmLoadAndLockSystemImage exported from the kernel? I used these 2 routines in my driver. But I couldn’t build the driver, “unresolved externals” error. I defined the routine in my driver like

extern
NTKERNELAPI
NTSTATUS
MmLoadAndLockSystemImage (
IN PUNICODE_STRING ImageFileName,
IN PUNICODE_STRING NamePrefix OPTIONAL,
IN PUNICODE_STRING LoadedBaseName OPTIONAL,
OUT PVOID *Section,
OUT PVOID *ImageBaseAddress
);

It seems that these 2 routines are not exported from the kernel. Is there any way that I can use these 2 routines in my driver? Or is there any equivalent kernel API that I can use?

Thanks.

2

What are you trying to do? These have never been exported.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
http://www.windrvr.com
Remove StopSpam from the email to reply

“Michael Zhu” wrote in message news:xxxxx@ntdev…
> Hi, are MmLoadSystemImage & MmLoadAndLockSystemImage exported from the
> kernel? I used these 2 routines in my driver. But I couldn’t build the
> driver, “unresolved externals” error. I defined the routine in my driver
> like
>
> extern
> NTKERNELAPI
> NTSTATUS
> MmLoadAndLockSystemImage (
> IN PUNICODE_STRING ImageFileName,
> IN PUNICODE_STRING NamePrefix OPTIONAL,
> IN PUNICODE_STRING LoadedBaseName OPTIONAL,
> OUT PVOID *Section,
> OUT PVOID *ImageBaseAddress
> );
>
> It seems that these 2 routines are not exported from the kernel. Is there
> any way that I can use these 2 routines in my driver? Or is there any
> equivalent kernel API that I can use?
>
> Thanks.
>
>
>

3

Try ZwLoadDriver instead. It will also call DriverEntry for you and mark
the driver as loaded in the SC database.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Michael Zhu”
To: “Windows System Software Devs Interest List”
Sent: Thursday, September 14, 2006 6:55 PM
Subject: [ntdev] MmLoadSystemImage & MmLoadAndLockSystemImage

> Hi, are MmLoadSystemImage & MmLoadAndLockSystemImage exported from the
kernel? I used these 2 routines in my driver. But I couldn’t build the driver,
“unresolved externals” error. I defined the routine in my driver like
>
> extern
> NTKERNELAPI
> NTSTATUS
> MmLoadAndLockSystemImage (
> IN PUNICODE_STRING ImageFileName,
> IN PUNICODE_STRING NamePrefix OPTIONAL,
> IN PUNICODE_STRING LoadedBaseName OPTIONAL,
> OUT PVOID *Section,
> OUT PVOID *ImageBaseAddress
> );
>
> It seems that these 2 routines are not exported from the kernel. Is there any
way that I can use these 2 routines in my driver? Or is there any equivalent
kernel API that I can use?
>
> Thanks.
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
>
> To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

4

To Don Burn: I know these 2 routines are not exported. But why M$ wants to hide this? In my point these 2 routines are just normal APIs.

To Max: ZwLoadDriver won’t work for me. I don’t want to load the driver. I just need an image of the driver. Actually before I call MmLoadAndLockSystemImage(), the driver may be already loaded. The reason I need this 2 routines is that I need to do something with the hibernation file and crash dump file.

Thanks for the reply.

5

Why do you think these are normal API’s? They are buried in the systen
with a lot of the support environment for them also not provided. So far
you are asking for hacking in the extreme, explain this terrible problem of
your so someone can perhaps suggest a real solution.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
http://www.windrvr.com
Remove StopSpam from the email to reply

wrote in message news:xxxxx@ntdev…
> To Don Burn: I know these 2 routines are not exported. But why M$ wants to
> hide this? In my point these 2 routines are just normal APIs.
>
> To Max: ZwLoadDriver won’t work for me. I don’t want to load the driver. I
> just need an image of the driver. Actually before I call
> MmLoadAndLockSystemImage(), the driver may be already loaded. The reason I
> need this 2 routines is that I need to do something with the hibernation
> file and crash dump file.
>
> Thanks for the reply.
>
>

6

>need an image of the driver. Actually before I call

MmLoadAndLockSystemImage(), the driver may be already loaded.

Yes, and this raises the issue that MM’s system image database has no
refcounts, so, when you will unload to undo your call, the main driver image
will be unmapped -> the BSOD.

I noticed this trying to create 2 SC database entries for the same driver
binary. If the DriverEntry of the second one fails (due to namespace conflict
creating the control device, for instance) - then the first image is unmapped
too -> the BSOD.

Dump and hiber paths use the prefixes “dump_” and “hiber_” (I think they are
provided to MmLoadSystemImage, but I can be wrong here) to name the system
image database entries. More so, the diskdump.sys binary is loaded as
“dump_scsiport.sys”, so that the “dump_miniport.sys” instance will resolve its
imports against diskdump and not scsiport.

diskdump.sys is a binary which provides the scsiport-compatible lower edge (so
the miniports can bind to it via import resolution) and the dump device upper
edge.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

7

Hi, Don, I want to make the OS treat my driver as the hibernation or crash dump driver. I’ve implemented this function. Right now each time the system hibernates or crashes, my driver’s DriverEntry() will be called. My problem is I need to redirect the hibernation file or crash dump file WRITE operation to the real hibernation or crash dump driver. So I need to call the real hibernation or crash dump driver’s DriverEntry point manually with the hibernation or dump stack context received by my driver. That is why I need MmLoadAndLockSystemImage(). Without this API is there any other way to do the same thing?

8

Hi, Max, you are absolutely right. I spent the last couple of days in picking up this knowledge. It is very interesting.

9

If you want to just look at an existing loaded driver, you can do that
by name. If you want to map it, the Mm routines for mapping files are
exported in the interface.

MS does not routinely export all internal OS functions. If you can make
a persuasive case for exporting these they’ll no doubt export them in a
future OS release (but I know it’s too late to get that level of change
in for Vista…)

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.ca
Sent: Thursday, September 14, 2006 8:56 AM
To: ntdev redirect
Subject: RE:[ntdev] MmLoadSystemImage & MmLoadAndLockSystemImage

To Don Burn: I know these 2 routines are not exported. But why M$ wants
to hide this? In my point these 2 routines are just normal APIs.

To Max: ZwLoadDriver won’t work for me. I don’t want to load the driver.
I just need an image of the driver. Actually before I call
MmLoadAndLockSystemImage(), the driver may be already loaded. The reason
I need this 2 routines is that I need to do something with the
hibernation file and crash dump file.

Thanks for the reply.

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer