Accessing the Windows Native API from user mode
I'm quite curious about the Windows Native API. I have been searching around the net and have failed to find an example of calling a Native API function from user-mode. I believe I have a basic grasp of what this entails - specifically, I have to define constants and the native API function in my program, and use GetProcAddress to find the function in ntdll.dll, and then call the function.
Is this correct, and can anyone steer me in the right direction? Sample code would make my day, as I can find absolutely none of it.
I came across this code here ( http://www.eggheadcafe.com/software/aspnet/31520494/native-application--ntc.aspx ), but it seems to me that it is intended to operate in kernel mode:
NTSTATUS ntStatus = STATUS_SUCCESS;
UNICODE_STRING szPath = {0};
OBJECT_ATTRIBUTES Attr = {0};
IO_STATUS_BLOCK IoStatusBlock = {0};
HANDLE hBeep = 0;
// NT object-manager path (\??\C:\...), not a Win32 path
RtlInitUnicodeString(&szPath, L"\\??\\C:\\A.TXT");
InitializeObjectAttributes(&Attr, &szPath, 0, NULL, NULL);
ntStatus = NtCreateFile(&hBeep, GENERIC_READ, &Attr, &IoStatusBlock, NULL,
                        0, FILE_SHARE_READ, FILE_OPEN, 0, NULL, 0);
if (hBeep != NULL)
{
    NtClose(hBeep);   // release the handle, not the status code
}
How could this code be modified to operate in user-mode? I'm working in C++, as you probably have surmised by this point.
Thanks in advance.
Comments (2)
NtCreateFile() is already a user-mode function. The driver version is ZwCreateFile(). It is in fact documented; the declaration is available in the winternl.h SDK header file. What's missing, however, is the import library for ntdll.dll; you have to use LoadLibrary and GetProcAddress to get the entry point for the function.
Other than the trouble of calling it, the usual caveat is that these native API functions can change without notice in the next version of Windows.
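An added example (not from the question or either answer) of what this answer describes: resolving NtCreateFile and RtlInitUnicodeString from ntdll.dll with GetProcAddress and opening the file from the question read-only, with the handle closed instead of the status. The names nt_success, nt_path_from_win32 and open_read_only_native are my own; the typedefs mirror the winternl.h declarations, and the Windows-only part is under _WIN32 so the path and status helpers build anywhere.

```cpp
#include <cstdint>
#include <string>

// NTSTATUS success test, same rule as the NT_SUCCESS macro: the sign bit is
// clear for success (0x0...) and informational (0x4...) codes.
bool nt_success(int32_t status) { return status >= 0; }

// Native calls take object-manager paths, not Win32 paths: that is why the
// snippet in the question opens \??\C:\A.TXT rather than C:\A.TXT.
std::wstring nt_path_from_win32(const std::wstring& win32_path) {
    if (win32_path.rfind(L"\\??\\", 0) == 0) return win32_path; // already NT form
    return L"\\??\\" + win32_path;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>

// Function-pointer types mirroring the winternl.h declarations (assumed names).
typedef NTSTATUS (NTAPI *NtCreateFile_t)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES,
    PIO_STATUS_BLOCK, PLARGE_INTEGER, ULONG, ULONG, ULONG, ULONG, PVOID, ULONG);
typedef VOID (NTAPI *RtlInitUnicodeString_t)(PUNICODE_STRING, PCWSTR);

// Opens win32_path read-only via NtCreateFile resolved at run time. Returns the
// NTSTATUS; on success *out holds the handle, released with NtClose or CloseHandle.
int32_t open_read_only_native(const std::wstring& win32_path, HANDLE* out) {
    *out = nullptr;
    // ntdll.dll is mapped into every process, so GetModuleHandle is enough.
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    if (!ntdll) return static_cast<int32_t>(0xC0000135);        // STATUS_DLL_NOT_FOUND
    auto create  = (NtCreateFile_t)GetProcAddress(ntdll, "NtCreateFile");
    auto init_us = (RtlInitUnicodeString_t)GetProcAddress(ntdll, "RtlInitUnicodeString");
    if (!create || !init_us) return static_cast<int32_t>(0xC0000139); // STATUS_ENTRYPOINT_NOT_FOUND
    std::wstring nt_path = nt_path_from_win32(win32_path);
    UNICODE_STRING name;
    init_us(&name, nt_path.c_str());
    OBJECT_ATTRIBUTES attr;
    InitializeObjectAttributes(&attr, &name, OBJ_CASE_INSENSITIVE, nullptr, nullptr);
    IO_STATUS_BLOCK iosb = {};
    HANDLE h = nullptr;
    NTSTATUS st = create(&h, GENERIC_READ | SYNCHRONIZE, &attr, &iosb, nullptr,
                         FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN,
                         FILE_SYNCHRONOUS_IO_NONALERT, nullptr, 0);
    if (nt_success(st)) *out = h;   // hand back the handle; the caller closes it
    return st;
}
#endif
```

On Windows, call open_read_only_native(L"C:\\A.TXT", &h), check nt_success on the result, and close h with CloseHandle (or the NtClose entry point resolved the same way).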
I'm not a big fan of using undocumented APIs, but occasionally you need to do something that isn't exposed by the Win32 API. Some of the native API has been documented on MSDN (probably due to the settlement a while back). I usually use the reference at NTinternals.net, though it hasn't been updated in a while and it uses a terrible Java applet for navigation. There are probably some code examples on places like The Code Project et al.