I try to use an undocumented API while developing a Windows kernel driver. Please don't tell me this is not the best thing to do ;)
Anyway, the undocumented API is PsGetProcessPeb, which I found with IDA in ntoskrnl.exe.
I define the following structures:
- _PEB
- _PEB_LDR_DATA
- _LDR_DATA_TABLE_ENTRY
Also, I found that I have to define the function like:
NTKERNELAPI PPEB NTAPI PsGetProcessPeb(IN PEPROCESS Process);
The code (a part of) that I try to compile is:
NTSTATUS status = PsLookupProcessByProcessId(ProcessId, &pProcess);
if (!NT_SUCCESS(status)) return status;   /* the lookup can fail; check before using pProcess */
PPEB pPeb = PsGetProcessPeb(pProcess);
When I try to compile I get the following error codes:
- LNK2019
- LNK1120: unresolved externals
The external that is not resolved is PsGetProcessPeb.
I guess that the linker doesn't find the function and doesn't know how to link.
The OS used to compile is Windows 10 build 19044 (x64) and I use Visual Studio 2019.
If you have any idea, please let me know.
Regards
The key to using an undocumented API is finding the API's address.
In kernelland, there is MmGetSystemRoutineAddress().
https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-mmgetsystemroutineaddress
The MmGetSystemRoutineAddress routine returns a pointer to a function specified by SystemRoutineName.
Syntax
Parameters
SystemRoutineName: Specifies the name of the system routine to resolve.
Return value
If the function name can be resolved, the routine returns a pointer to the function. Otherwise, the routine returns NULL.
Remarks
Drivers can use this routine to determine if a routine is available on a specific version of Windows. It can only be used for routines exported by the kernel or HAL, not for any driver-defined routine.
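As an added example (not code from the question or the answer), this is how the run-time lookup the answer describes replaces the import declaration that produced LNK2019/LNK1120 in the question: the driver asks MmGetSystemRoutineAddress for PsGetProcessPeb by name, stores the result in a typed function pointer, and treats NULL as "this kernel does not export it". It assumes the routine has the signature the question declared, that _KERNEL_MODE is the macro the WDK kernel-mode compiler defines, and, when built on any other host, substitutes a constructed export table and minimal type stand-ins so the lookup logic can be compiled and exercised outside the kernel.

```c
/*
 * Added example, not code from the question or the answer: resolve the
 * undocumented PsGetProcessPeb at run time through MmGetSystemRoutineAddress
 * instead of declaring it as an import. The import declaration gives the
 * linker nothing to bind (LNK2019/LNK1120); the run-time lookup removes the
 * link-time dependency and lets the driver handle a kernel that does not
 * export the routine.
 *
 * Assumption: _KERNEL_MODE is defined by the WDK kernel-mode compiler. On any
 * other host the stand-ins under #else are constructed for this example and
 * are not the real kernel's types or export table.
 */
#ifdef _KERNEL_MODE
#include <ntddk.h>
#else
#include <stddef.h>
#include <wchar.h>
typedef int   NTSTATUS;            /* 32-bit signed, as on Windows */
typedef void *PVOID;
typedef void *PEPROCESS;
typedef struct { unsigned short Length, MaximumLength; wchar_t *Buffer; } UNICODE_STRING, *PUNICODE_STRING;
#define NTAPI
#define STATUS_SUCCESS         ((NTSTATUS)0x00000000)
#define STATUS_NOT_IMPLEMENTED ((NTSTATUS)0xC0000002)
#define NT_SUCCESS(s)          ((NTSTATUS)(s) >= 0)

static void RtlInitUnicodeString(PUNICODE_STRING dst, const wchar_t *src)
{
    dst->Buffer = (wchar_t *)src;
    dst->Length = (unsigned short)(wcslen(src) * sizeof(wchar_t));
    dst->MaximumLength = (unsigned short)(dst->Length + sizeof(wchar_t));
}

static PVOID FakePsGetProcessPeb(PEPROCESS Process) { (void)Process; return NULL; }

/* Constructed stand-in for the kernel's export table. */
static const struct { const wchar_t *Name; PVOID Address; } g_FakeExports[] = {
    { L"PsGetProcessPeb", (PVOID)FakePsGetProcessPeb },
};

/* Host-side stand-in with the real routine's signature: name in, address or NULL out. */
static PVOID MmGetSystemRoutineAddress(PUNICODE_STRING SystemRoutineName)
{
    size_t len = SystemRoutineName->Length / sizeof(wchar_t);
    for (size_t i = 0; i < sizeof g_FakeExports / sizeof g_FakeExports[0]; i++) {
        if (wcslen(g_FakeExports[i].Name) == len &&
            wcsncmp(g_FakeExports[i].Name, SystemRoutineName->Buffer, len) == 0)
            return g_FakeExports[i].Address;
    }
    return NULL;                    /* not exported by this "kernel" */
}
#endif

/* The question defines _PEB itself, so the PEB is an opaque pointer here.
 * Assumption: the routine has the signature the question declared. */
typedef PVOID (NTAPI *PFN_PsGetProcessPeb)(PEPROCESS Process);

static PFN_PsGetProcessPeb g_PsGetProcessPeb = NULL;

/* Look an exported routine up by name. NULL means this kernel build does not
 * export it, which is the availability check the documentation describes. */
static PVOID ResolveKernelRoutine(const wchar_t *RoutineName)
{
    UNICODE_STRING name;
    RtlInitUnicodeString(&name, RoutineName);
    return MmGetSystemRoutineAddress(&name);
}

/* Call once (for example from DriverEntry, at PASSIVE_LEVEL) before use. */
NTSTATUS ResolvePsGetProcessPeb(void)
{
    if (g_PsGetProcessPeb == NULL)
        g_PsGetProcessPeb = (PFN_PsGetProcessPeb)ResolveKernelRoutine(L"PsGetProcessPeb");
    return g_PsGetProcessPeb != NULL ? STATUS_SUCCESS : STATUS_NOT_IMPLEMENTED;
}

#ifdef _KERNEL_MODE
/* The question's fragment with the lookup failure and the object reference
 * handled. The returned pointer is a user-mode address inside that process
 * and is only meaningful while attached to it (KeStackAttachProcess). */
NTSTATUS GetPebForProcessId(HANDLE ProcessId, PVOID *PebOut)
{
    PEPROCESS process;
    NTSTATUS status = ResolvePsGetProcessPeb();
    if (!NT_SUCCESS(status))
        return status;
    status = PsLookupProcessByProcessId(ProcessId, &process);
    if (!NT_SUCCESS(status))
        return status;
    *PebOut = g_PsGetProcessPeb(process);   /* NULL for system/minimal processes */
    ObDereferenceObject(process);           /* balance the reference the lookup took */
    return STATUS_SUCCESS;
}
#endif
```

The point of routing every use through ResolvePsGetProcessPeb is that a missing export becomes a status code the driver can act on at load time rather than a load failure or a bad call; the NULL check is the version check the Remarks section refers to, and it also covers the case where the routine's name changes between builds.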