Question

I made a library for mapping any PE format file into a memory address. The thing is, I did it only for user land, using Visual Studio 2013 with the standard .lib format. Does this mean that my library can't be used inside a device driver?

For example, I have the following snippet:

    HMODULE ntdllmod = LoadLibraryA("ntdll.dll");
    if (ntdllmod)
    {
        ZwQueryInformationProcess func = (ZwQueryInformationProcess)GetProcAddress(ntdllmod, "ZwQueryInformationProcess");
    }

This works well on user land, but on kernel I don't need to call GetProcAddress, I can just call ZwQueryInformationProcess directly, since it's an ntoskrnl export... Can't I just do this, for example?

    #if USER_LAND
        HMODULE ntdllmod = LoadLibraryA("ntdll.dll");
        if (ntdllmod)
        {
            ZwQueryInformationProcess func = (ZwQueryInformationProcess)GetProcAddress(ntdllmod, "ZwQueryInformationProcess");
        }
    #elif KERNEL_MODE
        //Run my Kernel version code here.
    #endif

If this is not possible, then how can I build a device driver library in VS2013? (Can't find the option.) Also, any guide or reference on how to link a driver library would help, assuming it's different from a normal library.

EDIT: I already know about using ZwQueryInformationProcess; the question is if I can use the preprocessor directive #if to generate a driver library or a user mode library and have both implementations in the same solution.

Thanks.


Solution 2

Yes, you can use #if to produce different code where necessary. You will probably have to define your own -D or #define to control whether the library is "kernel" or "user mode".

It is often best to separate out the "functions that aren't generic" into one or a few modules (and including the files, say "usermode-stuff.c" and "kernel-stuff.c", respectively as part of the project source files), where the same type of function is declared for generic use. This avoids having a huge number of #if KERNEL_MODE all over the code, which can get quite messy after a while.

Obviously, that in itself doesn't necessarily mean that you can do all the things you need, or that your project can be achieved - there aren't enough details in your question to answer that.

OTHER TIPS

I will explain only the ZwQueryInformationProcess function's case. ZwQueryInformationProcess is already exported by ntoskrnl.exe, and then you can use it easily.

  1. Include the header file.

     ex) #include "ntddk.h"

  2. Or declare ZwQueryInformationProcess yourself.

     ex)

         NTSYSAPI NTSTATUS NTAPI ZwQueryInformationProcess(
             IN HANDLE ProcessHandle,
             IN ULONG ProcessInformationClass,
             OUT PVOID ProcessInformation,
             IN ULONG ProcessInformationLength,
             OUT PULONG ReturnLength OPTIONAL);

  3. Add ntoskrnl.lib to the sources file.

  4. Finally, you can use it. That's it.

ex)

    ULONG GetProcessID(HANDLE ProcessHandle, PPEB* ppPeb)
    {
        NTSTATUS Status;
        PROCESS_BASIC_INFORMATION ProcInfo;

        /* ProcessBasicInformation returns the PID and the PEB base address. */
        Status = ZwQueryInformationProcess(ProcessHandle, ProcessBasicInformation,
                                           &ProcInfo, sizeof(ProcInfo), NULL);
        if (STATUS_SUCCESS == Status) {
            if (ppPeb) {
                *ppPeb = ProcInfo.PebBaseAddress;
            }
            /* UniqueProcessId is ULONG_PTR; a PID always fits in 32 bits. */
            return (ULONG)ProcInfo.UniqueProcessId;
        }
        return 0;
    }
Licensed under: CC-BY-SA with attribution