Windows kernel driver and undocumented API
I try to use an undocumented API while developing a Windows kernel driver. Please don't tell me this is not the best thing to do ;)
Anyway, the undocumented API is PsGetProcessPeb, which I found with IDA in ntoskrnl.exe.
I define the following structures:
- _PEB
- _PEB_LDR_DATA
- _LDR_DATA_TABLE_ENTRY
Also, I found that I have to define the function like:
```c
NTKERNELAPI PPEB NTAPI PsGetProcessPeb(IN PEPROCESS Process);
```
The code (part of it) that I try to compile is:
```c
PEPROCESS pProcess = NULL;
PsLookupProcessByProcessId(ProcessId, &pProcess);
PPEB pPeb = PsGetProcessPeb(pProcess);
```
When I try to compile I get the following error codes:
- LNK2019
- LNK1120: unresolved externals
The external that is not resolved is PsGetProcessPeb.
I guess that the linker doesn't find the function and doesn't know how to link.
The OS used to compile is Windows 10 build 19044 (x64) and I use Visual Studio 2019.
If you have any idea, please let me know.
Regards
Solution 1:[1]
The key to using an undocumented API is to find the API's address.
In kernelland, there is MmGetSystemRoutineAddress().
https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-mmgetsystemroutineaddress
The MmGetSystemRoutineAddress routine returns a pointer to a function specified by SystemRoutineName.
Syntax
```cpp
PVOID MmGetSystemRoutineAddress(
  [in] PUNICODE_STRING SystemRoutineName
);
```
Parameters
[in] SystemRoutineName
Specifies the name of the system routine to resolve.
Return value
If the function name can be resolved, the routine returns a pointer to the function. Otherwise, the routine returns NULL.
Remarks
Drivers can use this routine to determine if a routine is available on a specific version of Windows. It can only be used for routines exported by the kernel or HAL, not for any driver-defined routine.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | karel |
