
How to use "LDRLoadDLL" to load a dll in DDK?


creative22

Aug 25, 2009, 4:38:02 AM
Hi all

I'm writing a program in DDK for secure booting of Windows XP.
I use NT-Native functions in kernel mode, but unfortunately there isn't any
reference or example of using these functions!

I want to load some kernel mode dlls there (such as "hal.dll" in the system32
folder) and use the "LDRLoadDLL" function, whereas there is no good example of
its usage!

I don't know how I should pass those dlls' path address in the first input
argument of this function. When I set it to NULL, I get an error loading some
kernel mode dlls (errors such as "File not found", where it succeeds in loading
only "ntdll.dll"!), and I also don't know what the dll's "path" format should
be in the first argument of the function.

I've seen ntdll.dll's source code for this function, but the correct format
of the path is somewhat complex for me!!

Here is the ntdll's source including "LDRLoadDll" function:
http://source.winehq.org/source/dlls/ntdll/loader.c#L2007

I extremely hope you could help me!!!!

Thanks in Advance.

Ivan Brugiolo [MSFT]

Aug 25, 2009, 12:55:20 PM
In order to `discover` functions from NtOsKrnl and the currently
used HAL, you can use MmGetSystemRoutineAddress.

It is worrisome that you expect the Loader code in NtDll to be the same
(and work the same way) as the loader code in NtOsKrnl.

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"creative22" <creat...@discussions.microsoft.com> wrote in message
news:0470C495-28C2-4EAA...@microsoft.com...

creative22

Aug 26, 2009, 1:32:10 AM
hello

> It is worrisome that you expect the Loader code in NtDll to be the same
> (and work the same way) as the loader code in NtOsKrnl.

Yes, you're right. It only emulates the real source code and is not the same,
but I would like to learn something about the "path" format in LDRLoadDll through it.

> In order to `discover` functions from NtOsKrnl and the currently
> used HAL, you can use MmGetSystemRoutineAddress.

I read the MmGetSystemRoutineAddress documentation on MSDN and found out it
only returns a pointer to "LDRLoadDll", for example, but I want to load a
kernel mode dll in DDK and don't know what the dll's path format is!

Could you help me about this?!
Regards.

Ivan Brugiolo [MSFT]

Aug 26, 2009, 3:49:51 AM
There is no documented and supported way to `load a dll` in kernel mode.
The only supported mechanism is through import-table
[driver A.sys has a load-time dependency towards B.sys]
and/or through supported port/miniport pairs.

To convince yourself, you can see that NtOsKrnl does not export any LdrXXX
function.

c:\>link -dump -exports %windir%\system32\ntoskrnl.exe | findstr /i Ldr
422 1A5 00110EA0 IoCallDriver = PoCallDriver
423 1A6 00110EA0 IoCallDriverStackSafe = PoCallDriver
639 27E 00060DA0 IofCallDriver = IofCallDriver
818 331 00370BD0 LdrAccessResource = LdrAccessResource
819 332 00356870 LdrEnumResources = LdrEnumResources
820 333 00360460 LdrFindResourceDirectory_U = LdrFindResourceDirectory_U
821 334 00360480 LdrFindResourceEx_U = LdrFindResourceEx_U
822 335 003604C0 LdrFindResource_U = LdrFindResource_U
823 336 00433FA0 LdrResFindResource = LdrResFindResource
824 337 00433F10 LdrResFindResourceDirectory = LdrResFindResourceDirectory
825 338 002B3630 LdrResSearchResource = LdrResSearchResource
1060 423 00110EA0 PoCallDriver = PoCallDriver
1611 64A 000F0CE0 VfFailDriver = VfFailDriver

c:\>link -dump -exports %windir%\system32\ntoskrnl.exe | findstr /i load
60 3B 000D2940 DbgLoadImageSymbols = DbgLoadImageSymbols
724 2D3 0022A2D0 KeLoaderBlock = KeLoaderBlockExported
1165 48C 003B6030 PsRemoveLoadImageNotifyRoutine = PsRemoveLoadImageNotifyRoutine
1180 49B 003EB9B0 PsSetLoadImageNotifyRoutine = PsSetLoadImageNotifyRoutine
1693 69C 00050BA0 ZwLoadDriver = ZwLoadDriver
1694 69D 00050BC0 ZwLoadKey = ZwLoadKey
1695 69E 00050C00 ZwLoadKeyEx = ZwLoadKeyEx
1794 701 00051FC0 ZwUnloadDriver = ZwUnloadDriver
1795 702 00051FE0 ZwUnloadKey = ZwUnloadKey
1796 703 00052020 ZwUnloadKeyEx = ZwUnloadKeyEx

--

"creative22" <creat...@discussions.microsoft.com> wrote in message
news:F9E4FA48-A007-4599...@microsoft.com...

creative22

Aug 26, 2009, 4:42:03 PM
Hello

> The only supported mechanism is through import-table
> [driver A.sys has a load-time dependency towards B.sys]
> and/or through supported port/miniport pairs.

I don't know what "import-table" and "port/miniport pairs" are.
Could I ask you to explain more about them?!

Thanks.

Maxim S. Shatskih

Aug 28, 2009, 4:23:07 PM
> I want to load some kernel mode dlls there (such as "hal.dll" in the system32
> folder) and use the "LDRLoadDLL" function, whereas there is no good example of
> its usage!

Disassemble kernel32!LoadLibraryExW; it is simple.

> Here is the ntdll's source including "LDRLoadDll" function:
> http://source.winehq.org/source/dlls/ntdll/loader.c#L2007

This is a remake and not the Windows code.

--
Maxim S. Shatskih
Windows DDK MVP
ma...@storagecraft.com
http://www.storagecraft.com

Maxim S. Shatskih

Aug 28, 2009, 4:24:01 PM
> There is no documented and supported way to `load a dll` in kernel mode.

ZwLoadDriver

Doron Holan [MSFT]

Sep 8, 2009, 2:25:49 PM
Note that ZwLoadDriver/ZwUnloadDriver do not behave like
LoadLibrary/FreeLibrary in user mode. The Zw versions are not ref counted,
while the user mode ones are. This means that ZwLoadDriver will fail if the
module is already loaded, and ZwUnloadDriver does not take into account any
outstanding references or calls into the driver, so you can easily remove an
image from memory that is still running or referenced by another component.

d

"Maxim S. Shatskih" <ma...@storagecraft.com.no.spam> wrote in message
news:#HZR81BK...@TK2MSFTNGP03.phx.gbl...