
I've been working on this code for hours, and it is driving me crazy!

The entire source is here http://pastebin.com/Urxh68W4 but I'm pretty sure I know the problem.

extern "C" NTSYSAPI LONG NTAPI ZwUnmapViewOfSection(HANDLE, PVOID);

When I run it I get the following error:

Error 1 error LNK2019: unresolved external symbol __imp__ZwUnmapViewOfSection@8 referenced in function _wWinMain@16

I'm guessing that there is some dll or library I should be including so I added Ntoskrnl.lib into my project because it contains the ZwUnmapViewOfSection function.

I have absolutely no idea what to do. Should I have used the Ntdll.dll? If so, how do I even link a dll? I thought you could only use the libraries in Visual Studio 2010.

Also, what exactly are NTSYSAPI and NTAPI? There is hardly any information on the net.

Cœur
43.52.4D.
  • Most likely one is the calling convention and one is an export specification. – chris Mar 30 '13 at 03:07
  • Can you elaborate? You're being a little vague. – 43.52.4D. Mar 30 '13 at 03:08
  • It looks like you are trying to use a function from the kernel-mode API (for drivers) in a user-mode program. They don't go together. If you want information on the kernel-mode API then get the WDK (Windows Driver Kit). – rhashimoto Mar 30 '13 at 03:14
  • http://msdn.microsoft.com/en-us/library/windows/hardware/ff567119(v=vs.85).aspx says *Contained in Ntoskrnl.lib* so I'm not sure what your concern is. It also says the header is *Wdm.h (include Wdm.h, Ntddk.h, or Ntifs.h)*, but you're not including that in your sample code. If you don't have this file, you probably should get your hands on the WDK/DDK or whatever contains it. – ta.speot.is Mar 30 '13 at 03:33
  • @ta.speot.is you don't think I already tried that stuff? Using Ntoskrnl.lib doesn't fix the problem and when I tried including Wdm.h or the others, Visual Studio didn't even recognize them!!! – 43.52.4D. Mar 30 '13 at 03:45
  • *tried including Wdm.h or the others, Visual Studio didn't even recognize them!!!* Yeah, so download the DDK... – ta.speot.is Mar 30 '13 at 04:00
  • @ta.speot.is It's user-mode code... he shouldn't be trying to use ntoskrnl or WDM, nor does he need to compile with the DDK (although it is an option). – mrduclaw Mar 30 '13 at 04:06
  • @mrduclaw Well perhaps he's using the wrong function then. From the documentation: *Note If the call to this function occurs in user mode, you should use the name "NtUnmapViewOfSection" instead of "ZwUnmapViewOfSection".* – ta.speot.is Mar 30 '13 at 04:16
  • @ta.speot.is sure. The Nt* variants are preferred by convention, but the Zw* calls are mapped to the Nt* calls in user-mode anyway. They only differ in the kernel. – mrduclaw Mar 30 '13 at 04:20

1 Answer


This looks like user-mode code, so you'll likely not want to link against ntoskrnl.lib. You would rather link against ntdll.

The way I would probably do this is to use dynamic linking and call GetProcAddress passing in a HANDLE to ntdll.dll and ZwUnmapViewOfSection.

Example code:

typedef LONG (NTAPI *pfnZwUnmapViewOfSection)(HANDLE, PVOID);      // same signature as the ntdll export
HMODULE hMod = GetModuleHandle(TEXT("ntdll.dll"));                 // ntdll is already mapped into every process; no LoadLibrary needed
pfnZwUnmapViewOfSection pZwUnmapViewOfSection = hMod ? (pfnZwUnmapViewOfSection)GetProcAddress(hMod, "ZwUnmapViewOfSection") : NULL;
if (!pZwUnmapViewOfSection) { /* handle failure: GetLastError() says why */ }

I haven't compiled this, but it should look something like that (maybe add some error checking, etc).

With regard to your other questions: NTAPI is a macro that defines the calling convention, in this case __stdcall. The calling convention has to do with how the arguments to the function are passed, and who will be cleaning up those arguments.

For example, __stdcall requires the arguments to be pushed on the stack in reverse order and the callee will clean up the stack.

Similarly, NTSYSAPI is a macro that just resolves to __declspec(dllimport) if I recall correctly.

Also, I should point out that calling functions exported by NtDll in user-mode is generally frowned upon. And, the code that you're writing will also have additional problems along the way (even after it appears to be working).

In case you're looking for another example of code that performs a very similar task to the one you're writing, you might check here. It was a technique used by the Duqu malware. Good luck!

mrduclaw
  • "if I recall correctly." lol seriously? You just know these things from the top of your head?! That's why I love SO, there are so many great programmers. My dad programs in VB.NET so he is never able to assist me with C++ DX – 43.52.4D. Mar 30 '13 at 03:35
  • Np man, glad I could be of help. And careful with that memory-resident code stuff. ;) – mrduclaw Mar 30 '13 at 03:42
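An added example (my code, not from the question or from mrduclaw's answer) covering both halves of the answer: the dynamic-linking route it recommends, and the __stdcall decoration behind the LNK2019 message in the question. Assumptions: the 32-bit MSVC decoration rules stated in the comments, 4-byte pointer and int arguments on x86, and that ntdll.dll exports NtUnmapViewOfSection under that name (it also exports the ZwUnmapViewOfSection alias the comments discuss). On Windows, build with cl /W4 unmap.cpp and it also maps and unmaps a section of its own; elsewhere only the decoration part compiles and runs.

```cpp
// Added example (not from the question or the answer). Part 1 decodes the x86
// MSVC name decoration seen in the LNK2019 message; part 2 (Windows only)
// resolves NtUnmapViewOfSection from ntdll.dll at runtime, as the answer
// suggests, instead of linking ntoskrnl.lib. Build on Windows: cl /W4 unmap.cpp
#include <cstddef>
#include <cstdio>
#include <string>

// ---- Part 1: what the linker error says ------------------------------------
// 32-bit MSVC decorates C-linkage functions as:
//   __cdecl   -> _name
//   __stdcall -> _name@N   (N = bytes of arguments the callee pops)
// A __declspec(dllimport) reference (what NTSYSAPI expands to) goes through an
// import-table slot named __imp_<decorated>, which only an import library for
// the DLL that actually exports the function can satisfy.
struct X86Decoration {
    bool viaImport;    // reference was made through __imp_
    std::string name;  // undecorated C name
    int argBytes;      // @N value, or -1 for __cdecl
};

bool ParseX86Decoration(const std::string& symbol, X86Decoration& out) {
    std::string s = symbol;
    out.viaImport = (s.compare(0, 6, "__imp_") == 0);
    if (out.viaImport) s.erase(0, 6);
    if (s.empty() || s[0] != '_') return false;  // every C symbol gets a leading '_'
    s.erase(0, 1);
    std::size_t at = s.rfind('@');
    if (at == std::string::npos) {
        out.name = s;
        out.argBytes = -1;
    } else {
        out.name = s.substr(0, at);
        std::string digits = s.substr(at + 1);
        if (digits.empty() || digits.find_first_not_of("0123456789") != std::string::npos) return false;
        out.argBytes = std::stoi(digits);
    }
    return !out.name.empty();
}

// Check a decorated reference against the prototype you believe you declared:
// C name, number of pointer/int parameters (4 bytes each on x86) under
// __stdcall, and whether it carried __declspec(dllimport).
bool MatchesStdcallPrototype(const std::string& symbol, const std::string& name,
                             int paramCount, bool dllImport) {
    X86Decoration d;
    return ParseX86Decoration(symbol, d) && d.name == name &&
           d.argBytes == paramCount * 4 && d.viaImport == dllImport;
}

// ---- Part 2: resolve the export from ntdll at runtime -----------------------
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>  // NTSTATUS; NTAPI and NTSYSAPI themselves come from winnt.h

// Same signature as the ntdll export. NTAPI is __stdcall on x86, nothing on x64.
typedef NTSTATUS (NTAPI *pfnNtUnmapViewOfSection)(HANDLE ProcessHandle, PVOID BaseAddress);
static bool NtSucceeded(NTSTATUS st) { return st >= 0; }  // NT_SUCCESS without ntdef.h

// ntdll.dll is mapped into every user-mode process before our code runs, so
// GetModuleHandle is enough; there is nothing to LoadLibrary.
static pfnNtUnmapViewOfSection ResolveNtUnmapViewOfSection() {
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    if (!ntdll) return nullptr;
    return reinterpret_cast<pfnNtUnmapViewOfSection>(GetProcAddress(ntdll, "NtUnmapViewOfSection"));
}

// Map a pagefile-backed section, unmap it through ntdll, then unmap the same
// address again. The second call must fail: always test the NTSTATUS, because
// a missed failure here is what leaves the next step working on garbage.
static int DemoUnmap() {
    pfnNtUnmapViewOfSection NtUnmapViewOfSection = ResolveNtUnmapViewOfSection();
    if (!NtUnmapViewOfSection) {
        std::fprintf(stderr, "cannot resolve NtUnmapViewOfSection (error %lu)\n", GetLastError());
        return 1;
    }
    HANDLE section = CreateFileMappingW(INVALID_HANDLE_VALUE, nullptr, PAGE_READWRITE, 0, 4096, nullptr);
    if (!section) return 1;
    PVOID view = MapViewOfFile(section, FILE_MAP_WRITE, 0, 0, 0);
    if (!view) { CloseHandle(section); return 1; }
    NTSTATUS st = NtUnmapViewOfSection(GetCurrentProcess(), view);
    std::printf("first unmap:  0x%08lX %s\n", (unsigned long)st, NtSucceeded(st) ? "(success)" : "(failure)");
    st = NtUnmapViewOfSection(GetCurrentProcess(), view);  // the view is gone now
    std::printf("second unmap: 0x%08lX %s\n", (unsigned long)st, NtSucceeded(st) ? "(success)" : "(failure)");
    CloseHandle(section);
    return NtSucceeded(st) ? 1 : 0;  // success here would mean the status check is broken
}
#endif

int main() {
    const char* symbols[] = { "__imp__ZwUnmapViewOfSection@8", "_wWinMain@16" };  // from the LNK2019 text
    for (const char* sym : symbols) {
        X86Decoration d;
        if (ParseX86Decoration(sym, d))
            std::printf("%-30s -> %s%s, %d bytes of __stdcall arguments\n", sym,
                        d.viaImport ? "dllimport of " : "", d.name.c_str(), d.argBytes);
    }
#ifdef _WIN32
    return DemoUnmap();
#else
    return 0;
#endif
}
```

The decoration check is what tells you the prototype in the question is fine (two 4-byte arguments, __stdcall, dllimport) and that the only thing missing is an import library for the DLL that exports it in user mode; the runtime resolution in part 2 sidesteps that library entirely and leaves you with a plain function pointer to validate before use.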