Link Error when Compile c program without kernel32.lib

Question

I'm want to Create App that just use ntdll and use security check for it. but when I remove kernel32.lib or uncheck "inherit from parent or project defaults" I get link errors when I build my project. Link Errors

#include <Windows.h>
#include <processthreadsapi.h>
#include <vcruntime.h>
ULONG WINAPI NtGetCurrentProcessorNumber(void);
void main()
{
    int a = 2;
    int b = 5;
    int sum = a + b;
    int Number = NtGetCurrentProcessorNumber();
    while (1)
    {

    }
}

void NtProcessStartup(PVOID DriverObject, PVOID RegistryPath)
{
    __security_init_cookie();
    //__security_check_cookie();
    main();
}

this is a Native Project and work fine when I Remove "Security check" Switch in compiler settings and remove "__security_init_cookie" Function. this project linked to ntdll.lib

Can anyone help me?

score 0 · Answer 1 · answered Feb 12 '21 at 13:26

0

When you use security checks __security_xx functions are linked to your module. The linker errors are saying that gs_support.obj (where __security_xx functions reside), requires QueryPerformanceCounter and other listed functions. QueryPerformanceCounter resides in kernel32, so you need to link with it when using security checks.

answered Feb 12 '21 at 13:26

nevilad

932
1
7
14

thanks for you answer. but some process like smss.exe or csrss.exe and ... use __security_xx functions without linking to kernel32.dll. I want to create a process like this. – aliMahdavi Feb 12 '21 at 14:55
I've disassembled csrss.exe of a windows 7 and windows 10 and didn't found that they use canaries (no __security_xx functions and no xor esp/rsp, x in function prologs). Where did you found an csrss that uses canaries? – nevilad Feb 13 '21 at 08:50
I found them in the latest Windows 10 update in both x86 and x64. – aliMahdavi Feb 13 '21 at 22:43
Yes the latest win10 csrss contains __security_xx functions. These functions are similar to the common ones except __security_init_cookie_ex. This function uses a different than the common cookie initialization algorithm - it does not use QueryPerformanceCounter and other kernel32 functions. You can build your own static library whith the code from these functions, export these and link it to your binary. You also should find a way to remove msvcrt.lib dependency - add it to ignored libs. – nevilad Feb 18 '21 at 19:20

Link Error when Compile c program without kernel32.lib

1 Answers1