I'm recently doing some research on private APIs. I tried to call functions such as NtOpenFile in ntdll.dll with LoadLibrary and GetProcAddress at runtime. Luckily, it succeeded. This morning I performed a file search on my computer and found ntdll.lib in my C drive. As far as I know, such a .lib file should contain stubs for DLL exports available for linking. So, I tried to link my application to that lib, but I'm constantly getting unresolved external symbol errors. However, a dumpbin /EXPORTS shows that ntdll.lib clearly has NtOpenFile exported. How could I resolve this error?
The problem is the name of the function as recorded in the library and as it is generated by the compiler. dumpbin just shows you the base exported symbol NtOpenFile (the undecorated one), but there is also an import symbol __imp_NtOpenFile. Now if you try to link NtOpenFile statically, declaring it as:
NTSTATUS NtOpenFile(
_Out_ PHANDLE FileHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_In_ ULONG ShareAccess,
_In_ ULONG OpenOptions
);
the compiler will generate, for a __stdcall function under 32 bits, the symbol _NtOpenFile@24 (if I'm not wrong counting the byte size of the call arguments), which obviously is not in the library. This is due to the fact that ntdll.lib is intended to be used under the DDK for driver development, where the compiler generates undecorated symbols.
To clarify the concept, open the ntdll.lib file with a binary editor and look for NtOpenFile: you will see only it and the import version __imp_NtOpenFile. Now open a standard library such as gdi32.lib, just to name one, and search for CreateDIBSection: you'll find a _CreateDIBSection@24 and also __imp__CreateDIBSection@24.
So what's going on? Simple: dumpbin always shows the undecorated names, but the compiler generates decorated ones; result: the linker fails. It is said that the names use the PASCAL convention, which is the same as __stdcall but doesn't decorate symbols (i.e. read this https://msdn.microsoft.com/en-us/library/aa235591(v=vs.60).aspx).
Is there a way to solve the problem? Yes, you have to create your own import library, assigning an alias to the wanted function that has the correct decorations. Start reading this https://msdn.microsoft.com/en-us/library/0b9xe492.aspx.
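To make the mismatch the answer describes concrete, here is an added C example (not from the answer's author) that reproduces the 32-bit __stdcall decoration rule (leading underscore, then "@" and the total argument bytes, each argument rounded up to a 4-byte stack slot) and models the linker's lookup against the names found in ntdll.lib. The six 4-byte argument sizes for NtOpenFile are taken from the declaration above; the lib_has_symbol helper is an assumption standing in for the linker's symbol search.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Round a type size up to the 4-byte stack slot used by 32-bit __stdcall. */
static size_t stack_slot_bytes(size_t type_size) {
    return (type_size + 3) & ~(size_t)3;
}

/* Total stack bytes pushed for the given argument sizes (the N in _Name@N). */
size_t stdcall_arg_bytes(const size_t *arg_sizes, size_t count) {
    size_t total = 0;
    for (size_t i = 0; i < count; i++) total += stack_slot_bytes(arg_sizes[i]);
    return total;
}

/* Write "_Name@N", the symbol MSVC emits for a 32-bit __stdcall declaration. */
int stdcall_symbol(const char *name, const size_t *arg_sizes, size_t count,
                   char *out, size_t cap) {
    return snprintf(out, cap, "_%s@%zu", name, stdcall_arg_bytes(arg_sizes, count));
}

/* Write the import-thunk symbol the linker also resolves: "__imp_" + symbol. */
int import_symbol(const char *symbol, char *out, size_t cap) {
    return snprintf(out, cap, "__imp_%s", symbol);
}

/* Hypothetical stand-in for the linker's search of an import library. */
int lib_has_symbol(const char *const *lib_syms, size_t n, const char *sym) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(lib_syms[i], sym) == 0) return 1;
    return 0;
}

int main(void) {
    /* NtOpenFile's six arguments (pointers, ACCESS_MASK, ULONG): all 4 bytes on x86. */
    const size_t nt_open_file_args[] = {4, 4, 4, 4, 4, 4};
    /* Constructed model of what ntdll.lib actually contains (DDK-style, undecorated). */
    const char *const ntdll_lib[] = {"NtOpenFile", "__imp_NtOpenFile"};
    char sym[64], imp[80];

    stdcall_symbol("NtOpenFile", nt_open_file_args, 6, sym, sizeof sym);
    import_symbol(sym, imp, sizeof imp);
    printf("compiler asks for: %s / %s\n", sym, imp);
    printf("found in ntdll.lib: %s\n", lib_has_symbol(ntdll_lib, 2, sym) ? "yes" : "no");
    return 0;
}
```

Run under a 32-bit MSVC mindset: the program reports that "_NtOpenFile@24" is not among the undecorated names, which is exactly the unresolved external the question hit.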