Link to ntdll.lib and call functions inside ntdll.dll


Problem description

I'm recently doing some research on private APIs. I tried to call functions such as NtOpenFile in ntdll.dll with LoadLibrary and GetProcAddress at runtime. Luckily, it succeeded. This morning I performed a file search on my computer and found ntdll.lib in my C drive. As far as I know, such a .lib file should contain stubs for DLL exports available for linking. So, I tried to link my application to that lib, but I'm constantly getting unresolved external symbol errors. However, a dumpbin /EXPORTS shows that ntdll.lib clearly has NtOpenFile exported. How could I resolve this error?

Recommended answer

The problem is the name of the function as recorded in the library and as it is generated by the compiler.
dumpbin just shows you the base exported symbol NtOpenFile (the undecorated one), but there is also an import symbol __imp_NtOpenFile. Now, if you try to link statically to NtOpenFile, declaring it as:

NTSTATUS NtOpenFile(
  _Out_ PHANDLE            FileHandle,
  _In_  ACCESS_MASK        DesiredAccess,
  _In_  POBJECT_ATTRIBUTES ObjectAttributes,
  _Out_ PIO_STATUS_BLOCK   IoStatusBlock,
  _In_  ULONG              ShareAccess,
  _In_  ULONG              OpenOptions
);

The compiler will generate, for a __stdcall function under 32 bits, the symbol _NtOpenFile@24 (if I'm not wrong counting the byte size of the call arguments), which obviously is not in the library. This is due to the fact that ntdll.lib is intended to be used under the DDK for driver development, where the compiler generates undecorated symbols.
To clarify the concept, open the ntdll.lib file with a binary editor and look for NtOpenFile: you will see only it and the import version __imp_NtOpenFile. Now open a standard library such as gdi32.lib, just to name one, and search for CreateDIBSection; you'll find a _CreateDIBSection@24 and also __imp__CreateDIBSection@24.
So what's going on? Simply, dumpbin always shows the undecorated names, but the compiler generates decorated ones; result: the linker fails. It is said that names use the PASCAL convention, that is the same as __stdcall but doesn't decorate symbols (i.e. read this https://msdn.microsoft.com/en-us/library/aa235591(v=vs.60).aspx).
Is there a way to solve the problem? Yes, you have to create your own import library assigning an alias to the wanted function having the correct decorations. Start reading this https://msdn.microsoft.com/en-us/library/0b9xe492.aspx.
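The binary-editor check the answer describes, as an added Python script that is not part of the original answer: it parses the symbol index of a COFF .lib archive and groups every symbol referring to a given function by decoration style, so you can see whether the _Name@N form the 32-bit compiler asks for is actually in the library. The function names, and the archive produced by make_archive (a constructed sample mimicking what the answer found in ntdll.lib), are this example's own assumptions.

```python
import re
import struct

AR_MAGIC = b"!<arch>\n"  # ar archive magic; COFF .lib import libraries use this layout


def read_symbol_index(data: bytes) -> list:
    """Symbol names from the first linker member ("/", big-endian table); assumes one exists."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar/COFF archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]                  # fixed 60-byte member header
        name, size = hdr[0:16].rstrip(b" "), int(hdr[48:58].strip())
        body = data[pos + 60:pos + 60 + size]
        if name == b"/":                          # first linker member
            (count,) = struct.unpack(">I", body[:4])
            names = body[4 + 4 * count:]          # strings follow the offset table
            return [s.decode() for s in names.split(b"\x00") if s]
        pos += 60 + size + (size & 1)             # members are 2-byte aligned
    return []


def decoration_variants(symbols: list, base: str) -> dict:
    """Group the symbols that refer to `base` by the decoration they carry."""
    pat = re.compile(r"^(?P<imp>__imp_)?(?P<us>_)?%s(?P<sc>@\d+)?$" % re.escape(base))
    out = {"undecorated": [],    # Name: what dumpbin /EXPORTS shows
           "cdecl_x86": [],      # _Name: 32-bit __cdecl
           "stdcall_x86": [],    # _Name@N: what the 32-bit compiler emits for __stdcall
           "import_thunk": []}   # __imp_ prefix: the import-address-table slot symbol
    for s in symbols:
        m = pat.match(s)
        if m is None:
            continue
        kind = ("import_thunk" if m.group("imp") else "stdcall_x86" if m.group("sc")
                else "cdecl_x86" if m.group("us") else "undecorated")
        out[kind].append(s)
    return out


def make_archive(symbols: list) -> bytes:
    """Constructed sample: a minimal archive holding only a first linker member."""
    body = struct.pack(">I", len(symbols)) + b"\x00" * (4 * len(symbols))
    body += b"".join(s.encode() + b"\x00" for s in symbols)
    hdr = b"/".ljust(16) + b"0".ljust(12) + b"0".ljust(6) + b"0".ljust(6)
    hdr += b"0".ljust(8) + str(len(body)).encode().ljust(10) + b"`\n"
    return AR_MAGIC + hdr + body + (b"\n" if len(body) & 1 else b"")

NTDLL_LIKE = make_archive(["NtOpenFile", "__imp_NtOpenFile"])  # constructed, as in the answer
```

To check a real library, pass its bytes instead of the sample: decoration_variants(read_symbol_index(open(path, "rb").read()), "NtOpenFile"); an empty stdcall_x86 list is exactly the situation that produces the unresolved _NtOpenFile@24.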

