Re[2]: ZwProtectVirtualMemory

Sorry, I sent the reply too soon. While it is available for linking, I
did not try to load the driver. But looking in WinDbg it is there in a
Win7 system so at the very least you should be able to use
MmGetSystemRoutineAddress() to grab a pointer to the function.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

------ Original Message ------
From: “PScott”
To: “Windows System Software Devs Interest List”
Sent: 8/14/2017 5:26:57 PM
Subject: Re: [ntdev] ZwProtectVirtualMemory

>
>I just built a driver for Win 7 x64 which calls this function and the
>function is available. The prototype is not, so you need to define it
>yourself, but the function is exported.
>
>Pete
>
>--
>Kernel Drivers
>Windows File System and Device Driver Consulting
>www.KernelDrivers.com
>866.263.9295
>
>------ Original Message ------
>From: xxxxx@gmail.com
>To: “Windows System Software Devs Interest List”
>Sent: 8/14/2017 11:07:24 AM
>Subject: [ntdev] ZwProtectVirtualMemory
>
>>I have a driver that I need to make compatible with Windows 7. The
>>only issue I’m running into now is the use of ZwProtectVirtualMemory.
>>It is not exported in Windows 7 but is with Win 8.1 and 10 (didn’t
>>test Windows 8).
>>
>>I can’t move the protection code to a service because it may need to
>>be called at boot before any service is loaded. So are there any
>>options to get this same capability with Windows 7 without searching
>>for code signatures or using hard coded offsets?
>>
>>--
>>NTDEV is sponsored by OSR

Thanks Anton and Pete.

Pete, I saw your follow-up about “available for linking but not loading” and I actually just tried your initial suggestion. Fltmc throws:

Load failed with error: 0x8007007f
The specified procedure could not be found.

and Depends shows an error. MmGetSystemRoutineAddress also returns NULL, but it is strange that WinDbg can resolve it. I guess through symbols?

So I’ll try Anton’s suggestion of calling via the system index. For x86 I’m assuming I can just copy the existing stub with inline ASM, but I’m not quite sure how to do it on x64. Is there a non-hackish way to call service indexes directly?

No… Zw means that the function is invoked via the “normal” syscall mechanism, with setting the previous mode to that of the caller. The Nt prefix is the actual name of the function itself in the code… so it’s called directly by ordinary function call/return.

Peter
OSR
@OSRDrivers

> No… Zw means that the function is invoked via the “normal” syscall mechanism,
> with setting the previous mode to that of the caller. The Nt prefix is the actual name
> of the function itself in the code… so it’s called directly by ordinary function call/return.

Fair enough - I was sort of imprecise, because, in actuality, both Zw and Nt forms are exported via ntoskrnl.exe’s IAT. I guess it would be better for me simply to say “A call to a Zw function goes through the system dispatcher, while an Nt one is just a regular function call that calls the function directly”…

Anton Bassov

The Nt version of ZwProtectVirtualMemory doesn’t exist (in the export table of the kernel).

On Windows 7, ZwProtectVirtualMemory is not exported. That is why ZwProtectVirtualMemory is not present in the NTOSKRNL.LIB file for Windows 7 and MmGetSystemRoutineAddress fails.

Dumpbin is very useful because it can be used with .LIB files. I don’t know if Depends can be used with .LIB files.
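The check the last two posts describe, looking at the export table rather than at the symbols WinDbg resolves, as an added example that is not code from this thread: a small Python export-directory parser, run against constructed PE32+ images. The sample images and the routine names they export are stand-ins built inside the script, not real ntoskrnl binaries; only exports by name are read, forwarders and ordinal-only exports are not examined.

```python
import struct

def exported_names(image: bytes) -> set:
    """Names in the export directory of a PE32/PE32+ image (e.g. ntoskrnl.exe read from disk)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0": raise ValueError("not a PE image")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    num_sections, opt_size = (struct.unpack_from("<H", image, coff + o)[0] for o in (2, 16))
    opt = coff + 20                                        # IMAGE_OPTIONAL_HEADER; PE32 magic is 0x10B
    dd = opt + (96 if struct.unpack_from("<H", image, opt)[0] == 0x10B else 112)  # DataDirectory[0]
    export_rva = struct.unpack_from("<I", image, dd)[0]
    if export_rva == 0:
        return set()                                       # image has no export table at all
    sections = [struct.unpack_from("<III", image, opt + opt_size + i * 40 + 12)  # VirtualAddress,
                for i in range(num_sections)]              # SizeOfRawData, PointerToRawData
    def rva_to_off(rva: int) -> int:
        for va, size, ptr in sections:
            if va <= rva < va + size: return rva - va + ptr
        raise ValueError(f"RVA {rva:#x} maps to no section")
    exp = rva_to_off(export_rva)                           # IMAGE_EXPORT_DIRECTORY
    num_names, names_rva = (struct.unpack_from("<I", image, exp + o)[0] for o in (24, 32))
    names, table = set(), rva_to_off(names_rva)            # AddressOfNames -> RVAs of ASCIIZ strings
    for i in range(num_names):
        off = rva_to_off(struct.unpack_from("<I", image, table + 4 * i)[0])
        names.add(image[off:image.index(b"\0", off)].decode("ascii"))
    return names

def is_exported(image: bytes, routine: str) -> bool:
    """True if the routine can be resolved by name, as MmGetSystemRoutineAddress does for ntoskrnl."""
    return routine in exported_names(image)

def build_sample_image(names) -> bytes:
    """Constructed PE32+ with one .edata section exporting `names`; a stand-in for a real kernel image."""
    n, sec_rva, sec_raw = len(names), 0x1000, 0x200
    str_rva, name_rvas = sec_rva + 40 + 10 * n, []         # strings follow dir, names, ordinals, functions
    for s in names:
        name_rvas.append(str_rva); str_rva += len(s) + 1
    edata = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n, n,
                        sec_rva + 40 + 6 * n, sec_rva + 40, sec_rva + 40 + 4 * n)
    edata += struct.pack(f"<{n}I", *name_rvas) + struct.pack(f"<{n}H", *range(n))
    edata += struct.pack(f"<{n}I", *([0x2000] * n)) + b"".join(s.encode() + b"\0" for s in names)
    hdr = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)                         # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)   # x64, one section
    hdr += struct.pack("<H", 0x20B) + bytes(110) + struct.pack("<II", sec_rva, len(edata)) + bytes(120)
    hdr += b".edata\0\0" + struct.pack("<IIIIIIHHI", len(edata), sec_rva, sec_raw, sec_raw, 0, 0, 0, 0, 0x40000040)
    return hdr.ljust(sec_raw, b"\0") + edata.ljust(sec_raw, b"\0")
# Constructed stand-ins (not real kernels): one table lacks the routine, as on the poster's Win7, one has it.
WIN7_LIKE = build_sample_image(["MmGetSystemRoutineAddress"])
WIN81_LIKE = build_sample_image(["MmGetSystemRoutineAddress", "ZwProtectVirtualMemory"])
```

On a real machine, `exported_names(open(path, "rb").read())` on a copy of ntoskrnl.exe answers the same question as dumpbin /exports; a .LIB import library is a COFF archive rather than a PE image, so this script does not cover that half of what dumpbin can inspect.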