Error C2491: 'ZwMem' : definition of dllimport function not allowed

  • Question

  • Hi, 

    I am attempting to block DLL & code injection which may originate from userland (Ring 3) by blocking/filtering our specific PID (process ID) from NtWriteVirtualMemory(). However, when I create the callback function:

    #include <ntddk.h>

    // Saved original SYSENTER target; assumed to be defined elsewhere in the driver.
    extern ULONG dwSysenterOriginalAddress;

    // NTSYSAPI expands to __declspec(dllimport) unless _NTSYSTEM_ is defined, and a
    // dllimport function may only be declared, never defined, in this module. That
    // is exactly what C2491 reports, so the definition must not carry NTSYSAPI.
    NTSTATUS NTAPI ZwMem(IN HANDLE ProcessHandle, IN PVOID BaseAddress, IN PVOID Buffer,
                         IN ULONG NumberOfBytesToWrite, OUT PULONG NumberOfBytesWritten OPTIONAL)
    {
    	__asm
    	{
    		pushad ; save all general-purpose registers
    	}
    	__asm
    	{
    		popad  ; restore all general-purpose registers to their original values
    		jmp	dwSysenterOriginalAddress ; jump back to the original SYSENTER_MSR target
    	}
    }

    VS2012 throws an error:

    Error C2491: 'ZwMem' : definition of dllimport function not allowed  

    Does anyone have the slightest clue why this error is being raised?

    Additionally, are Zw* functions completely different from Nt* functions, or are they both the same in the kernel?

    Any help would be appreciated,

    Rohan Vijjhalwar



    Thursday, December 26, 2013 12:19 PM

Answers

All replies

  • NtXXX and ZwXXX are not the same in the kernel; see http://www.osronline.com/article.cfm?article=257

    This looks like you are attempting to use SSDT hooking. If so, forget it: it does not work for 64-bit and is totally unsafe for 32-bit.

    If you want to block someone doing nasty actions to a specific process look at ObRegisterCallbacks http://msdn.microsoft.com/en-us/library/windows/hardware/ff558692(v=vs.85).aspx for a way to stop them from getting a handle to your process.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Thursday, December 26, 2013 3:05 PM
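    As an added illustration of the ObRegisterCallbacks approach (this is example code, not code from this thread or from Microsoft), the block below models the decision a process-handle pre-operation callback makes. In a driver the callback is registered with ObRegisterCallbacks for PsProcessType on OB_OPERATION_HANDLE_CREATE and OB_OPERATION_HANDLE_DUPLICATE; it cannot refuse the open, but it can strip rights from the requested DesiredAccess before returning OB_PREOP_SUCCESS. The handle_request struct, filter_process_access and allows_injection are names chosen for this example, standing in for the OB_PRE_OPERATION_INFORMATION fields the decision needs, so the logic compiles and runs in user mode; the PROCESS_* values are the documented ones.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Process access rights, values as documented in <winnt.h>. */
#define PROCESS_CREATE_THREAD     0x0002u
#define PROCESS_VM_OPERATION      0x0008u
#define PROCESS_VM_READ           0x0010u
#define PROCESS_VM_WRITE          0x0020u
#define PROCESS_QUERY_INFORMATION 0x0400u
#define PROCESS_ALL_ACCESS_VISTA  0x1FFFFFu  /* STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF */

/* Rights a remote NtWriteVirtualMemory / remote-thread injection needs on the target. */
#define INJECTION_RIGHTS (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE)

/* Stand-in (constructed for this example) for the OB_PRE_OPERATION_INFORMATION
 * fields the callback reads; the comments name the kernel source of each value. */
typedef struct {
    uint32_t target_pid;     /* PsGetProcessId((PEPROCESS)Info->Object) */
    uint32_t requester_pid;  /* PsGetCurrentProcessId() */
    bool     kernel_handle;  /* Info->KernelHandle */
    uint32_t desired_access; /* Info->Parameters->CreateHandleInformation.DesiredAccess or
                                Info->Parameters->DuplicateHandleInformation.DesiredAccess */
} handle_request;

/* Returns the DesiredAccess the callback would leave in place. */
uint32_t filter_process_access(const handle_request *req, uint32_t protected_pid)
{
    if (req->target_pid != protected_pid)
        return req->desired_access;   /* not the protected process: leave it alone */
    if (req->kernel_handle)
        return req->desired_access;   /* kernel-mode handles are outside this threat model */
    if (req->requester_pid == protected_pid)
        return req->desired_access;   /* a process opening itself keeps full rights */
    return req->desired_access & ~INJECTION_RIGHTS;
}

/* True if a handle with this mask could still be used to write code into the process. */
bool allows_injection(uint32_t access)
{
    return (access & INJECTION_RIGHTS) != 0;
}

int main(void)
{
    const uint32_t protected_pid = 1234;
    /* Constructed sample handle requests. */
    handle_request reqs[] = {
        { 1234, 5678, false, PROCESS_ALL_ACCESS_VISTA },                    /* injector-style open */
        { 1234, 5678, false, PROCESS_QUERY_INFORMATION | PROCESS_VM_READ }, /* task-manager style */
        { 4321, 5678, false, PROCESS_ALL_ACCESS_VISTA },                    /* other target */
        { 1234, 1234, false, PROCESS_ALL_ACCESS_VISTA },                    /* self-open */
        { 1234,    4, true,  PROCESS_ALL_ACCESS_VISTA },                    /* kernel handle */
    };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        uint32_t out = filter_process_access(&reqs[i], protected_pid);
        printf("target %u from %u: 0x%06X -> 0x%06X (%s)\n",
               reqs[i].target_pid, reqs[i].requester_pid, reqs[i].desired_access, out,
               allows_injection(out) ? "can still inject" : "cannot inject");
    }
    return 0;
}
```

    Two caveats worth knowing before wiring this into a real driver: ObRegisterCallbacks only sees handle creation and duplication, so handles that were already open when the driver loaded keep whatever rights they had, and the call fails with STATUS_ACCESS_DENIED unless the driver is signed and linked with /INTEGRITYCHECK.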
  • Hi,

    Thanks for the clarification; however, I have actually placed a hook on SYSENTER. I have used this system call table to re-route the system calls to their filters:

    http://theundead.atspace.com/Blog/Windows%20System%20Calls.htm

    So am I technically doing anything wrong here in terms of re-routing, as I am re-routing Nt* functions rather than Zw* functions? So my question now is: does SYSENTER (in kernel mode) call Zw or Nt?

    As for your suggestion, I am not too sure how to work with it nor how to use it, so for the time being is it okay if I leave it, or would you mind showing me a basic example of how to register my process with ObRegisterCallbacks?

    Looking forward to a valuable reply,

    Rohan 


    Thursday, December 26, 2013 6:08 PM
  • That is even worse.  Quit now, or give us the name of your company and product so we can be sure to never allow a customer near it.  Get rid of this piece of crap now.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Thursday, December 26, 2013 6:11 PM
  • Sorry, I have made a mistake - I will obviously change the "mistake" code. Thanks! Anyway, it was not commercial nor professional, just a test, nothing much.

    Anyway, may I ask what the downfalls of SSDT hooks are, besides the security?

    What would you suggest instead of SSDT hooking? 
    Thursday, December 26, 2013 7:14 PM