Error C2491: 'ZwMem' : definition of dllimport function not allowed

  • Question

  • Hi, 

    I am attempting to block DLL and code injection which may originate from userland (Ring 3) by blocking/filtering our specific PID (process ID) from NtWriteVirtualMemory(). However, when I create the callback function:

    extern DWORD dwSysenterOriginalAddress;   // original SYSENTER target, saved before the hook was installed
    // No NTSYSAPI on the definition: it expands to __declspec(dllimport), which is what triggers C2491.
    __declspec(naked) NTSTATUS NTAPI ZwMem(IN HANDLE ProcessHandle, IN PVOID BaseAddress, IN PVOID Buffer, IN ULONG NumberOfBytesToWrite, OUT PULONG NumberOfBytesWritten OPTIONAL)
    {
        __asm {
            pushad                                      ; save all current registers
            popad                                       ; restore all registers to their original values
            jmp dword ptr [dwSysenterOriginalAddress]   ; jump back to the original SYSENTER_MSR target
        }
    }

    VS2012 throws an error:

    Error C2491: 'ZwMem' : definition of dllimport function not allowed  

    Does anyone have the slightest clue why this error is being raised?

    Additionally, are the Zw* functions completely different from the Nt* functions, or are they both the same in the kernel?

    Any help would be appreciated,

    Rohan Vijjhalwar

    Thursday, December 26, 2013 12:19 PM


All replies

  • NtXXX and ZwXXX are not the same in the kernel see 

    This looks like you are attempting to use SSDT hooking, if so forget it, it does not work for 64-bit and is totally unsafe for 32-bit.

    If you want to block someone doing nasty actions to a specific process look at ObRegisterCallbacks for a way to stop them from getting a handle to your process.

    Don Burn, Windows Filesystem and Driver Consulting

    Thursday, December 26, 2013 3:05 PM
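The ObRegisterCallbacks approach the reply points at works by shrinking the rights on every handle to the protected process at the moment it is opened or duplicated, so a later NtWriteVirtualMemory on that handle fails with STATUS_ACCESS_DENIED without any syscall hooking. The following is an added example, not code from the thread or from Don Burn: the policy function at the top compiles and runs in user mode for testing; the driver wiring below it is behind an assumed build flag BUILD_AS_DRIVER and only compiles inside a WDK kernel-mode project. The names FilterProcessAccess, ProtectPreOp, ProtectRegister, ProtectUnregister, the altitude string "321000" and the PIDs 1234/5678 are all assumptions made for the example.

```c
/*
 * Added example, not from the thread or from Don Burn's own code: the
 * rights-stripping policy behind an ObRegisterCallbacks pre-operation
 * callback.  The policy function compiles and runs in user mode so it can be
 * tested; the driver wiring is behind BUILD_AS_DRIVER (an assumed build flag)
 * and only compiles inside a WDK kernel-mode project.
 */
#include <stdint.h>

/* Process access rights, values as defined in winnt.h */
#define PROCESS_TERMINATE         0x0001u
#define PROCESS_CREATE_THREAD     0x0002u
#define PROCESS_VM_OPERATION      0x0008u
#define PROCESS_VM_READ           0x0010u
#define PROCESS_VM_WRITE          0x0020u
#define PROCESS_DUP_HANDLE        0x0040u
#define PROCESS_QUERY_INFORMATION 0x0400u
#define PROCESS_SUSPEND_RESUME    0x0800u

/* Rights that let a caller inject code into, or tamper with, the target.
 * NtWriteVirtualMemory needs PROCESS_VM_WRITE (and VM_OPERATION to change
 * page protections), so a handle without them makes the write fail with
 * STATUS_ACCESS_DENIED before any syscall hook would even be consulted. */
#define INJECTION_RIGHTS (PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | \
                          PROCESS_VM_WRITE | PROCESS_DUP_HANDLE | PROCESS_SUSPEND_RESUME)

/* Returns the access mask the caller is actually granted.
 * Handles to other processes pass untouched; the protected process may open
 * itself (its own runtime does that); kernel-mode callers are left alone
 * (they do not need a handle to touch memory, so stripping would only break
 * legitimate drivers).  Read and query rights survive so tools such as Task
 * Manager keep working. */
uint32_t FilterProcessAccess(uint32_t desired, uintptr_t targetPid,
                             uintptr_t callerPid, uintptr_t protectedPid,
                             int kernelHandle)
{
    if (targetPid != protectedPid) return desired;
    if (callerPid == protectedPid) return desired;
    if (kernelHandle)              return desired;
    return desired & ~INJECTION_RIGHTS;
}

#ifdef BUILD_AS_DRIVER
#include <ntddk.h>

static PVOID  g_ObHandle;       /* from ObRegisterCallbacks, needed for unregistration */
static HANDLE g_ProtectedPid;   /* PID to protect; set by the driver's control path (assumed) */

static OB_PREOP_CALLBACK_STATUS
ProtectPreOp(PVOID Context, POB_PRE_OPERATION_INFORMATION Info)
{
    PACCESS_MASK desired;
    UNREFERENCED_PARAMETER(Context);
    if (Info->ObjectType != *PsProcessType) return OB_PREOP_SUCCESS;

    desired = (Info->Operation == OB_OPERATION_HANDLE_CREATE)
            ? &Info->Parameters->CreateHandleInformation.DesiredAccess
            : &Info->Parameters->DuplicateHandleInformation.DesiredAccess;
    *desired = FilterProcessAccess(*desired,
                                   (uintptr_t)PsGetProcessId((PEPROCESS)Info->Object),
                                   (uintptr_t)PsGetCurrentProcessId(),
                                   (uintptr_t)g_ProtectedPid, Info->KernelHandle);
    return OB_PREOP_SUCCESS;    /* never fail the open outright; just shrink the rights */
}

NTSTATUS ProtectRegister(HANDLE pid)
{
    OB_OPERATION_REGISTRATION op  = { 0 };
    OB_CALLBACK_REGISTRATION  reg = { 0 };

    g_ProtectedPid  = pid;
    op.ObjectType   = PsProcessType;
    op.Operations   = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    op.PreOperation = ProtectPreOp;

    reg.Version                    = OB_FLT_REGISTRATION_VERSION;
    reg.OperationRegistrationCount = 1;
    reg.OperationRegistration      = &op;
    RtlInitUnicodeString(&reg.Altitude, L"321000");  /* assumed altitude string */
    return ObRegisterCallbacks(&reg, &g_ObHandle);   /* fails unless the driver is linked /INTEGRITYCHECK */
}

void ProtectUnregister(void) { if (g_ObHandle) ObUnRegisterCallbacks(g_ObHandle); }
#else
#include <stdio.h>
int main(void)
{
    /* Constructed scenario: PID 1234 is protected, PID 5678 asks for read, write and query. */
    uint32_t asked = PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION;
    printf("asked 0x%04x, granted 0x%04x\n", asked,
           FilterProcessAccess(asked, 1234, 5678, 1234, 0));   /* granted 0x0410 */
    return 0;
}
#endif
```

Two practical caveats before relying on this: the callback only sees handles opened or duplicated after the driver is loaded, so anything that already holds a handle keeps its rights, and a real deployment registers for PsThreadType as well, since injection via SetThreadContext or QueueUserAPC needs a thread handle rather than PROCESS_VM_WRITE. ObRegisterCallbacks also refuses to register (STATUS_ACCESS_DENIED) unless the driver image is linked with /INTEGRITYCHECK and properly signed.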
  • Hi,

    Thanks for the clarification; however, I have actually placed a hook on SYSENTER. I have used this system call table to re-route the system calls to their filters:

    So am I technically doing anything wrong here in terms of re-routing, as I am re-routing Nt* functions rather than Zw* functions? My question now is: does SYSENTER (in kernel mode) call Zw or Nt?

    As for your suggestion, I am not too sure how to work with it or how to use it, so for the time being, is it okay if I leave it, or would you mind showing me a basic example of how to register my process with ObRegisterCallbacks?

    Looking forward to a valuable reply,


    Thursday, December 26, 2013 6:08 PM
  • That is even worse. Quit now, or give us the name of your company and product so we can be sure to never allow a customer near it. Get rid of this piece of crap now.

    Don Burn, Windows Filesystem and Driver Consulting

    Thursday, December 26, 2013 6:11 PM
  • Sorry, I have made a mistake - I will obviously change the "mistake" code. Thanks! Anyway, it was not commercial or professional. Just a test, nothing much.

    Anyway, may I ask what the downsides of SSDT hooks are, besides the security?

    What would you suggest instead of SSDT hooking? 
    Thursday, December 26, 2013 7:14 PM