Mirror driver does not load when referencing HAL functions

  • Question

  • Hi, 

    I am adding private data synchronization to a mirror driver. The driver does not seem to load properly when I reference HAL functions: 

       KeAcquireSpinLock
       KeReleaseSpinLock
       KeQueryPerformanceCounter

    If I remove the references, the driver loads and works ok. Are there any special rules related to the use of the HAL.lib library? 
    The library is specified in the sources file as follows:

       TARGETLIBS= $(SDK_LIB_PATH)\libcntpr.lib $(SDK_LIB_PATH)\hal.lib


    Thank you in advance, 

    Dmitry Shkuropatsky
    Wednesday, August 31, 2011 8:19 PM

Answers

  • GDI restricts which libraries you can statically link against. You can get around it by calling EngLoadImage. You probably won't be able to load NTOSKRNL or the HAL, but you can create your own kernel-mode DLL which does call those routines.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting.
    Thursday, September 1, 2011 5:30 AM

All replies

  • What do you mean "reference HAL function"? Do you use these functions?

    It is possible that you are not using the functions correctly. Try to debug the code which uses the functions. 

     

    Igor Sharovar

    Wednesday, August 31, 2011 9:11 PM
  • these are all entry points from the kernel, not hal
    d -- This posting is provided "AS IS" with no warranties, and confers no rights.
    Thursday, September 1, 2011 5:08 AM
  • Dmitry Shkuropatsky wrote:
    >
    >I am adding private data synchronization to a mirror driver. The driver
    >does not seem to load properly when I reference HAL functions: 
    >   KeAcquireSpinLock    KeReleaseSpinLock    KeQueryPerformanceCounter
    >If I remove the references, the driver loads and works ok. Are there
    >any special rules related to the use of HAL.lib library?
     
    No, but there are special rules for GDI drivers.  GDI drivers (including
    mirror drivers) may not refer to any APIs except those exposed by
    win32k.sys.
     
    You can use __rdtsc instead of KeQueryPerformanceCounter.  You may have to
    invent your own locking, but remember that GDI calls are serialized.
    --
    Tim Roberts, timr@probo.com
    Providenza & Boekelheide, Inc.
     

    Tim Roberts, DDK MVP Providenza & Boekelheide, Inc.
    Friday, September 2, 2011 3:44 AM
  • I was able to load ntoskrnl.exe with EngLoadImage and find those functions using EngFindImageProcAddress. 

    Thanks,
    Dmitry


    Monday, October 3, 2011 3:57 PM