tags:

views:

21

answers:

2
+1  Q: 

How to link to NTQueryKey in Kernel Mode

For the life of me I can't figure out how to resolve the declared NTQueryKey value in my device driver. I looked for a device driver forum, but didn't find one.

Can someone point me to the right place? OSR isn't very responsive with dumb questions like how to link to NTQueryKey.

Here is my prototype:

NTSYSAPI NTSTATUS NTAPI NtQueryKey(HANDLE, KEY_INFORMATION_CLASS, PVOID, ULONG, ULONG *);

and it compiles fine, but the linker doesn't like it.

Thanks

A: 

In kernel mode you link to the Zw.... equivalent functions. See Here. NT.... functions are called from user mode (for example the Win32 subsystem would call the NT... functions).

Preet Sangha  2010-10-13 02:27:26
I'm trying to use ZwQueryKey but I'm getting an STATUS_INVALID_HANDLE. All I'm trying to do is get the key name on a Windows 2003 machine in a PostCreateOpenKeyEx routine.
Iunknown  2010-10-14 02:17:59
For completeness, a full discussion of the differences between the Nt and Zw variants is here: http://www.osronline.com/article.cfm?id=257.
snoone  2010-10-22 14:40:00
+1  A: 

NtXXXX functions should not be called from kernel mode. Use the ZwXXXX functions instead. In your case, you want ZwQueryKey. It has the same signature as NtQueryKey, but it performs actions on the x86 required for talking with kernel mode, and it's provided by ntoskrnl.exe rather than by ntdll.dll.

Billy ONeal  2010-10-13 02:27:35
The problem I have is I'm trying to open a user mode key. First I try ZwQueryKey and I get the error Invalid Handle, which I figured meant I need to use NTQueryKey.
Iunknown  2010-10-14 02:14:34
@kunknown: What do you mean by user mode key? ZwQueryKey is the exact same function as NtQueryKey with respect to how it works. The only difference is that NtQueryKey does a bunch of syscall crap.
Billy ONeal  2010-10-14 02:15:49
With a little help from OSR, I think I found the problem. I misunderstood the a "A pointer to the registry key object" is not a pointer to a handle. Trying ObOpenObjectByPointer now.
Iunknown  2010-10-14 16:15:32

related questions

Windows Driver Kit: swap buffers
How can I compile Programmer Dvorak?
WDK (Windows Driver Kit) and VC++ headers problem
Print Job Accepting and routing Software
Port 32-Bit Windows driver to 64-Bit Windows
windows I/O manager - IRP's classification in read-like and write-like
microsoft windows driver kit pure C try catch syntax ?
WDK build-process hooks: need incremental build with auto-versioning
Microsoft Driver Verifier
Trouble installing sample portio driver from winDDK
How can WDK programmatically restart a video/display driver?
Is anyone familiar with the undocumented ObReferenceObjectByName windows kernel function?
jsp tag library changes checkbox name?
Programmatically differentiating between USB Floppy Drive and USB Flash Drive in Windows
Install device driver silently on Windows XP
Warning linking boost lib in WDK build ("LNK4217: locally defined symbol _ imported in function _")
Raw PDO to send IOCTL to upper filter driver (kbfiltr/moufiltr) to enable/disable device
Print server - want to catch print command
Windows 7 Driver for Print to XPS
Sniffing LPT Traffic
Using boost in WDK build environment for applications?
Add or extend file system support under windows
Is it possible to make Microsoft build.exe include sources from remote directories?
How do you build the Windows D3D9 refrast from source?
Assembler file as input for a driver build with the WDK tools