I am trying to call the internal Windows NT API function NtOpenProcess. I know calling internal APIs can be a bad idea, but for this particular tool I need the low-level access this API provides.
My problem is that to use such an internal API, I need to use Runtime Dynamic Linking, as specified in this article.
To do that, I need to define a function pointer to NtOpenProcess. Here's my declaration:

    typedef NTSTATUS (NTAPI *_NtOpenProcess) (
        OUT PHANDLE,
        IN ACCESS_MASK,
        IN POBJECT_ATTRIBUTES,
        IN PCLIENT_ID OPTIONAL);

    class procManager
    {
        HINSTANCE hNTDLL;
    public:
        procManager()
        {
            hNTDLL = LoadLibrary(L"ntdll.dll");
            if (!hNTDLL)
                throw std::runtime_error("NTDLL.DLL failure.");
            _NtOpenProcess NtOpenProcess;
            // GetProcAddress takes a narrow (ANSI) export name, not a wide string
            NtOpenProcess = reinterpret_cast<_NtOpenProcess>(GetProcAddress(hNTDLL, "NtOpenProcess"));
            if (!NtOpenProcess)
                throw std::runtime_error("NtOpenProcess not found.");
            //Use NTOpenProcess for stuff here
        };
        ~procManager()
        {
            FreeLibrary(hNTDLL);
        };
    };

Problem is, apparently there is an error in my typedef above. The compiler returns:

    error C2059: syntax error : '__stdcall'

I used the handy dandy "Go To Definition" feature of my IDE (Visual Studio 2008) and found that NTAPI in the declaration is defined as __stdcall.
Unfortunately, removing NTAPI from my declaration, making it this:

    typedef NTSTATUS (*_NtOpenProcess) (
        OUT PHANDLE,
        IN ACCESS_MASK,
        IN POBJECT_ATTRIBUTES,
        IN PCLIENT_ID OPTIONAL);

results in another error:

    error C2065: '_NtOpenProcess' : undeclared identifier

At this point I'm saying "Of course it's undefined, that's why it's a typedef!"
Does anyone see my error in the declaration?