I am trying to call the internal Windows NT API function NtOpenProcess. I know calling internal APIs can be a bad idea, but for this particular tool I need the low-level access this API provides.
My problem is that to use such an internal API, I need to use Runtime Dynamic Linking, as specified in this article.
To do that, I need to define a function pointer to NtOpenProcess. Here's my declaration:
```cpp
#include <windows.h>    // NTAPI, HINSTANCE, LoadLibrary, GetProcAddress
#include <stdexcept>    // std::runtime_error

typedef NTSTATUS (NTAPI *_NtOpenProcess) (
    OUT PHANDLE,
    IN ACCESS_MASK,
    IN POBJECT_ATTRIBUTES,
    IN PCLIENT_ID OPTIONAL);

class procManager
{
    HINSTANCE hNTDLL;
public:
    procManager()
    {
        hNTDLL = LoadLibraryW(L"ntdll.dll");
        if (!hNTDLL)
            throw std::runtime_error("NTDLL.DLL failure.");
        _NtOpenProcess NtOpenProcess;
        // GetProcAddress takes a narrow (char) export name, never a wide string
        NtOpenProcess = reinterpret_cast<_NtOpenProcess>(GetProcAddress(hNTDLL, "NtOpenProcess"));
        if (!NtOpenProcess)
            throw std::runtime_error("NtOpenProcess not found.");
        // Use NtOpenProcess for stuff here
    }
    ~procManager()
    {
        FreeLibrary(hNTDLL);
    }
};
```
Problem is, apparently there is an error in my typedef above. The compiler returns:
error C2059: syntax error : '__stdcall'
I used the handy dandy "Go To Definition" feature of my IDE (Visual Studio 2008) and found that NTAPI in the declaration is defined as __stdcall.
Unfortunately, removing NTAPI from my declaration, making it this:
```cpp
typedef NTSTATUS (*_NtOpenProcess) (
    OUT PHANDLE,
    IN ACCESS_MASK,
    IN POBJECT_ATTRIBUTES,
    IN PCLIENT_ID OPTIONAL);
```
results in another error:
error C2065: '_NtOpenProcess' : undeclared identifier
At this point I'm saying "Of course it's undefined, that's why it's a typedef!"
Does anyone see my error in the declaration?
A pointer is a variable whose value is the address of another variable or memory block, i.e., the direct address of a memory location. Like any variable or constant, you must declare a pointer before using it to store an address.
Function pointer syntax: given a declaration such as void (*foo)(int), it is as if you were declaring a function called "*foo" that takes an int and returns void; if *foo is a function, then foo must be a pointer to a function. (Similarly, a declaration like int *x can be read as "*x is an int", so x must be a pointer to an int.)
In C, function pointers help avoid code duplication. For example, a single qsort() function can sort an array in ascending, descending, or any other order, including arrays of structures, because the comparison is supplied as a function pointer. Combined with void pointers, this lets qsort work for any data type.
A function pointer stores the address of a function. The function can be called through the pointer, and the pointer can be passed to another function as a parameter. Function pointers are mainly useful for event-driven applications, callbacks, and storing functions in arrays.
Did you include "ntdef.h" and "ntstatus.h"? The compiler probably can't understand NTSTATUS.
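A complete, compiling version of the pattern from the question, as an added example that is neither the poster's nor the answerer's code: the NT types come from winternl.h (an assumption about the SDK in use), the function pointer type keeps the NTAPI calling convention, and the resolved NtOpenProcess is used to open the current process for a limited query so the OBJECT_ATTRIBUTES and CLIENT_ID setup the question leaves out is shown. The helper ntSucceeded is a hypothetical portable stand-in for the NT_SUCCESS macro, and the Windows-specific part is guarded with _WIN32.

```cpp
#include <cstdint>
#include <stdexcept>
// Portable mirror of the NT_SUCCESS macro: NTSTATUS is a signed 32-bit value
// and every non-negative value (success or informational) means success.
bool ntSucceeded(int32_t status) { return status >= 0; }

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>   // NTSTATUS, OBJECT_ATTRIBUTES, CLIENT_ID, InitializeObjectAttributes
// Keep NTAPI (__stdcall): on 32-bit builds the wrong convention corrupts the stack.
typedef NTSTATUS (NTAPI *NtOpenProcessFn)(
    PHANDLE ProcessHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    PCLIENT_ID ClientId);
// ntdll.dll is mapped into every process, so GetModuleHandle suffices and
// there is nothing to FreeLibrary later.
NtOpenProcessFn resolveNtOpenProcess()
{
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    if (!ntdll)
        throw std::runtime_error("ntdll.dll not mapped");
    // GetProcAddress takes a narrow (char) name even in Unicode builds.
    FARPROC p = GetProcAddress(ntdll, "NtOpenProcess");
    if (!p)
        throw std::runtime_error("NtOpenProcess not exported");
    return reinterpret_cast<NtOpenProcessFn>(p);
}

// Open the process with the given PID for limited query access. Returns the
// raw NTSTATUS; on success *out holds a handle the caller must CloseHandle.
NTSTATUS openProcessForQuery(DWORD pid, HANDLE *out)
{
    OBJECT_ATTRIBUTES oa;
    InitializeObjectAttributes(&oa, nullptr, 0, nullptr, nullptr);
    CLIENT_ID cid = {};   // UniqueThread stays NULL: we address a process, not a thread
    cid.UniqueProcess = reinterpret_cast<HANDLE>(static_cast<ULONG_PTR>(pid));
    return resolveNtOpenProcess()(out, PROCESS_QUERY_LIMITED_INFORMATION, &oa, &cid);
}

int main()
{
    HANDLE h = nullptr;
    NTSTATUS st = openProcessForQuery(GetCurrentProcessId(), &h);
    if (ntSucceeded(st))
        CloseHandle(h);
    return ntSucceeded(st) ? 0 : 1;
}
#endif
```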