Not able to include ntifs.h in win32 project

Tags: c, kernel, winapi

I tried to use the function called NTCreateFile. When I compiled, it gave me an error saying "_NTCreateFile identifier not found". I included the header winternl.h. So next I tried to use ZwCreateFile; as per MSDN I included ntifs.h, but I am not able to include that header. It says "not able to open/find the directory". I am using VS2008. What is the problem? Am I missing anything?

EDIT1:

#include <windows.h>
#include <winternl.h>   // NTSTATUS, UNICODE_STRING, OBJECT_ATTRIBUTES, IO_STATUS_BLOCK
#include <tchar.h>

// Function-pointer type for NtCreateFile (no calling convention is given,
// so the compiler's default, __cdecl, applies)
typedef NTSTATUS (*fp_CreatFile)(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PLARGE_INTEGER AllocationSize OPTIONAL,
    IN ULONG FileAttributes,
    IN ULONG ShareAccess,
    IN ULONG CreateDisposition,
    IN ULONG CreateOptions,
    IN PVOID EaBuffer OPTIONAL,
    IN ULONG EaLength
    );
OBJECT_ATTRIBUTES myAttributes;

int _tmain(int argc, _TCHAR* argv[])
{
    fp_CreatFile myFunction;
    // resolve NtCreateFile from ntdll.dll at run time
    HMODULE module = LoadLibrary(L"ntdll.dll");
    if(NULL != module)
    {
        myFunction = (fp_CreatFile)GetProcAddress(module,"NtCreateFile");
    }

    UNICODE_STRING string;
    IO_STATUS_BLOCK fileStatus;
    string.Length = 56;
    string.Buffer = L"C:\\user\\kiddo\\Desktop\\7zFM.exe";
    string.MaximumLength = 56;

    HANDLE fileHandle;
    myAttributes.ObjectName = &string;
    myAttributes.Length = sizeof(OBJECT_ATTRIBUTES);
    long mystatus = myFunction(&fileHandle,FILE_GENERIC_READ,&myAttributes ,&fileStatus,NULL,FILE_ATTRIBUTE_NORMAL,FILE_SHARE_READ,
        NULL,NULL,NULL,NULL);
    return 0;
}

When it tries to call that, it gives the following error in a message box: "Run-Time Check Failure #0 - The value of ESP was not properly saved across a function call. This is usually a result of calling a function declared with one calling convention with a function pointer declared with a different calling convention."

kiddo asked Jun 03 '10 10:06


3 Answers

If you read the MSDN documentation, the first paragraph says:

Note: Before using this function, please read Calling Internal APIs.

Which says that: (I highlighted the important parts)

The Winternl.h header file exposes prototypes of internal Windows APIs. There is no associated import library, so developers must use run-time dynamic linking to call the functions described in this header file.

The functions and structures in Winternl.h are internal to the operating system and subject to change from one release of Windows to the next, and possibly even between service packs for each release. To maintain the compatibility of your application, you should use the equivalent public functions instead. Further information is available in the header file, Winternl.h, and the documentation for each function.

If you do use these functions, you can access them through run-time dynamic linking using LoadLibrary and GetProcAddress. This gives your code an opportunity to respond gracefully if the function has been changed or removed from the operating system. Signature changes, however, may not be detectable.

So you'll have to load the functions you want to use from NtDll.dll before being able to use them.

Here is a non-tested example code sample:

#include <windows.h>
#include <winternl.h>   // NTSTATUS, OBJECT_ATTRIBUTES, IO_STATUS_BLOCK, ...

// NtCreateFile uses the NTAPI (__stdcall) convention, so the pointer type
// must say so; on 32-bit x86 a plain (__cdecl) pointer makes caller and
// callee disagree about who cleans up the stack. The typedef is named
// NtCreateFile_t because winternl.h already declares a function NtCreateFile.
typedef NTSTATUS (__stdcall *NtCreateFile_t)(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PLARGE_INTEGER AllocationSize OPTIONAL,
    IN ULONG FileAttributes,
    IN ULONG ShareAccess,
    IN ULONG CreateDisposition,
    IN ULONG CreateOptions,
    IN PVOID EaBuffer OPTIONAL,
    IN ULONG EaLength
    );

// ntdll.dll is already mapped into every Win32 process, so GetModuleHandle
// is enough; TEXT() keeps the literal correct in both ANSI and Unicode builds.
NtCreateFile_t _NtCreateFile = (NtCreateFile_t)GetProcAddress(GetModuleHandle(TEXT("ntdll.dll")),"NtCreateFile");

if (_NtCreateFile != NULL)
{
    // You can now use the function
    _NtCreateFile(/* params */);
}

// Don't forget to release the resources
ereOn answered Oct 06 '22 00:10
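As an added example (not code from the question or from any of the answers), here is what the run-time linking ereOn describes looks like when the pointer type carries the NTAPI calling convention and the call is set up the way NtCreateFile expects: an NT object path (`\??\C:\...`) rather than a Win32 path, a UNICODE_STRING whose Length is computed instead of hard-coded, a CreateDisposition of FILE_OPEN, and a missing export treated as an error rather than a NULL call. It assumes the Windows SDK's winternl.h for the types; the file path is a constructed sample, and the non-Windows branch exists only so the two path helpers can be compiled and checked off Windows.

```c
/* Added example: resolve NtCreateFile at run time with the right calling
 * convention and call it correctly. Not from the original question or
 * answers. Windows-only parts are compiled under _WIN32; the helpers that
 * fill UNICODE_STRING and build the NT path are plain C. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <wchar.h>

#ifdef _WIN32
#  include <windows.h>
#  include <winternl.h>  /* NTSTATUS, UNICODE_STRING, OBJECT_ATTRIBUTES, IO_STATUS_BLOCK */
/* Guarded in case the SDK header in use lacks these NtCreateFile constants. */
#  ifndef OBJ_CASE_INSENSITIVE
#    define OBJ_CASE_INSENSITIVE 0x00000040L
#  endif
#  ifndef FILE_OPEN
#    define FILE_OPEN 0x00000001
#  endif
#  ifndef FILE_SYNCHRONOUS_IO_NONALERT
#    define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020
#  endif
#  ifndef FILE_NON_DIRECTORY_FILE
#    define FILE_NON_DIRECTORY_FILE 0x00000040
#  endif
#  ifndef NT_SUCCESS
#    define NT_SUCCESS(s) (((NTSTATUS)(s)) >= 0)
#  endif
#  ifndef STATUS_UNSUCCESSFUL
#    define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L)
#  endif
#else
/* Stand-ins so the helpers below compile and can be checked off Windows. */
typedef wchar_t WCHAR, *PWSTR;
typedef uint16_t USHORT;
typedef struct { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING;
#endif

/* Fill a UNICODE_STRING from a NUL-terminated wide string. Length is in
 * BYTES and excludes the terminator; MaximumLength includes it. Returns 0
 * if the string does not fit the 16-bit length fields. */
static int init_unicode_string(UNICODE_STRING *us, PWSTR s)
{
    size_t bytes = wcslen(s) * sizeof(WCHAR);
    if (bytes + sizeof(WCHAR) > 0xFFFF) return 0;
    us->Buffer = s;
    us->Length = (USHORT)bytes;
    us->MaximumLength = (USHORT)(bytes + sizeof(WCHAR));
    return 1;
}

/* NtCreateFile takes an object-manager path, not a Win32 one:
 * "C:\dir\file" must become "\??\C:\dir\file". Returns 0 if out is too small. */
static int to_nt_path(const WCHAR *win32_path, WCHAR *out, size_t out_len)
{
    static const WCHAR prefix[] = L"\\??\\";
    size_t need = (sizeof prefix / sizeof prefix[0] - 1) + wcslen(win32_path) + 1;
    if (out_len < need) return 0;
    wcscpy(out, prefix);
    wcscat(out, win32_path);
    return 1;
}

#ifdef _WIN32
/* NTAPI expands to __stdcall on x86, which is what ntdll's exports use. */
typedef NTSTATUS (NTAPI *NtCreateFile_t)(
    PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes,
    PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes,
    ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions,
    PVOID EaBuffer, ULONG EaLength);

/* Open an existing file for reading through NtCreateFile and return the
 * NTSTATUS; *out receives the handle on success. */
static NTSTATUS open_with_ntcreatefile(const WCHAR *win32_path, HANDLE *out)
{
    WCHAR nt_path[MAX_PATH + 8];
    UNICODE_STRING name;
    OBJECT_ATTRIBUTES oa;
    IO_STATUS_BLOCK iosb;
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll"); /* already mapped in every process */
    NtCreateFile_t pNtCreateFile;

    *out = INVALID_HANDLE_VALUE;
    if (ntdll == NULL) return STATUS_UNSUCCESSFUL;
    pNtCreateFile = (NtCreateFile_t)GetProcAddress(ntdll, "NtCreateFile");
    if (pNtCreateFile == NULL) return STATUS_UNSUCCESSFUL; /* export gone: fail closed */
    if (!to_nt_path(win32_path, nt_path, sizeof nt_path / sizeof nt_path[0]) ||
        !init_unicode_string(&name, nt_path))
        return STATUS_UNSUCCESSFUL;

    memset(&oa, 0, sizeof oa);            /* every field set, not just Length and ObjectName */
    oa.Length = sizeof oa;
    oa.ObjectName = &name;
    oa.Attributes = OBJ_CASE_INSENSITIVE;

    return pNtCreateFile(out, FILE_GENERIC_READ | SYNCHRONIZE, &oa, &iosb, NULL,
                         FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN,
                         FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE, NULL, 0);
}
#endif

int main(void)
{
#ifdef _WIN32
    HANDLE h;
    NTSTATUS st = open_with_ntcreatefile(L"C:\\Windows\\notepad.exe", &h); /* sample path */
    if (NT_SUCCESS(st)) { printf("opened, handle %p\n", (void *)h); CloseHandle(h); }
    else printf("NtCreateFile failed: 0x%08lX\n", (unsigned long)st);
#else
    WCHAR buf[64];
    UNICODE_STRING us;
    to_nt_path(L"C:\\user\\kiddo\\Desktop\\7zFM.exe", buf, 64); /* constructed sample path */
    init_unicode_string(&us, buf);
    printf("%ls -> Length %u bytes\n", buf, (unsigned)us.Length);
#endif
    return 0;
}
```

On 64-bit Windows there is only one calling convention, so the ESP run-time check from the question cannot fire, but the NTAPI typedef is still the correct declaration and costs nothing. Checking the return value of GetProcAddress matters because, as the MSDN text quoted above says, these exports can change or disappear between releases.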


Several possibilities:

  • You say the error message is "_NTCreateFile identifier not found". The name of the API is NtCreateFile() (note the lowercase 't'). It's possible that you're simply using the wrong name.

  • ntifs.h and related link libraries are included in the Windows Driver Kit (WDK), which can be downloaded from here: http://www.microsoft.com/whdc/devtools/wdk/wdkpkg.mspx. You should be able to use the WDK to do what you want a bit more directly than using dynamic linking, but then you generally have to buy into a whole new build system or figure out how to integrate the headers and libraries into your current build.

  • You can use the dynamic linking technique outlined by ereOn.

Michael Burr answered Oct 05 '22 22:10


ZwCreateFile is part of the Windows Driver Kit, not the Windows SDK. You would need to install the driver kit. Some macros and types used by NTCreateFile also require WDK headers. That is clearly stated in the documentation on MSDN.

Clifford answered Oct 06 '22 00:10