Interop Functions (NTDLL.DLL)

Thread starter: Olaf

Olaf

I'm writing an application that can disable and enable a given network
adapter (NIC) using C#. I realize that this can be handled using
netsh.exe, but I don't want to call a process for an external
executable if I don't have to. To do this, I can't figure out any way
save using an interop to call a function in ntdll.dll. The function
(NtUnloadDriver or ZwUnloadDriver) is not a documented function, but
doing a bit of searching you find the following:

NTSYSAPI NTSTATUS NTAPI NtUnloadDriver(IN PUNICODE_STRING DriverServiceName);

I'm not completely sure what the three words in caps designate in the
beginning of that function, nor am I completely sure what a pUnicode
value type is. Suffice it to say, I don't believe my string contains
any unicode values within it. My C# implementation looks like this:

[DllImport("NTDLL.DLL",
    EntryPoint="ZwUnloadDriver",
    SetLastError=true,
    CharSet=CharSet.Unicode,
    ExactSpelling=true,
    CallingConvention=CallingConvention.Winapi)]
private static extern int ZwUnloadDriver(string DriverServiceName);

From there, I simply created a public function to call the return from
the ZwUnloadDriver static. The problem is that I'm getting an obscure
error (-1073741773) that I have no idea what to do with. The
DriverServiceName variable is being defined from the command line:
"//registry//machine//SYSTEM//CurrentControlSet//Services//"

I read somewhere that the DriverServiceName needed to be in "system
format," but I'm only guessing from some examples I saw.

I've seen the NTDLL.DLL used in other interop functions with success,
so I know it's possible. It could be a security issue if I need to be
acquiring some privilege from kernel32.dll before talking to ntdll.dll,
but I'm not certain on that. Let me know what you think.
 
Olaf said:
nor am I completely sure what a pUnicode value type is.

It's a struct defined as

typedef struct _UNICODE_STRING {
    USHORT Length;        // byte count of Buffer, excluding the terminator
    USHORT MaximumLength; // byte count allocated for Buffer
    PWSTR  Buffer;
} UNICODE_STRING;

which in this case can be translated to

[StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
struct UNICODE_STRING
{
    public ushort Length;        // in bytes, not characters
    public ushort MaximumLength; // in bytes, not characters
    public string Buffer;        // marshalled as a pointer to a NUL-terminated wide string
}

in C#. Then change the method signature to

private static extern int ZwUnloadDriver(ref UNICODE_STRING DriverServiceName);

Mattias
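As an added example (not code from the thread), here is a C# version of the UNICODE_STRING approach above that sets both length fields in bytes, keeps the buffer in unmanaged memory so the pointer the kernel receives stays valid for the duration of the call, and decodes the returned NTSTATUS through ntdll's RtlNtStatusToDosError instead of leaving it as an opaque negative integer. For reference, -1073741773 is 0xC0000033, STATUS_OBJECT_NAME_INVALID, which is what a malformed NT object path produces; the NtInterop class name and the serviceName parameter are assumptions.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

static class NtInterop
{
    // Native layout of UNICODE_STRING: both lengths are byte counts, not character counts.
    [StructLayout(LayoutKind.Sequential)]
    public struct UNICODE_STRING
    {
        public ushort Length;        // bytes in Buffer, excluding the terminating NUL
        public ushort MaximumLength; // bytes allocated for Buffer, including the NUL
        public IntPtr Buffer;        // PWSTR kept in unmanaged memory so it stays valid
    }

    [DllImport("ntdll.dll", ExactSpelling = true)]
    static extern int ZwUnloadDriver(ref UNICODE_STRING DriverServiceName);

    // Documented ntdll export: maps an NTSTATUS to the nearest Win32 error code.
    [DllImport("ntdll.dll", ExactSpelling = true)]
    static extern int RtlNtStatusToDosError(int Status);

    public static UNICODE_STRING MakeUnicodeString(string s)
    {
        if (s.Length * 2 + 2 > ushort.MaxValue)
            throw new ArgumentException("too long for UNICODE_STRING", "s");
        return new UNICODE_STRING
        {
            Length = (ushort)(s.Length * 2),
            MaximumLength = (ushort)(s.Length * 2 + 2),
            Buffer = Marshal.StringToHGlobalUni(s), // caller frees with Marshal.FreeHGlobal
        };
    }

    public static string DescribeStatus(int ntstatus)
    {
        int win32 = RtlNtStatusToDosError(ntstatus);
        return string.Format("NTSTATUS 0x{0:X8} -> Win32 error {1}: {2}",
                             ntstatus, win32, new Win32Exception(win32).Message);
    }

    // Needs SeLoadDriverPrivilege, i.e. an elevated administrator token.
    public static int UnloadDriver(string serviceName)
    {
        // NtUnloadDriver expects the NT object path of the service key, with backslashes.
        string ntPath = @"\Registry\Machine\SYSTEM\CurrentControlSet\Services\" + serviceName;
        UNICODE_STRING us = MakeUnicodeString(ntPath);
        try { int status = ZwUnloadDriver(ref us); if (status < 0) Console.WriteLine(DescribeStatus(status)); return status; }
        finally { Marshal.FreeHGlobal(us.Buffer); }
    }
}
```

A non-negative return means success; any negative status is printed in decoded form before being returned to the caller.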
 
Olaf said:
I'm writing an application that can disable and enable a given network
adapter (NIC) using C#. I realize that this can be handled using
netsh.exe, but I don't want to call a process for an external
executable if I don't have to. To do this, I can't figure out any way
save using an interop to call a function in ntdll.dll. The function
(NtUnloadDriver or ZwUnloadDriver) is not a documented function, but
doing a bit of searching you find the following:

NTSYSAPI NTSTATUS NTAPI NtUnloadDriver(IN PUNICODE_STRING DriverServiceName);

I'm not completely sure what the three words in caps designate in the
beginning of that function, nor am I completely sure what a pUnicode
value type is. Suffice it to say, I don't believe my string contains
any unicode values within it. My C# implementation looks like this:

[DllImport("NTDLL.DLL",
    EntryPoint="ZwUnloadDriver",
    SetLastError=true,
    CharSet=CharSet.Unicode,
    ExactSpelling=true,
    CallingConvention=CallingConvention.Winapi)]
private static extern int ZwUnloadDriver(string DriverServiceName);

From there, I simply created a public function to call the return from
the ZwUnloadDriver static. The problem is that I'm getting an obscure
error (-1073741773) that I have no idea what to do with. The
DriverServiceName variable is being defined from the command line:
"//registry//machine//SYSTEM//CurrentControlSet//Services//"

I read somewhere that the DriverServiceName needed to be in "system
format," but I'm only guessing from some examples I saw.

I've seen the NTDLL.DLL used in other interop functions with success,
so I know it's possible. It could be a security issue if I need to be
acquiring some privilege from kernel32.dll before talking to ntdll.dll,
but I'm not certain on that. Let me know what you think.

No need to call undocumented ntdll.dll functions; use the System.Management
classes and call StopService on the WMI Win32_SystemDriver class.

Willy.
 