- When I was a system programmer, I hated having to use the C/C++ runtime library so much, because it forces users to install the "Microsoft Visual C++ Redistributable Package", or else I would need to ship those DLLs with my program, which is big enough to make the program slower. That seemed stupid, because I knew that when they developed the OS they must have had something like the C standard functions, or at least something close to them.
- So at that time I decided to go inside the OS and look for what I needed. I reversed some DLLs (ntdll.dll, ntoskrnl.exe) to see what happens inside the OS. They have all the basic functions I need, and some of the C/C++ runtime actually calls them.
- You can just look at the exported functions of the DLLs without reversing them, with a command on cmd like this:
dumpbin /exports C:\Windows\System32\ntdll.dll
dumpbin /exports C:\Windows\System32\ntoskrnl.exe
- The only thing we need to do is get ntdll.lib and ntoskrnl.lib. The Windows SDK for Windows 7 doesn't ship with either, so you can download WDK 7.1 and use its libraries. Newer Windows SDKs have ntdll.lib but not ntoskrnl.lib, so you can install a newer WDK to get that lib, or it can be found on the internet without other stubs (I guess).
- You can also find on the internet or GitHub some header files to use with the Windows SDK, so you can use the power of the Native (NT OS) API alongside the Win32 API.
- The last thing, but I think the most important thing, when you use ntdll and ntoskrnl in user space:
+ Always put ntdll.lib before ntoskrnl.lib in the libs list when you link objects. ntoskrnl.lib links to ntoskrnl.exe, which has many privileged things that cannot run in user mode, so you should make sure the program calls into ntdll.dll as much as possible; but some stubs are not in ntdll, so, as I mentioned, you need both lib files. Example:
link $(LFLAGS) $(OBJECTS) ntdll.lib ntoskrnl.lib kernel32.lib user32.lib gdi32.lib opengl32.lib MyLibD.lib
+ On 64-bit, you can get whatever WDK version you want and use it. BUT for a 32-bit program, you must download WDK 7.1 or an earlier version and use exactly the ntoskrnl.lib for WinXP:
if you don't use that lib, your program will crash on a privileged instruction that can only be used in kernel mode.
- Well, honestly my English is not good enough for writing articles. The NT OS has many interesting things, but I don't have enough time to tell you about all of them. So I hope you enjoyed it, and see you later!
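As an added check (my example, not code from the original post), here is a small Python script that walks a PE file's import directory, the same list `dumpbin /imports` prints, and flags a build that ended up importing from ntoskrnl.exe instead of ntdll.dll, which is exactly the link-order mistake described above. The PE image it parses is constructed inside the script; to check a real build, read the .exe into bytes and pass them to imported_dlls().

```python
import struct
# Constructed sample, not a real executable: a minimal PE32+ image whose import
# directory names both ntdll.dll and ntoskrnl.exe. Only the fields the parser reads are set.
def build_sample_pe() -> bytes:
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew: PE header at 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                     # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8, 0x1000, 60)         # DataDirectory[1] = import table
    sect = b".rdata\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x40000040)
    data = bytearray(0x200)                                   # section body: RVA 0x1000, file offset 0x200
    struct.pack_into("<IIIII", data, 0, 0x1100, 0, 0, 0x1040, 0x1200)   # IMAGE_IMPORT_DESCRIPTOR #1
    struct.pack_into("<IIIII", data, 20, 0x1100, 0, 0, 0x1050, 0x1200)  # IMAGE_IMPORT_DESCRIPTOR #2
    data[0x40:0x4A], data[0x50:0x5D] = b"ntdll.dll\0", b"ntoskrnl.exe\0"
    hdr = bytes(dos) + coff + bytes(opt) + sect
    return hdr + b"\0" * (0x200 - len(hdr)) + bytes(data)

def rva_to_offset(image: bytes, pe: int, rva: int) -> int:  # RVA -> file offset via the section table
    nsect = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    for i in range(nsect):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", image, pe + 24 + opt_size + i * 40 + 8)
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is outside every section")

def imported_dlls(image: bytes) -> list:
    """Module names in the import directory, the same list 'dumpbin /imports' prints."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe + 24
    pe32plus = struct.unpack_from("<H", image, opt)[0] == 0x20B   # else PE32 (32-bit) layout
    ndirs = struct.unpack_from("<I", image, opt + (108 if pe32plus else 92))[0]
    imp_rva = struct.unpack_from("<I", image, opt + (112 if pe32plus else 96) + 8)[0] if ndirs > 1 else 0
    names, off = [], rva_to_offset(image, pe, imp_rva) if imp_rva else None
    while off is not None:
        desc = struct.unpack_from("<IIIII", image, off)  # OriginalFirstThunk, stamp, chain, Name, FirstThunk
        if not any(desc):                                 # an all-zero descriptor ends the table
            break
        name_off = rva_to_offset(image, pe, desc[3])
        names.append(image[name_off:image.index(b"\0", name_off)].decode("ascii"))
        off += 20
    return names

def kernel_only_imports(image: bytes) -> list:  # imports that resolve to the kernel image, not a user-mode DLL
    return [n for n in imported_dlls(image) if n.lower() == "ntoskrnl.exe"]
```

If kernel_only_imports() returns anything for your user-mode build, the link order or the ntoskrnl.lib version needs fixing before the program will run.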