malloc, free, mbtowc problem

Discussion in 'Windows Vista Drivers' started by Hasber, Apr 30, 2008.

  1. Hasber Guest

    I'm working on file hooking.
    I have applied two basic hooks, i.e. NtCreateFile and NtOpenFile.
    I am almost finished, but with a very simple error that I am unable to resolve:

    I am allocating dynamic memory to a char pointer, i.e.
    char *cPtrDst ;
    cPtrDst = (char*)malloc(size);
    and deallocating it with free,

    and I am converting this array into a wchar_t variable
    using:
    wchar_t dir[10];//suppose its an array
    result = mbtowc(dir,cPtrDst,size);

    When I compile the driver it gives the error:
    error LNK2019: unresolved external symbol __imp__free referenced in function
    [email protected]

    unresolved external symbol __imp__malloc referenced in function
    [email protected]

    I have included stdlib.h

    but in vain...
    Any idea about the error?
    Hasber, Apr 30, 2008

  2. Don Burn Guest

    Well you are far from done for a lot of reasons. First you cannot use
    malloc, free or other user space calls in a kernel driver, so essentially
    all the code you have listed is not going to work in the kernel.

    But that is not the worst thing, you are hooking two calls that are easily
    intercepted by approved means. Hooking is extremely dangerous, and is
    blocked for 64-bit systems. Also, hooking drivers are flagged as MALWARE,
    so you have created something that is going to be looked at with disdain.

    Get the WDK, and some good books such as Walter Oney's "Programming the
    Windows Driver Model, Second Edition" and plan to take some time to
    understand the environment.

    Don Burn (MVP, Windows DDK)
    Windows 2k/XP/2k3 Filesystem and Driver Consulting
    Remove StopSpam to reply
    Don Burn, Apr 30, 2008

  3. Hasber Guest

    I'm happy that I got such a fast response.
    Well, I am only working for Windows XP.
    Whatever harmful... the main thing is the task which I have to accomplish.
    OK, if I can't allocate memory, then can you tell me what to do for that?
    Now do I have to use arrays?
    And what about conversion of char data to wide characters?
    Hasber, Apr 30, 2008
  4. Don Burn Guest

    No, you can allocate memory and do conversion, but you have to use the
    correct APIs, not the C runtimes. What are you trying to do, and why do you
    insist on hooking? As you are obviously a newbie, the odds of your hooking
    without destroying the system are probably slim to none.

    Don Burn (MVP, Windows DDK)
    Windows 2k/XP/2k3 Filesystem and Driver Consulting
    Remove StopSpam to reply

    Don Burn, Apr 30, 2008
  5. Hasber Guest

    Well, Mr. Don,
    I am working on a project which will restrict the malicious movement of
    files across the network or any physical media,
    in which I will apply policies like "block delete access of txt files" and
    "block copy paste access of pdf".
    To do so, what I got is to just hook the functions.
    I know now that I can't use it in Vista.
    Now do guide me on what I should adopt to make it work, because I have to rewrite things again.

    Hasber, Apr 30, 2008
  6. Don Burn Guest

    Go take a look at any of the samples in the WDK, there are calls here for
    doing allocates and frees (hint: look under Ex*** calls) and for character
    conversions (under Rtl***). Really, if you are asking this level of
    questions you need to step back and read a good book or take a course on
    Windows driver writing. You have a lot to learn, to even know the questions
    you should be asking. The effort you are attempting to do is one of the
    most complex problems in Windows, you will not see copies, you cannot easily
    know that someone is accessing file X then sending it to file Y. Start
    learning the basics, then go to http://www, join the NTFSD
    newsgroup and ask these questions, but do not mention hooking there if you
    want help.

    Don Burn (MVP, Windows DDK)
    Windows 2k/XP/2k3 Filesystem and Driver Consulting
    Remove StopSpam to reply

    Don Burn, Apr 30, 2008
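
Added example, not part of the thread and not any poster's code: one way to do the allocation and narrow-to-wide conversion from the original question with the Ex*** and Rtl*** families named above (ExAllocatePoolWithTag, ExFreePoolWithTag, RtlMultiByteToUnicodeN). NarrowToWide, FreeWide, PATH_TAG and MAX_SRC_BYTES are hypothetical names, and the `#else` branch holds constructed user-mode stand-ins (ASCII only) so the same file also builds outside the WDK.

```c
#if defined(_KERNEL_MODE)          /* MSVC /kernel: real driver build */
#include <ntifs.h>
#else  /* host build: constructed user-mode stand-ins, ASCII only */
#include <stdlib.h>
typedef int NTSTATUS;
typedef unsigned int ULONG;
typedef unsigned short WCHAR;
#define STATUS_SUCCESS                ((NTSTATUS)0)
#define STATUS_INVALID_PARAMETER      ((NTSTATUS)0xC000000D)
#define STATUS_INSUFFICIENT_RESOURCES ((NTSTATUS)0xC000009A)
#define NT_SUCCESS(s) ((NTSTATUS)(s) >= 0)
#define ExAllocatePoolWithTag(type, bytes, tag) malloc(bytes)
#define ExFreePoolWithTag(p, tag) free(p)
static NTSTATUS RtlMultiByteToUnicodeN(WCHAR *dst, ULONG maxBytes, ULONG *outBytes,
                                       const char *src, ULONG srcBytes)
{
    ULONG i, n = maxBytes / (ULONG)sizeof(WCHAR);
    if (n > srcBytes) n = srcBytes;
    for (i = 0; i < n; i++) dst[i] = (unsigned char)src[i];
    if (outBytes) *outBytes = n * (ULONG)sizeof(WCHAR);
    return STATUS_SUCCESS;
}
#endif

#define PATH_TAG 'htaP'            /* hypothetical pool tag */
#define MAX_SRC_BYTES 0x7FFF       /* hypothetical upper bound on input size */

/* Widen a counted narrow string into a new NUL-terminated WCHAR buffer.
   Assumed to run at PASSIVE_LEVEL; release the result with FreeWide(). */
NTSTATUS NarrowToWide(const char *src, ULONG srcBytes, WCHAR **out)
{
    ULONG written = 0;
    ULONG dstBytes;
    WCHAR *dst;
    NTSTATUS st;
    *out = NULL;
    if (srcBytes > MAX_SRC_BYTES) return STATUS_INVALID_PARAMETER;
    dstBytes = (ULONG)((srcBytes + 1) * sizeof(WCHAR));      /* room for NUL */
    dst = (WCHAR *)ExAllocatePoolWithTag(PagedPool, dstBytes, PATH_TAG);
    if (dst == NULL) return STATUS_INSUFFICIENT_RESOURCES;   /* always check */
    st = RtlMultiByteToUnicodeN(dst, dstBytes - (ULONG)sizeof(WCHAR), &written,
                                src, srcBytes);
    if (!NT_SUCCESS(st)) { ExFreePoolWithTag(dst, PATH_TAG); return st; }
    dst[written / sizeof(WCHAR)] = 0;                        /* terminate */
    *out = dst;
    return STATUS_SUCCESS;
}

void FreeWide(WCHAR *p) { if (p) ExFreePoolWithTag(p, PATH_TAG); }
```

On current WDKs ExAllocatePoolWithTag is deprecated in favor of ExAllocatePool2; the XP/Vista-era target discussed in this thread predates that.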
  7. The task is futile and is beyond the traditional OS security model. The best
    approximation to that is using locked-down slim clients as pure browsers.
    Even then you have no way of stopping your untrusted users from simply
    taking photographs of the screen.

    Alexander Grigoriev, May 1, 2008
  8. Go read the kernel documentation to get the knowledge about what is the
    kernel mode replacement for malloc().
    Maxim S. Shatskih, May 1, 2008
  9. Use FltMgr and the minifilter instead of hooking.

    Hooking is unstable by definition (especially if the hooker driver tries to
    unload) and is prohibited by self-repair mechanisms in Win64.

    Maxim Shatskih, Windows DDK MVP
    StorageCraft Corporation

    Maxim S. Shatskih, May 1, 2008