0

I am trying to use NtQuerySystemInformation to list all the loaded modules. I am using the source code from http://www.rohitab.com/discuss/topic/40696-list-loaded-drivers-with-ntquerysysteminformation/ and it looks like this:

#include <stdio.h>
#include <Windows.h>
#include <winternl.h>

#pragma comment(lib,"ntdll.lib")

// These structures are copied from Process Hacker source code (ntldr.h)

typedef struct _RTL_PROCESS_MODULE_INFORMATION
{
    HANDLE Section;
    PVOID MappedBase;
    PVOID ImageBase;
    ULONG ImageSize;
    ULONG Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT OffsetToFileName;
    UCHAR FullPathName[256];
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;

typedef struct _RTL_PROCESS_MODULES
{
    ULONG NumberOfModules;
    RTL_PROCESS_MODULE_INFORMATION Modules[1];
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;

int main()
{
    NTSTATUS status;
    ULONG i;

    PRTL_PROCESS_MODULES ModuleInfo;

    ModuleInfo=(PRTL_PROCESS_MODULES)VirtualAlloc(NULL,1024*1024,MEM_COMMIT|MEM_RESERVE,PAGE_READWRITE); // Allocate memory for the module list

    if(!ModuleInfo)
    {
        printf("\nUnable to allocate memory for module list (%d)\n",GetLastError());
        return -1;
    }

    if(!NT_SUCCESS(status=NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)11,ModuleInfo,1024*1024,NULL))) // 11 = SystemModuleInformation
    {
        printf("\nError: Unable to query module list (%#x)\n",status);

        VirtualFree(ModuleInfo,0,MEM_RELEASE);
        return -1;
    }

    for(i=0;i<ModuleInfo->NumberOfModules;i++)
    {
        printf("\n*****************************************************\n");
        printf("\nImage base: %#x\n",ModuleInfo->Modules[i].ImageBase);
        printf("\nImage name: %s\n",ModuleInfo->Modules[i].FullPathName+ModuleInfo->Modules[i].OffsetToFileName);
        printf("\nImage full path: %s\n",ModuleInfo->Modules[i].FullPathName);
        printf("\nImage size: %d\n",ModuleInfo->Modules[i].ImageSize);
        printf("\n*****************************************************\n");
    }

    VirtualFree(ModuleInfo,0,MEM_RELEASE);
    return 0;
}

However, when I try to compile it with Dev C++, it gives me Undefined reference to `NtQuerySystemInformation@16'. When I ctrl+click the "#include winternl.h, it brings me to the winternl.h file which shows that NtQuerySystemInformation has already been defined as follows:

 NTSTATUS NTAPI NtQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass,PVOID SystemInformation,ULONG SystemInformationLength,PULONG ReturnLength);

I tried adding the flags -L and -lm to the linker options in Dev C++ but to no avail. Am i missing any steps?

Lew Wei Hao
  • 763
  • 1
  • 13
  • 25
  • Voting to reopen. I believe this particular problem is too narrow to answer on the proposed duplicate, which is for "common causes". – Harry Johnston Oct 03 '17 at 21:04
  • 2
    I'd have preferred to post this as an answer, but until such time (if ever) as the question is reopened --- this is explained in the documentation: "This function has no associated import library. You must use the LoadLibrary and GetProcAddress functions to dynamically link to Ntdll.dll." – Harry Johnston Oct 03 '17 at 21:08
  • I don't think it's a reopen candidate until the question shows the linker command used. A vague statement such as "*I tried adding the flags `-L` and `-lm` to the linker options*" isn't specific enough to reproduce the problem. And the sample code can be cut down *a lot* to become a [mcve]. – Toby Speight Oct 04 '17 at 12:03

0 Answers0