Interop Functions (NTDLL.DLL)

I'm writing an application that can disable and enable a given network
adapter (NIC) using C#. I realize that this can be handled using
netsh.exe, but I don't want to call a process for an external
executable if I don't have to. To do this, I can't figure out any way
save using an interop to call a function in ntdll.dll. The function
(NtUnloadDriver or ZwUnloadDriver) is not a documented function, but
doing a bit of searching you find the following:

    NTSYSAPI NTSTATUS NTAPI NtUnloadDriver(IN PUNICODE_STRING DriverServiceName);

I'm not completely sure what the three words in caps designate in the
beginning of that function, nor am I completely sure what a pUnicode
value type is. Suffice it to say, I don't believe my string contains
any unicode values within it. My C# implementation looks like this:

    [DllImport("NTDLL.DLL",
        EntryPoint="ZwUnloadDriver",
        SetLastError=true,
        CharSet=CharSet.Unicode,
        ExactSpelling=true,
        CallingConvention=CallingConvention.Winapi)]
    private static extern int ZwUnloadDriver(string DriverServiceName);

From there, I simply created a public function to call the return from
the ZwUnloadDriver static. The problem is that I'm getting an obscure
error (-1073741773) that I have no idea what to do with. The
DriverServiceName variable is being defined from the command line:
"//registry//machine//SYSTEM//CurrentControlSet//Services//"

I read somewhere that the DriverServiceName needed to be in "system
format," but I'm only guessing from some examples I saw.

I've seen the NTDLL.DLL used in other interop functions with success,
so I know it's possible. It could be a security issue if I need to be
acquiring some privilege from kernel32.dll before talking to ntdll.dll,
but I'm not certain on that. Let me know what you think.
Nov 17 '05 #1
> nor am I completely sure what a pUnicode value type is.


It's a struct defined as

    typedef struct _UNICODE_STRING {
        USHORT Length;
        USHORT MaximumLength;
        PWSTR  Buffer;
    } UNICODE_STRING;

which in this case can be translated to

    [StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
    struct UNICODE_STRING
    {
        public ushort Length;         // length of Buffer in bytes, not characters
        public ushort MaximumLength;  // allocated size of Buffer in bytes
        public string Buffer;         // marshaled as a wide string (CharSet.Unicode)
    }

in C#. Then change the method signature to

    private static extern int ZwUnloadDriver(ref UNICODE_STRING DriverServiceName);

Mattias

--
Mattias Sjögren [MVP] mattias @ mvps.org
http://www.msjogren.net/dotnet/ | http://www.dotnetinterop.com
Please reply only to the newsgroup.
Nov 17 '05 #2
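
Added example (not part of the thread and not the posters' code): a complete C# program built around the struct above, showing how the two length fields are filled and how the returned NTSTATUS is decoded. The asker's -1073741773 is 0xC0000033, STATUS_OBJECT_NAME_INVALID. The class and helper names, and taking the service key name from the command line, are assumptions; the calling token also needs SeLoadDriverPrivilege enabled.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

static class UnloadDriverDemo   // hypothetical name, for illustration only
{
    [StructLayout(LayoutKind.Sequential)]
    struct UNICODE_STRING
    {
        public ushort Length;          // bytes in use, terminator excluded
        public ushort MaximumLength;   // bytes allocated, terminator included
        [MarshalAs(UnmanagedType.LPWStr)] public string Buffer;
    }

    // Native API calls return an NTSTATUS directly and do not set the Win32
    // last error, so SetLastError=true adds nothing here.
    [DllImport("ntdll.dll", ExactSpelling = true)]
    static extern int NtUnloadDriver(ref UNICODE_STRING driverServiceName);

    [DllImport("ntdll.dll", ExactSpelling = true)]
    static extern uint RtlNtStatusToDosError(int ntStatus);

    static UNICODE_STRING MakeUnicodeString(string s)
    {
        int bytes = checked(s.Length * sizeof(char));
        if (bytes + sizeof(char) > ushort.MaxValue)
            throw new ArgumentException("string too long for UNICODE_STRING");
        return new UNICODE_STRING { Length = (ushort)bytes,
            MaximumLength = (ushort)(bytes + sizeof(char)), Buffer = s };
    }

    static string Describe(int status)
    {
        uint win32 = RtlNtStatusToDosError(status);
        return string.Format("NTSTATUS 0x{0:X8}, Win32 error {1}: {2}",
            unchecked((uint)status), win32, new Win32Exception((int)win32).Message);
    }

    static void Main(string[] args)
    {
        // The value from the question: 0xC0000033, STATUS_OBJECT_NAME_INVALID.
        Console.WriteLine(Describe(-1073741773));
        if (args.Length != 1 || args[0].IndexOf('\\') >= 0) return;
        // Native registry path with single backslashes; args[0] is the service key name.
        UNICODE_STRING name = MakeUnicodeString(
            @"\Registry\Machine\System\CurrentControlSet\Services\" + args[0]);
        int status = NtUnloadDriver(ref name);
        // 0xC0000061 (STATUS_PRIVILEGE_NOT_HELD): SeLoadDriverPrivilege is not enabled.
        Console.WriteLine(status == 0 ? "Driver unloaded." : Describe(status));
    }
}
```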

"Olaf" <ol******@checkfree.com.NOSPAM> wrote in message
news:Xn*********************************@207.46.24 8.16...
> I'm writing an application that can disable and enable a given network
> adapter (NIC) using C#. I realize that this can be handled using
> netsh.exe, but I don't want to call a process for an external
> executable if I don't have to. To do this, I can't figure out any way
> save using an interop to call a function in ntdll.dll. The function
> (NtUnloadDriver or ZwUnloadDriver) is not a documented function, but
> doing a bit of searching you find the following:
>
> NTSYSAPI NTSTATUS NTAPI NtUnloadDriver(IN PUNICODE_STRING
> DriverServiceName);
>
> I'm not completely sure what the three words in caps designate in the
> beginning of that function, nor am I completely sure what a pUnicode
> value type is. Suffice it to say, I don't believe my string contains
> any unicode values within it. My C# implementation looks like this:
>
> [DllImport("NTDLL.DLL",
> EntryPoint="ZwUnloadDriver",
> SetLastError=true,
> CharSet=CharSet.Unicode,
> ExactSpelling=true,
> CallingConvention=CallingConvention.Winapi)]
> private static extern int ZwUnloadDriver(string DriverServiceName);
>
> From there, I simply created a public function to call the return from
> the ZwUnloadDriver static. The problem is that I'm getting an obscure
> error (-1073741773) that I have no idea what to do with. The
> DriverServiceName variable is being defined from the command line:
> "//registry//machine//SYSTEM//CurrentControlSet//Services//"
>
> I read somewhere that the DriverServiceName needed to be in "system
> format," but I'm only guessing from some examples I saw.
>
> I've seen the NTDLL.DLL used in other interop functions with success,
> so I know it's possible. It could be a security issue if I need to be
> acquiring some privilege from kernel32.dll before talking to ntdll.dll,
> but I'm not certain on that. Let me know what you think.

No need to call undocumented ntdll.dll functions, use System.Management
classes and call StopService on the WMI win32_SystemDriver class.

Willy.

Nov 17 '05 #3
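
Added example (not part of the thread and not the poster's code): one way to make the documented call suggested above, using System.Management to invoke StopService on a Win32_SystemDriver instance and report its return code. The class name, the command-line argument and the conservative allow-list for driver names are assumptions; the project must reference System.Management.

```csharp
using System;
using System.Management;
using System.Text.RegularExpressions;

static class StopDriverViaWmi   // hypothetical name, for illustration only
{
    // Return codes 0-7 of the StopService method.
    static readonly string[] Codes = {
        "Success", "Not Supported", "Access Denied", "Dependent Services Running",
        "Invalid Service Control", "Service Cannot Accept Control",
        "Service Not Active", "Service Request Timeout" };

    static uint StopDriver(string name)
    {
        // Assumed allow-list: reject anything that could change the WQL query text.
        if (!Regex.IsMatch(name, @"^[A-Za-z0-9_.\-]{1,256}$"))
            throw new ArgumentException("unexpected characters in driver name", "name");

        string wql = "SELECT * FROM Win32_SystemDriver WHERE Name = '" + name + "'";
        using (var searcher = new ManagementObjectSearcher(wql))
        using (ManagementObjectCollection results = searcher.Get())
        {
            foreach (ManagementObject driver in results)
            {
                using (driver)
                {
                    Console.WriteLine("{0}: State={1}, AcceptStop={2}",
                        driver["Name"], driver["State"], driver["AcceptStop"]);
                    return Convert.ToUInt32(driver.InvokeMethod("StopService", null));
                }
            }
        }
        throw new InvalidOperationException("No driver named " + name);
    }

    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: StopDriverViaWmi <driver service name>");
            return 2;
        }
        uint rc = StopDriver(args[0]);
        string text = rc < Codes.Length ? Codes[rc] : "see Win32_SystemDriver documentation";
        Console.WriteLine("StopService returned {0} ({1})", rc, text);
        return rc == 0 ? 0 : 1;
    }
}
```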
