Undocumented Kernel APIs


Problem:

Is there information on these APIs: MmGetSystemRoutineAddress, MmGetPhysicalMemoryRanges, PoShutdownBugCheck and RtlInvertRangeList?

Resolution:

Undocumented Win2K Kernel APIs

By Mark Russinovich, Systems Internals

The first is MmGetSystemRoutineAddress:

NTKERNELAPI
PVOID
MmGetSystemRoutineAddress (
    IN PUNICODE_STRING SystemRoutineName
    );

Its use is as straightforward as it looks. Pass in the name of a function that resides either in NTOSKRNL.EXE or HAL.DLL and you'll get back its entry-point address. Like GetProcAddress in user-space for Win32 applications, this function lets a driver dynamically ascertain the availability of an API.

If Microsoft adds new APIs to Win2K service packs (and I'm sure they will), drivers can be written to take advantage of the APIs, but also to either fail gracefully on older versions of Win2K or to run in a mode where they don't use the APIs. The key to a driver being able to do this is the ability to check for the presence of the APIs after loading. Without this functionality a driver has to statically link with the functions it uses, and if the functions aren't present when the driver loads, the kernel loader reports an ugly error to the user and fails to load the driver.
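The load-time feature check described above, as an added example that is not from the KB or from Russinovich's column. It is written in portable C so it builds outside a driver: LookupSystemRoutine() and its export tables are a stand-in for the real kernel lookup (in a driver you would build the name with RtlInitUnicodeString and pass it to MmGetSystemRoutineAddress), and BaselineCopy, FastCopyV2 and the kernel tables are invented for illustration. The point it shows is that the lookup happens once at load time, the result is checked for NULL, and the driver keeps working on a kernel that lacks the newer routine instead of failing to load.

```c
/* Added example (not from the KB or the column): the optional-import
 * pattern MmGetSystemRoutineAddress enables, in portable C. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef int (*COPY_FN)(void *dst, const void *src, size_t n);

/* Routine assumed to exist on every kernel version (hypothetical). */
static int BaselineCopy(void *dst, const void *src, size_t n) {
    memcpy(dst, src, n);
    return 0;
}

/* Routine assumed to be exported only by a newer service pack (hypothetical). */
static int FastCopyV2(void *dst, const void *src, size_t n) {
    memcpy(dst, src, n);
    return 1;   /* distinct return value shows which path ran */
}

/* Stand-in for the kernel's export table; a NULL name ends the table. */
struct Export { const char *name; void *addr; };

/* Same contract as MmGetSystemRoutineAddress: the entry point, or NULL if absent. */
static void *LookupSystemRoutine(const struct Export *table, const char *name) {
    for (; table->name != NULL; table++)
        if (strcmp(table->name, name) == 0)
            return table->addr;
    return NULL;
}

/* Driver-style capability state: resolved once at load, used on every call. */
struct DriverCaps { COPY_FN copy; int usingV2; };

static void InitCaps(struct DriverCaps *caps, const struct Export *exports) {
    void *p = LookupSystemRoutine(exports, "FastCopyV2");
    if (p != NULL) {            /* newer kernel: take the fast path */
        caps->copy = (COPY_FN)p;
        caps->usingV2 = 1;
    } else {                    /* older kernel: degrade instead of failing to load */
        caps->copy = BaselineCopy;
        caps->usingV2 = 0;
    }
}

/* Simulates DriverEntry on a given kernel; returns 1 if the V2 path was chosen. */
static int RunOn(const struct Export *exports) {
    struct DriverCaps caps;
    char src[4] = "abc", dst[4] = {0};
    InitCaps(&caps, exports);
    caps.copy(dst, src, sizeof src);
    return caps.usingV2;
}

/* Constructed export tables for two kernel versions (hypothetical). */
static const struct Export kOldKernel[] = {
    { "BaselineCopy", (void *)BaselineCopy },
    { NULL, NULL }
};
static const struct Export kNewKernel[] = {
    { "BaselineCopy", (void *)BaselineCopy },
    { "FastCopyV2",   (void *)FastCopyV2 },
    { NULL, NULL }
};

int main(void) {
    printf("old kernel uses V2: %d\n", RunOn(kOldKernel));
    printf("new kernel uses V2: %d\n", RunOn(kNewKernel));
    return 0;
}
```

The cast from void * to a function pointer mirrors what a driver does with the PVOID MmGetSystemRoutineAddress returns; the typed pointer is stored once so later code never repeats the lookup or the NULL check.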

The second API is MmGetPhysicalMemoryRanges.

NTKERNELAPI
PPHYSICAL_MEMORY_RANGE
MmGetPhysicalMemoryRanges (
    VOID
    );

Where PHYSICAL_MEMORY_RANGE is:

typedef struct _PHYSICAL_MEMORY_RANGE {
    PHYSICAL_ADDRESS BaseAddress;
    LARGE_INTEGER NumberOfBytes;
} PHYSICAL_MEMORY_RANGE, *PPHYSICAL_MEMORY_RANGE;

This function returns an array of PHYSICAL_MEMORY_RANGE entries, with the end of the array marked by an entry that has 0 for both BaseAddress and NumberOfBytes. Like MmGetSystemRoutineAddress, it's a pretty simple API. It returns to you a description of all the physical memory that Win2K knows about. Win2K supports the addition and removal of memory on the fly with the MmAddPhysicalMemory and MmRemovePhysicalMemory APIs, which is what motivates an API for querying the current memory ranges. Both of these functions are also prototyped in ntddk.h.
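Walking the array with the terminator convention just described, as an added example that is not from the KB or from the column. It declares the struct exactly as given above, with LARGE_INTEGER and PHYSICAL_ADDRESS reduced to the 64-bit QuadPart member this code needs, and runs on a constructed array so it builds outside a driver; the range values and the helper names (SummarizeRanges, IsBackedByRam) are invented. Two details a consumer of the real array has to get right are shown: a range based at physical address 0 is a legitimate entry, so only an entry with both fields zero ends the walk, and base + length must be overflow-checked before it is trusted. In a driver, the buffer MmGetPhysicalMemoryRanges returns belongs to the caller and is released with ExFreePool once the walk is done.

```c
/* Added example (not from the KB or the column): consuming the
 * sentinel-terminated PHYSICAL_MEMORY_RANGE array on a constructed input. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-ins for the Windows types: only QuadPart is modelled. */
typedef union { int64_t QuadPart; } LARGE_INTEGER;
typedef LARGE_INTEGER PHYSICAL_ADDRESS;

typedef struct _PHYSICAL_MEMORY_RANGE {
    PHYSICAL_ADDRESS BaseAddress;
    LARGE_INTEGER NumberOfBytes;
} PHYSICAL_MEMORY_RANGE, *PPHYSICAL_MEMORY_RANGE;

/* Result of one pass over the array. */
struct RangeSummary {
    size_t count;          /* well-formed entries before the terminator */
    uint64_t totalBytes;   /* RAM described by those entries */
    int malformed;         /* nonzero if an entry had a negative field or base+len wrapped */
};

/* The terminator is the entry with BOTH fields zero; a zero base alone is valid RAM. */
static int IsTerminator(const PHYSICAL_MEMORY_RANGE *r) {
    return r->BaseAddress.QuadPart == 0 && r->NumberOfBytes.QuadPart == 0;
}

/* Walk to the terminator, summing bytes and flagging entries that cannot be trusted. */
static struct RangeSummary SummarizeRanges(const PHYSICAL_MEMORY_RANGE *r) {
    struct RangeSummary s = { 0, 0, 0 };
    for (; !IsTerminator(r); r++) {
        uint64_t base = (uint64_t)r->BaseAddress.QuadPart;
        uint64_t len  = (uint64_t)r->NumberOfBytes.QuadPart;
        if (r->BaseAddress.QuadPart < 0 || r->NumberOfBytes.QuadPart < 0 ||
            base > UINT64_MAX - len) {
            s.malformed = 1;   /* never compute base+len without this check */
            continue;
        }
        s.count++;
        s.totalBytes += len;
    }
    return s;
}

/* True if every byte of [addr, addr+len) lies inside a single range. */
static int IsBackedByRam(const PHYSICAL_MEMORY_RANGE *r, uint64_t addr, uint64_t len) {
    if (len == 0 || addr > UINT64_MAX - len)
        return 0;                       /* empty or wrapping request is never "backed" */
    for (; !IsTerminator(r); r++) {
        if (r->BaseAddress.QuadPart < 0 || r->NumberOfBytes.QuadPart < 0)
            continue;                   /* skip entries SummarizeRanges would flag */
        uint64_t base = (uint64_t)r->BaseAddress.QuadPart;
        uint64_t end  = base + (uint64_t)r->NumberOfBytes.QuadPart;
        if (addr >= base && addr + len <= end)
            return 1;
    }
    return 0;
}

/* Constructed sample: 0..640 KB, 1 MB..3 MB, then the {0,0} terminator. */
static const PHYSICAL_MEMORY_RANGE kSample[] = {
    { { 0x000000 }, { 0x0A0000 } },
    { { 0x100000 }, { 0x200000 } },
    { { 0 }, { 0 } }
};

/* Constructed sample with a corrupt entry (negative base) before the terminator. */
static const PHYSICAL_MEMORY_RANGE kBad[] = {
    { { 0x1000 }, { 0x1000 } },
    { { -1 },     { 0x1000 } },
    { { 0 }, { 0 } }
};

int main(void) {
    struct RangeSummary s = SummarizeRanges(kSample);
    printf("%zu ranges, %" PRIu64 " bytes, malformed=%d\n",
           s.count, s.totalBytes, s.malformed);
    printf("0x2FF000..0x300000 backed: %d\n", IsBackedByRam(kSample, 0x2FF000, 0x1000));
    printf("0xF0000 (gap) backed: %d\n", IsBackedByRam(kSample, 0xF0000, 0x10));
    return 0;
}
```

IsBackedByRam deliberately requires the whole request to fall inside one entry; a request straddling the gap between two entries, or running past the end of one, is reported as unbacked.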

PoShutdownBugCheck and RtlInvertRangeList are the other two undocumented APIs. PoShutdownBugCheck lets you crash the system and perform a power-related action like suspending. RtlInvertRangeList is one of the range-list APIs. Ranges are generic start-end specifications that are user-defined and supported by a number of kernel APIs for managing, sorting, and iterating over them. The Win2K Plug-and-Play resource arbiters use them to track and organize hardware-resource requirements. Even though the range-list APIs are not documented, all their prototypes and structure definitions are included in ntddk.h, so you could presumably use the API to manage your own start-end oriented data.

Old KB# 11874