windowskernelprogrammingbook2e

IoCreateSystemThread and ExAllocateFromPagedLookasideList are deprecated? [SC] StartService FAILED 127:The specified procedure could not be found

Open bludmaster6000 opened this issue 1 year ago • 3 comments

When I try to start the KMelody driver using sc start, I get the error mentioned in the title. I have concluded that these two lines cause the error, since when I comment them out I can start the service. After some googling I found one of the reasons for this error: it occurs when the driver references functions that don't exist in the kernel's export table.

return IoCreateSystemThread(io_object, &member_thread_handle, THREAD_ALL_ACCESS, nullptr, NtCurrentProcess(), nullptr, play_melody, this); // IoObject is Driver or Device object

auto full_note = (FullNote*)ExAllocateFromPagedLookasideList(&member_lookaside);

The project is built with Windows SDK Version: 10.0.22621.0 and Target OS Version "Windows 10 or higher". I tried to run the driver using sc start on a VMware virtual machine with the Windows version "Win10 22H2 Build 19045.3803".

How can I use the aforementioned functions, namely IoCreateSystemThread and ExAllocateFromPagedLookasideList? Or what are the alternatives I can use for both of these functions?

bludmaster6000, Sep 22 '24 01:09

The mentioned functions are not new: IoCreateSystemThread is Windows 8+, and ExAllocateFromPagedLookasideList is Windows 2000+. ExAllocateFromPagedLookasideList is now implemented inline. You can use the newer lookaside APIs available from Vista. I'll see if I can update the sample with a recent WDK.

zodiacon, Sep 22 '24 14:09

It's really strange, because I tried using the newer lookaside API as well. The following line causes the error 127:

ExFreeToLookasideListEx(&member_lookaside, note);

All the other newer lookaside functions, such as "ExInitializeLookasideListEx, ExDeleteLookasideListEx, ExAllocateFromLookasideListEx", work as intended, and I can load the driver without commenting out these 3 functions. What I don't understand is why the driver refuses to load and pops a "StartService FAILED 127" error when I try to use the "ExFreeToLookasideListEx" function.

bludmaster6000, Sep 22 '24 16:09

In later versions of the WDK, this function is implemented inline (rather than bound to an exported function). Look at wdm.h:

#if (NTDDI_VERSION >= NTDDI_WIN10_NI)

__drv_allocatesMem(Mem)
_Must_inspect_result_
_IRQL_requires_max_(DISPATCH_LEVEL)
NTKERNELAPI
PVOID
ExAllocateFromLookasideListEx (
    _Inout_ PLOOKASIDE_LIST_EX Lookaside
    );

_IRQL_requires_max_(DISPATCH_LEVEL)
NTKERNELAPI
VOID
ExFreeToLookasideListEx (
    _Inout_ PLOOKASIDE_LIST_EX Lookaside,
    _In_ __drv_freesMem(Entry) PVOID Entry
    );

#else

ExAllocateFromLookasideListEx (
    _Inout_ PLOOKASIDE_LIST_EX Lookaside
    )
{

    PVOID Entry;

    Lookaside->L.TotalAllocates += 1;
    Entry = InterlockedPopEntrySList(&Lookaside->L.ListHead);
    if (Entry == NULL) {
        Lookaside->L.AllocateMisses += 1;
        Entry = (Lookaside->L.AllocateEx)(Lookaside->L.Type,
                                          Lookaside->L.Size,
                                          Lookaside->L.Tag,
                                          Lookaside);
    }

    return Entry;
}

zodiacon, Sep 23 '24 00:09
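
Error 127 at StartService, as the thread describes, means the driver image imports a name that the target kernel does not export. The following added example (not part of the thread or of the book's samples) lists exactly those names by comparing the driver's import table with the export table of a copy of the target machine's ntoskrnl.exe. The function names are hypothetical, and it assumes x64 (PE32+) images passed in as bytes.

```python
import struct

def _parse(data):
    pe, = struct.unpack_from("<I", data, 0x3C)                    # e_lfanew
    opt = pe + 24                                                 # optional header
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0" or data[opt:opt + 2] != b"\x0b\x02":
        raise ValueError("not a PE32+ (x64) image")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    # Data directory 0 is the export table, 1 is the import table: (rva, size).
    dirs = [struct.unpack_from("<II", data, opt + 112 + 8 * i) for i in range(2)]
    secs = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    return dirs, secs                                             # secs: vsize, va, rawsize, rawptr

def _off(secs, rva):
    for _vsize, va, raw_size, raw_ptr in secs:                    # RVA -> file offset
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by file data")

def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def imported_names(data, module="ntoskrnl.exe"):
    # Names the image imports from `module`; ordinal imports are listed as "#n".
    dirs, secs = _parse(data)
    names, rva = [], dirs[1][0]
    while rva:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, _off(secs, rva))
        if not (oft or name_rva or ft):                           # null descriptor ends the table
            break
        if _cstr(data, _off(secs, name_rva)).lower() == module:
            t = _off(secs, oft or ft)
            while (thunk := struct.unpack_from("<Q", data, t)[0]):
                names.append(f"#{thunk & 0xFFFF}" if thunk >> 63
                             else _cstr(data, _off(secs, thunk & 0x7FFFFFFF) + 2))
                t += 8
        rva += 20
    return names

def exported_names(data):
    # Export directory: NumberOfNames at +24, AddressOfNames at +32.
    dirs, secs = _parse(data)
    ed = _off(secs, dirs[0][0])
    count, names_rva = struct.unpack_from("<I4xI", data, ed + 24)
    tbl = _off(secs, names_rva)
    return {_cstr(data, _off(secs, struct.unpack_from("<I", data, tbl + 4 * i)[0]))
            for i in range(count)}

def missing_imports(driver, kernel):
    # Imports the loader cannot bind on this kernel, sorted by name.
    return sorted(set(imported_names(driver)) - exported_names(kernel))
```

Read both files with `open(path, "rb").read()` and pass the bytes to `missing_imports`; an empty list means every ntoskrnl.exe import of the driver resolves on that kernel.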