DriverLoader: Windows 8+: Try to load HAL.dll functions from ntoskrnl.exe first

src/driver/loader/fortdl_amalg.c

@@ -2,6 +2,7 @@
 
 #define FORT_AMALG
 #define FORT_DRIVER
+#define FORT_DEBUG
 
 #include "../fortutl.c"
 

src/driver/loader/fortmm.c

@@ -208,7 +208,7 @@ static NTSTATUS PerformBaseRelocation(
 
 /* Build the import address table: Library functions. */
 static NTSTATUS BuildImportTableLibrary(PUCHAR codeBase, const PIMAGE_IMPORT_DESCRIPTOR importDesc,
-        LPCSTR libName, LOADEDMODULE libModule)
+        LPCSTR libName, PLOADEDMODULE libModule, PLOADEDMODULE forwardModule)
 {
     NTSTATUS status = STATUS_SUCCESS;
 
@@ -228,8 +228,18 @@ static NTSTATUS BuildImportTableLibrary(PUCHAR codeBase, const PIMAGE_IMPORT_DES
             funcName = (LPCSTR) &thunkData->Name;
         }
 
-        *funcRef = ModuleGetProcAddress(&libModule, funcName);
-        if (*funcRef == 0) {
+        if (forwardModule != NULL) {
+            *funcRef = ModuleGetProcAddress(forwardModule, funcName);
+            if (*funcRef != NULL) {
+#ifdef FORT_DEBUG
+                LOG("Loader Module: Import forwarded: %s: %s: %p\n", libName, funcName, *funcRef);
+#endif
+                continue;
+            }
+        }
+
+        *funcRef = ModuleGetProcAddress(libModule, funcName);
+        if (*funcRef == NULL) {
             LOG("Loader Module: Error: Procedure Not Found: %s: %s\n", libName, funcName);
             status = STATUS_PROCEDURE_NOT_FOUND;
         } else {
@@ -258,6 +268,21 @@ static NTSTATUS BuildImportTable(PUCHAR codeBase, PIMAGE_NT_HEADERS pHeaders)
     if (!NT_SUCCESS(status))
         return status;
 
+#if defined(FORT_WIN7_COMPAT)
+    LOADEDMODULE kernelModule = { NULL };
+    {
+        RTL_OSVERSIONINFOW osvi;
+        RtlZeroMemory(&osvi, sizeof(osvi));
+        osvi.dwOSVersionInfoSize = sizeof(osvi);
+        RtlGetVersion(&osvi);
+        const BOOL isWindows7 = (osvi.dwMajorVersion == 6 && osvi.dwMinorVersion == 1);
+
+        if (!isWindows7) {
+            GetModuleInfo(&kernelModule, "ntoskrnl.exe", modules, modulesCount);
+        }
+    }
+#endif
+
     status = STATUS_SUCCESS;
 
     PIMAGE_IMPORT_DESCRIPTOR importDesc =
@@ -273,7 +298,16 @@ static NTSTATUS BuildImportTable(PUCHAR codeBase, PIMAGE_NT_HEADERS pHeaders)
             break;
         }
 
-        status = BuildImportTableLibrary(codeBase, importDesc, libName, libModule);
+        PLOADEDMODULE forwardModule = NULL;
+#if defined(FORT_WIN7_COMPAT)
+        if (kernelModule.codeBase != NULL && _stricmp(libName, "hal.dll") == 0) {
+            /* Functions of HAL.dll are exported from kernel on Windows 8+ */
+            LOG("Loader Module: Forward to kernel: %s\n", libName);
+            forwardModule = &kernelModule;
+        }
+#endif
+
+        status = BuildImportTableLibrary(codeBase, importDesc, libName, &libModule, forwardModule);
         if (!NT_SUCCESS(status)) {
             LOG("Loader Module: Library Import Error: %s\n", libName);
             break;

src/driver/wdm/um_wdm.c

@@ -271,6 +271,12 @@ void RtlTimeToTimeFields(PLARGE_INTEGER time, PTIME_FIELDS timeFields)
     UNUSED(timeFields);
 }
 
+NTSTATUS RtlGetVersion(PRTL_OSVERSIONINFOW versionInformation)
+{
+    UNUSED(versionInformation);
+    return STATUS_SUCCESS;
+}
+
 NTSTATUS ZwOpenKey(
         PHANDLE keyHandle, ACCESS_MASK desiredAccess, POBJECT_ATTRIBUTES objectAttributes)
 {

src/driver/wdm/um_wdm.h

@@ -286,6 +286,8 @@ FORT_API void KeQuerySystemTime(PLARGE_INTEGER time);
 FORT_API void ExSystemTimeToLocalTime(PLARGE_INTEGER systemTime, PLARGE_INTEGER localTime);
 FORT_API void RtlTimeToTimeFields(PLARGE_INTEGER time, PTIME_FIELDS timeFields);
 
+FORT_API NTSTATUS RtlGetVersion(PRTL_OSVERSIONINFOW versionInformation);
+
 FORT_API NTSTATUS ZwOpenKey(
         PHANDLE keyHandle, ACCESS_MASK desiredAccess, POBJECT_ATTRIBUTES objectAttributes);
 FORT_API NTSTATUS ZwClose(HANDLE handle);