LoadLibrary cannot find ntoskrnl


I am writing a small app which calls KeBugCheck and crashes the system, but LoadLibrary is unable to find ntoskrnl.exe (I get 126 as the return value when calling GetLastError).

Here is my code:

void* fnc;
bcLib = LoadLibrary((LPCWSTR)"ntoskrnl.exe");
fnc = (void*) GetProcAddress(bcLib, (LPCSTR)"KeBugCheck");
KeBugCheck = (int(*)(ULONG))fnc;

Also, in the debug window, I see this error:

First-chance exception at 0x00000000 in app.exe: 0xC0000005: Access violation executing location 0x00000000.

Any help will be very much appreciated.

asked on Stack Overflow Aug 4, 2013 by noobprohacker

2 Answers


KeBugCheck is a kernel function. That means you can't call it from user-mode code, like the application you're trying to write.

There is also no user-mode wrapper provided for this function because user-mode code is not supposed to be able to bring down the entire system.

You will have to write your own kernel-mode driver to do this. To get started, download the Windows Driver Development Kit (DDK). And in that case, there will be no need for the whole LoadLibrary and GetProcAddress dance, since the function declaration is in the public Ntddk.h header and will be linked in automatically from the Ntoskrnl.lib file.

As for the problem you're having here, with LoadLibrary returning ERROR_MOD_NOT_FOUND, that is unrelated. The code you have is wrong, quite obvious from the explicit cast to LPCWSTR that you're having to perform in order to shut the compiler up.

You're compiling a Unicode application, so the call to LoadLibrary is automatically resolved to LoadLibraryW, which accepts a wide (Unicode) string with the type LPCWSTR. You're trying to pass it a narrow string literal, which generates a type mismatch error. Except that you've inserted the cast, which effectively tells the compiler to shut up because you know better than it. Except that you don't. You should listen to the compiler; it can save you from a lot of bugs.

The fix is simple: remove all the superfluous casts from your code and use a wide string literal instead. (The GetProcAddress function, however, is unique: it always requires a narrow string, regardless of whether or not you're compiling for Unicode.)

HMODULE bcLib = LoadLibrary(L"ntoskrnl.exe");
void* fnc = (void*)GetProcAddress(bcLib, "KeBugCheck");

Of course, once you fix this, you'll want to see the first part of my answer.

answered on Stack Overflow Aug 4, 2013 by Cody Gray • edited Sep 27, 2017 by Cody Gray
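What LoadLibraryW receives when a narrow literal is cast to LPCWSTR, next to what a wide literal provides, as an added example that is not part of the answer above. It is portable C in which uint16_t stands in for the 16-bit WCHAR, and the function names are invented for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration in portable C; uint16_t stands in for the 16-bit WCHAR. */

/* View a narrow buffer the way LoadLibraryW does after an (LPCWSTR) cast:
 * every two bytes become one little-endian UTF-16 code unit. nbytes counts
 * the literal's bytes including its single NUL. Returns units written. */
size_t cast_view(const char *narrow, size_t nbytes, uint16_t *out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < nbytes && n < cap; i += 2)
        out[n++] = (uint16_t)((unsigned char)narrow[i] |
                              ((unsigned char)narrow[i + 1] << 8));
    return n;
}

/* What L"..." holds for ASCII text: one code unit per character followed
 * by a 16-bit terminator. Returns units written, terminator included. */
size_t widen_ascii(const char *narrow, uint16_t *out, size_t cap)
{
    size_t n = 0;
    if (cap == 0) return 0;
    while (n + 1 < cap && narrow[n] != '\0') {
        out[n] = (unsigned char)narrow[n];
        n++;
    }
    out[n++] = 0;
    return n;
}

/* 1 if the units contain a 16-bit zero, i.e. the string ends inside the buffer. */
int has_terminator(const uint16_t *u, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (u[i] == 0) return 1;
    return 0;
}

int main(void)
{
    const char name[] = "ntoskrnl.exe";   /* 12 characters + NUL = 13 bytes */
    uint16_t bad[16], good[16];
    size_t nb = cast_view(name, sizeof name, bad, 16);
    size_t ng = widen_ascii(name, good, 16);
    printf("cast view: %zu units, first U+%04X, terminated=%d\n",
           nb, (unsigned)bad[0], has_terminator(bad, nb));
    printf("wide text: %zu units, first U+%04X, terminated=%d\n",
           ng, (unsigned)good[0], has_terminator(good, ng));
    return 0;
}
```

The 13-byte literal yields six unrelated code units and no 16-bit terminator, so the name the loader reads matches no module and runs past the end of the literal.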

Try using the ntdll.dll NtRaiseHardError function. ntdll functions are the closest that you can get in user-mode to kernel-mode functions and NtRaiseHardError eventually calls KeBugCheck in the kernel.

answered on Stack Overflow Aug 5, 2019 by Mason Fuller

User contributions licensed under CC BY-SA 3.0