Tags: c++, winapi, dll

Cannot load any functions from PktmonApi.dll


I am trying to interface with PktmonApi.dll from my application running on Windows 11. According to the docs, there is no header file containing function declarations; instead, you need to dynamically load the DLL (using LoadLibrary) and then extract the function address (using GetProcAddress).

GetProcAddress is specified to return NULL when there was an error (and the error can then be retrieved using GetLastError()).

Here is a list of functions that are allegedly part of the API. I tried loading PacketMonitorInitialize, but it returned NULL, and GetLastError() was 0x7f (indicating that the process was not found). After seeing this I used Dependency Walker to see what PktmonApi.dll contains, and it contains a completely different set of functions: [image: output of Dependency Walker]

These functions are more in line with the possible commands for the PktMon application shipped with Windows, but their usage is not documented anywhere as far as I can tell. I tried loading one of the functions in this DLL, and this time it returned 0x1 for the address and no error. 0x1 is obviously not a valid address, and calling it just crashes the program.

You can run this to reproduce the problem:

#include <iostream>
#include <windows.h>
#include <iomanip>

int main() {
    HMODULE module = LoadLibrary(TEXT("PktmonApi.dll"));
    if (module == NULL) {
        // Without this check a failed load would surface as a confusing
        // GetProcAddress error instead of a LoadLibrary error.
        std::cout << "LoadLibrary failed, err=0x" << std::hex << GetLastError() << std::endl;
        return 1;
    }

    // GetProcAddress returns NULL on failure; GetLastError() then holds the reason.
    // The error code is read immediately, before any output call can overwrite it.
    FARPROC start = GetProcAddress(module, "PktmonStart");
    DWORD startErr = GetLastError();
    std::cout << "PktmonStart=0x" << std::hex << std::setw(16) << std::setfill('0') << start << ", err=0x" << std::setw(8) << startErr << std::endl;

    FARPROC init = GetProcAddress(module, "PacketMonitorInitialize");
    DWORD initErr = GetLastError();
    std::cout << "PacketMonitorInitialize=0x" << std::hex << std::setw(16) << std::setfill('0') << init << ", err=0x" << std::setw(8) << initErr << std::endl;

    FreeLibrary(module);
    return 0;
}

For me this program outputs

PktmonStart=0x0000000000000001, err=0x00000000
PacketMonitorInitialize=0x0000000000000000, err=0x0000007f

I have already come to terms with the fact Microsoft just completely changed their Pktmon API without documenting it anywhere, but I don't understand why I get an address of 0x1 when loading a function that is evidently inside the DLL. What am I missing?


Solution

  • The solution is simple: You cannot print function pointers using the normal << syntax. They apparently get cast to bool before being printed. To properly print a function pointer, I need to reinterpret_cast it to void* beforehand.

    As to why calling the function crashes: most likely because the provided arguments are incorrect, since I cannot find out what the function signature is supposed to be without Microsoft's documentation.

    I corresponded with some people at Microsoft that were involved in writing this documentation, and the answer is that the current (September 2024) documentation documents SDK features that have not yet been deployed.
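As an added example (not code from the question or the answer above): a small C++ program that reproduces the bool conversion the answer describes next to the corrected output, and, under #ifdef _WIN32 only, a helper around the real LoadLibraryW/GetProcAddress that records GetLastError() before anything else can overwrite it and distinguishes a failed load from a missing export. The sample_export function, the ExportLookup struct and resolve_export are constructed for this example; the portable part runs anywhere, the Windows part only compiles on Windows.

```cpp
#include <cstdint>
#include <iomanip>
#include <iostream>
#include <sstream>
#include <string>
#include <type_traits>

#ifdef _WIN32
#include <windows.h>
#endif

// Plays the role FARPROC plays in the question: a function pointer obtained
// at run time rather than declared in a header.
using ResolvedFn = int (*)(int);

// Stand-in for a DLL export (constructed for this example, not a real export).
int sample_export(int x) { return x * 2; }

// Mirrors the question's original expression. std::ostream has no operator<<
// for function pointers, so the pointer undergoes boolean conversion and is
// printed as "1" (non-null) or "0" (null), padded by setw/setfill. This is
// exactly how "0x0000000000000001" arose in the question.
std::string format_as_streamed(ResolvedFn fn) {
    std::ostringstream out;
    out << std::hex << std::setw(16) << std::setfill('0') << fn;
    return out.str();
}

// The fix from the answer: convert the pointer to a non-function pointer type
// before streaming. Going through uintptr_t (rather than void*) keeps the
// printed width predictable across standard libraries; the value is the same.
template <typename FnPtr>
std::string format_as_address(FnPtr fn) {
    static_assert(std::is_pointer<FnPtr>::value, "expects a pointer");
    std::ostringstream out;
    out << "0x" << std::hex << std::setw(16) << std::setfill('0')
        << reinterpret_cast<std::uintptr_t>(fn);
    return out.str();
}

// Numeric value of the pointer, used to check the formatted string against.
std::uintptr_t address_of(ResolvedFn fn) {
    return reinterpret_cast<std::uintptr_t>(fn);
}

#ifdef _WIN32
// Resolving one export with the error code captured immediately: GetLastError()
// must be read before any other API call (stream output included) or the value
// may be overwritten. A null module handle is reported as its own error so a
// LoadLibrary failure is not mistaken for a missing export.
struct ExportLookup {
    FARPROC address;
    DWORD error;
};

ExportLookup resolve_export(HMODULE module, const char* name) {
    if (module == nullptr) {
        return {nullptr, ERROR_INVALID_HANDLE};
    }
    FARPROC address = GetProcAddress(module, name);
    DWORD error = (address == nullptr) ? GetLastError() : ERROR_SUCCESS;
    return {address, error};
}
#endif

int main() {
    ResolvedFn fn = sample_export;
    std::cout << "streamed directly: " << format_as_streamed(fn) << '\n';
    std::cout << "as an address:     " << format_as_address(fn) << '\n';
    std::cout << "call through it:   " << std::dec << fn(21) << '\n';

#ifdef _WIN32
    // Same lookup as the question, with the pointer printed as an address.
    HMODULE module = LoadLibraryW(L"PktmonApi.dll");
    ExportLookup start = resolve_export(module, "PktmonStart");
    std::cout << "PktmonStart=" << format_as_address(start.address)
              << ", err=0x" << std::hex << start.error << '\n';
    if (module != nullptr) {
        FreeLibrary(module);
    }
#endif
    return 0;
}
```

The first two output lines are the whole point: the same pointer prints as 0000000000000001 when streamed directly and as its real address once cast. A resolved export that prints as 0x1 is therefore not evidence of a bad address; a crash on calling it has to be explained some other way, such as the unknown signature the answer mentions.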