2004 Loader APIs
API                                       NTDLL APIs
LoadResource                              LdrAccessResource
-                                         LdrAlternateResourcesEnabled
DisableThreadLibraryCalls                 LdrDisableThreadCalloutsForDll
-                                         LdrEnumResources
-                                         LdrFindAppCompatVariableInfo
-                                         LdrFindEntryForAddress
EnumResourceTypesW                        LdrFindResourceDirectory_U
FindResourceExA                           LdrFindResource_U
-                                         LdrFlushAlternateResourceModules
-                                         LdrGetAlternateResourceModuleHandle
GetModuleHandleForUnicodeString           LdrGetDllHandle
GetProcAddress                            LdrGetProcedureAddress
-                                         LdrInitializeThunk
LoadLibraryEx (LOAD_LIBRARY_AS_DATAFILE)  LdrLoadAlternateResourceModule
LoadLibrary                               LdrLoadDll
-                                         LdrProcessRelocationBlock
-                                         LdrQueryApplicationCompatibilityGoo
-                                         LdrQueryImageFileExecutionOptions
-                                         LdrQueryProcessModuleInformation
-                                         LdrRelocateImage
ExitProcess                               LdrShutdownProcess
ExitThread                                LdrShutdownThread
-                                         LdrUnloadAlternateResourceModule
FreeLibrary                               LdrUnloadDll
-                                         LdrVerifyImageMatchesChecksum
-                                         LdrVerifyMappedImageMatchesChecksum
Figure 2 Private Loader APIs
LdrpAccessResourceData
LdrpAllocateDataTableEntry
LdrpAllocateTls
LdrpCallInitRoutine
LdrpCallTlsInitializers
LdrpCheckForKnownDll
LdrpCheckForLoadedDll
LdrpCheckForLoadedDllHandle
LdrpClearLoadInProgress
LdrpCompareResourceNames_U
LdrpCreateDllSection
LdrpDefineDllTag
LdrpDllTagProcedures
LdrpDphDetectSnapRoutines
LdrpDphInitializeTargetDll
LdrpDphSnapImports
LdrpFetchAddressOfEntryPoint
LdrpForkProcess
LdrpFreeTls
LdrpGetProcedureAddress
LdrpInitializationFailure
LdrpInitialize
LdrpInitializeProcess
LdrpInitializeThread
LdrpInitializeTls
LdrpInsertMemoryTableEntry
LdrpLoadDll
LdrpLoadImportModule
LdrpMapDll
LdrpNameToOrdinal
LdrpRelocateStartContext
LdrpResolveDllName
LdrpRunInitializeRoutines
LdrpSearchResourceSection_U
LdrpSetAlternateResourceModuleHandle
LdrpSetProtection
LdrpSnapIAT
LdrpSnapThunk
LdrpTagAllocateHeap0...LdrpTagAllocateHeap63
LdrpTagAllocateHeap
LdrpUpdateLoadCount
LdrpValidateImageForMp
LdrpWalkImportDescriptor
Figure 3 Internal Loader Routines
#1 - LoadLibraryExW 3rd parameter is 0:
LdrLoadDll (0x77f889a9)
LdrpLoadDll (0x77f887e0)
LdrpCheckForLoadedDll (0x77f87122)
LdrpMapDll (0x77f8bc77)
LdrpCheckForKnownDll (0x77f8c62b)
LdrpResolveDllName (0x77f8c3df)
LdrpCreateDllSection (0x77f8c355)
LdrpAllocateDataTableEntry (0x77f8be69)
LdrpFetchAddressOfEntryPoint (0x77f8bf23)
LdrpInsertMemoryTableEntry (0x77f8bebb)
LdrpWalkImportDescriptor (0x77f8be15)
LdrpLoadImportModule (0x77f8bfd1)
*LdrpCheckForLoadedDll
LdrpSnapIAT (0x77f8c047)
LdrpSnapThunk (0x77f87bd1)
LdrpNameToOrdinal (0x77f87cf0)
**LdrpLoadDll
LdrpGetProcedureAddress (0x77f87a20)
LdrpCheckForLoadedDllHandle (0x77f870cc)
**LdrpSnapThunk
LdrpUpdateLoadCount (0x77f88afa)
*LdrpCheckForLoadedDll
**LdrpUpdateLoadCount
LdrpRunInitializeRoutines (0x77f8bcb8)
LdrpClearLoadInProgress (0x77f88c12)
#2 - LoadLibraryExW 3rd parameter is 0 and DLL has been bound:
LdrLoadDll (0x77f889a9)
LdrpLoadDll (0x77f887e0)
LdrpCheckForLoadedDll (0x77f87122)
LdrpMapDll (0x77f8bc77)
LdrpCheckForKnownDll (0x77f8c62b)
LdrpResolveDllName (0x77f8c3df)
LdrpCreateDllSection (0x77f8c355)
LdrpAllocateDataTableEntry (0x77f8be69)
LdrpFetchAddressOfEntryPoint (0x77f8bf23)
LdrpInsertMemoryTableEntry (0x77f8bebb)
LdrpWalkImportDescriptor (0x77f8be15)
LdrpLoadImportModule (0x77f8bfd1)
*LdrpCheckForLoadedDll
LdrpUpdateLoadCount (0x77f88afa)
*LdrpCheckForLoadedDll
**LdrpUpdateLoadCount
LdrpRunInitializeRoutines (0x77f8bcb8)
LdrpClearLoadInProgress (0x77f88c12)
#3 - LoadLibraryExW 3rd Parameter is DONT_RESOLVE_DLL_REFERENCES:
LdrLoadDll (0x77f889a9)
LdrpLoadDll (0x77f887e0)
LdrpCheckForLoadedDll (0x77f87122)
LdrpMapDll (0x77f8bc77)
LdrpCheckForKnownDll (0x77f8c62b)
LdrpResolveDllName (0x77f8c3df)
LdrpCreateDllSection (0x77f8c355)
LdrpAllocateDataTableEntry (0x77f8be69)
LdrpFetchAddressOfEntryPoint (0x77f8bf23)
LdrpInsertMemoryTableEntry (0x77f8bebb)
#4 - LoadLibraryExW 3rd Parameter is LOAD_WITH_ALTERED_SEARCH_PATH:
LdrLoadDll (0x77f889a9)
LdrpLoadDll (0x77f887e0)
LdrpCheckForLoadedDll (0x77f87122)
LdrpMapDll (0x77f8bc77)
LdrpCheckForKnownDll (0x77f8c62b)
LdrpResolveDllName (0x77f8c3df)
LdrpCreateDllSection (0x77f8c355)
LdrpAllocateDataTableEntry (0x77f8be69)
LdrpFetchAddressOfEntryPoint (0x77f8bf23)
LdrpInsertMemoryTableEntry (0x77f8bebb)
LdrpWalkImportDescriptor (0x77f8be15)
LdrpLoadImportModule (0x77f8bfd1)
*LdrpCheckForLoadedDll
LdrpUpdateLoadCount (0x77f88afa)
*LdrpCheckForLoadedDll
**LdrpUpdateLoadCount
LdrpRunInitializeRoutines (0x77f8bcb8)
LdrpClearLoadInProgress (0x77f88c12)
#5 - LoadLibraryExW 3rd Parameter is LOAD_LIBRARY_AS_DATAFILE:
LdrpCheckForLoadedDll (0x77f87122)
All addresses based upon Windows 2000 Professional (Build 2195: Service Pack 1)
* previously documented
** recursive call
Figure 4 APIs Forwarded to NTDLL
API                          Destination
DeleteCriticalSection        Forwarded to NTDLL.RtlDeleteCriticalSection
EnterCriticalSection         Forwarded to NTDLL.RtlEnterCriticalSection
HeapAlloc                    Forwarded to NTDLL.RtlAllocateHeap
HeapFree                     Forwarded to NTDLL.RtlFreeHeap
HeapReAlloc                  Forwarded to NTDLL.RtlReAllocateHeap
HeapSize                     Forwarded to NTDLL.RtlSizeHeap
LeaveCriticalSection         Forwarded to NTDLL.RtlLeaveCriticalSection
RtlFillMemory                Forwarded to NTDLL.RtlFillMemory
RtlMoveMemory                Forwarded to NTDLL.RtlMoveMemory
RtlUnwind                    Forwarded to NTDLL.RtlUnwind
RtlZeroMemory                Forwarded to NTDLL.RtlZeroMemory
SetCriticalSectionSpinCount  Forwarded to NTDLL.RtlSetCriticalSectionSpinCount
TryEnterCriticalSection      Forwarded to NTDLL.RtlTryEnterCriticalSection
VerSetConditionMask          Forwarded to NTDLL.VerSetConditionMask
Figure 5 Binding via LdrpSnapIAT and LdrpSnapThunk for Forwarded.DLL
IAT Address  IAT File  =>  Memory  API Name (* - Forwarded APIs)
1200B000 0000C314 => 77E851E1 HeapCreate
* 1200B004 0000C322 => 77FCA535 HeapFree (RtlFreeHeap)
1200B008 0000C0AA => 77E8F07F GetCommandLineA
1200B00C 0000C0BC => 77E85C77 GetVersion
1200B010 0000C0CA => 77EA83DE DbgBreakPoint
1200B014 0000C0D8 => 77E8F043 GetStdHandle
1200B018 0000C0E8 => 77E8334F WriteFile
1200B01C 0000C0F4 => 77E82EF1 InterlockedDecrement
1200B020 0000C10C => 77E9E0C8 OutputDebugStringA
1200B024 0000C122 => 77E87031 GetProcAddress
1200B028 0000C134 => 77E87273 LoadLibraryA
1200B02C 0000C144 => 77E82EE0 InterlockedIncrement
1200B030 0000C15C => 77E88885 GetModuleFileNameA
1200B034 0000C172 => 77E8F32D ExitProcess
1200B038 0000C180 => 77EB45FF TerminateProcess
1200B03C 0000C194 => 77E8304F GetCurrentProcess
1200B040 0000C1A8 => 77E83510 GetCurrentThreadId
1200B044 0000C1BE => 77E836DD TlsSetValue
1200B048 0000C1CC => 77E8C512 TlsAlloc
1200B04C 0000C1D8 => 77E8F254 TlsFree
1200B050 0000C1E2 => 77E83008 SetLastError
1200B054 0000C1F2 => 77E83025 TlsGetValue
1200B058 0000C200 => 77E8301B GetLastError
1200B05C 0000C210 => 77E831E7 SetHandleCount
1200B060 0000C222 => 77E84C93 GetFileType
1200B064 0000C230 => 77E8F10A GetStartupInfoA
* 1200B068 0000C242 => 77F837C4 DeleteCriticalSection (RtlDeleteCriticalSection)
1200B06C 0000C25A => 77E83A61 IsBadWritePtr
1200B070 0000C26A => 77E84F4F IsBadReadPtr
1200B074 0000C27A => 77E8BC6C HeapValidate
1200B078 0000C28A => 77E82116 FreeEnvironmentStringsA
1200B07C 0000C2A4 => 77E8F085 FreeEnvironmentStringsW
1200B080 0000C2BE => 77E8593F WideCharToMultiByte
1200B084 0000C2D4 => 77E9C60D GetEnvironmentStrings
1200B088 0000C2EC => 77E8324E GetEnvironmentStringsW
1200B08C 0000C306 => 77E8523C HeapDestroy
1200B090 0000C41E => 77E841B6 LCMapStringW
1200B094 0000C40E => 77E95278 LCMapStringA
1200B098 0000C32E => 77E85194 VirtualFree
1200B09C 0000C33C => 77E83833 InitializeCriticalSection
* 1200B0A0 0000C358 => 77F81B42 EnterCriticalSection (RtlEnterCriticalSection)
* 1200B0A4 0000C370 => 77F81B73 LeaveCriticalSection (RtlLeaveCriticalSection)
* 1200B0A8 0000C388 => 77FCA055 HeapAlloc (RtlAllocateHeap)
* 1200B0AC 0000C394 => 77F85B48 HeapReAlloc (RtlReAllocateHeap)
1200B0B0 0000C3A2 => 77E850EC VirtualAlloc
1200B0B4 0000C3B2 => 77E8EFB8 GetCPInfo
1200B0B8 0000C3BE => 77E83852 GetACP
1200B0BC 0000C3C8 => 77E8724D GetOEMCP
1200B0C0 0000C3D4 => 77E84035 MultiByteToWideChar
1200B0C4 0000C3EA => 77E9740C GetStringTypeA
1200B0C8 0000C3FC => 77E867D4 GetStringTypeW
1200B0CC 0000C42E => 77E853E8 SetFilePointer
* 1200B0D0 0000C440 => 77F8E13A RtlUnwind (RtlUnwind)
1200B0D4 0000C44C => 77E8F3BC SetStdHandle
1200B0D8 0000C45C => 77E863C1 FlushFileBuffers
1200B0DC 0000C470 => 77E83053 CloseHandle
1200B0E0 00000000 00000000
1200B0E4 0000C090 => 77E1F098 MessageBoxW
1200B0E8 00000000 00000000
**********************************************************************************
LdrSnap Display (Note the displays of forwarded APIs):
LDR: LdrLoadDll, loading Forwarder.DLL from
E:\PROJECTS\TEMP\Test\debug;.;D:\WINNT\System32;D:\WINNT\system;D:\WINNT;...
LDR: Loading (DYNAMIC) E:\PROJECTS\TEMP\Test\debug\Forwarder.DLL
LDR: KERNEL32.dll used by Forwarder.DLL
LDR: Snapping imports for Forwarder.DLL from KERNEL32.dll
LDR: LdrLoadDll, loading NTDLL.dll from
LDR: LdrGetProcedureAddress by NAME - RtlEnterCriticalSection
LDR: LdrLoadDll, loading NTDLL.dll from
LDR: LdrGetProcedureAddress by NAME - RtlDeleteCriticalSection
LDR: LdrLoadDll, loading NTDLL.dll from
LDR: LdrGetProcedureAddress by NAME - RtlFreeHeap
LDR: LdrLoadDll, loading NTDLL.dll from
LDR: LdrGetProcedureAddress by NAME - RtlLeaveCriticalSection
LDR: LdrLoadDll, loading NTDLL.dll from
LDR: LdrGetProcedureAddress by NAME - RtlAllocateHeap
LDR: LdrLoadDll, loading NTDLL.dll from
LDR: LdrGetProcedureAddress by NAME - RtlReAllocateHeap
LDR: LdrLoadDll, loading NTDLL.dll from
LDR: LdrGetProcedureAddress by NAME - RtlUnwind
LDR: Real INIT LIST
E:\PROJECTS\TEMP\Test\debug\Forwarder.DLL init routine 110010e9
LDR: Forwarder.DLL loaded. - Calling init routine at 110010e9
Figure 6 Pre-binding using SDK Bind
IAT Address  File & Memory  API Name (* - Forwarded APIs)
10004000 77E851E1 HeapCreate
10004004 77E85C77 GetVersion
10004008 77E8F32D ExitProcess
1000400C 77EB45FF TerminateProcess
10004010 77E8304F GetCurrentProcess
10004014 77E83510 GetCurrentThreadId
10004018 77E836DD TlsSetValue
1000401C 77E8C512 TlsAlloc
10004020 77E8F254 TlsFree
10004024 77E83025 TlsGetValue
10004028 77E831E7 SetHandleCount
1000402C 77E8F043 GetStdHandle
10004030 77E84C93 GetFileType
10004034 77E8F10A GetStartupInfoA
* 10004038 77F837C4 DeleteCriticalSection (RtlDeleteCriticalSection)
1000403C 77E88885 GetModuleFileNameA
10004040 77E82116 FreeEnvironmentStringsA
10004044 77E8F085 FreeEnvironmentStringsW
10004048 77E8593F WideCharToMultibyte
1000404C 77E9C60D GetEnvironmentStrings
10004050 77E8324E GetEnvironmentStringsW
10004054 77E8523C HeapDestroy
10004058 77E8F07F GetCommandLineA
1000405C 77E85194 VirtualFree
* 10004060 77FCA535 HeapFree (RtlFreeHeap)
10004064 77E8334F WriteFile
10004068 77E83833 InitializeCriticalSection
* 1000406C 77F81B42 EnterCriticalSection (RtlEnterCriticalSection)
* 10004070 77F81B73 LeaveCriticalSection (RtlLeaveCriticalSection)
* 10004074 77FCA055 HeapAlloc (RtlAllocateHeap)
10004078 77E8EFB8 GetCPInfo
1000407C 77E83852 GetACP
10004080 77E8724D GetOEMCP
10004084 77E850EC VirtualAlloc
* 10004088 77F85B48 HeapReAlloc (RtlReAllocateHeap)
1000408C 77E87031 GetProcAddress
10004090 77E87273 LoadLibraryA
10004094 77E84035 MultiByteToWideChar
10004098 77E95278 LCMapStringA
1000409C 77E841B6 LCMapStringW
100040A0 77E9740C GetStringTypeA
100040A4 77E867D4 GetStringTypeW
* 100040A8 77F8E13A RtlUnwind (RtlUnwind)
**********************************************************************************
LdrSnap Display (Note there are no displays of forwarded APIs):
LDR: LdrLoadDll, loading TestDll.DLL from
E:\PROJECTS\TEMP\Test\debug;.;D:\WINNT\System32;D:\WINNT\system;D:\WINNT;...
LDR: Loading (DYNAMIC) E:\PROJECTS\TEMP\Test\debug\TestDll.DLL
LDR: TestDll.DLL bound to KERNEL32.dll
LDR: TestDll.DLL has correct binding to KERNEL32.dll
LDR: TestDll.DLL bound to NTDLL.DLL via forwarder(s) from KERNEL32.dll
LDR: TestDll.DLL has correct binding to NTDLL.DLL
LDR: Real INIT LIST
E:\PROJECTS\TEMP\Test\debug\TestDll.DLL init routine 10001109
LDR: TestDll.DLL loaded. - Calling init routine at 10001109
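An added example, not part of the original figures: Python that parses the two LdrSnap displays above (abridged copies are embedded) and reports whether imports were snapped at load time or accepted from pre-binding, which names the loader looked up while resolving forwarders, and whether the current directory precedes System32 in the printed search path. The names summarize and cwd_before_system32 are assumptions of this example.

```python
import re

# Abridged copies of the two LdrSnap displays shown on this page.
SNAPPED_LOG = r"""LDR: LdrLoadDll, loading Forwarder.DLL from
E:\PROJECTS\TEMP\Test\debug;.;D:\WINNT\System32;D:\WINNT\system;D:\WINNT;...
LDR: Loading (DYNAMIC) E:\PROJECTS\TEMP\Test\debug\Forwarder.DLL
LDR: KERNEL32.dll used by Forwarder.DLL
LDR: Snapping imports for Forwarder.DLL from KERNEL32.dll
LDR: LdrLoadDll, loading NTDLL.dll from
LDR: LdrGetProcedureAddress by NAME - RtlEnterCriticalSection
LDR: LdrLoadDll, loading NTDLL.dll from
LDR: LdrGetProcedureAddress by NAME - RtlFreeHeap
LDR: Forwarder.DLL loaded. - Calling init routine at 110010e9
"""
BOUND_LOG = r"""LDR: LdrLoadDll, loading TestDll.DLL from
E:\PROJECTS\TEMP\Test\debug;.;D:\WINNT\System32;D:\WINNT\system;D:\WINNT;...
LDR: Loading (DYNAMIC) E:\PROJECTS\TEMP\Test\debug\TestDll.DLL
LDR: TestDll.DLL bound to KERNEL32.dll
LDR: TestDll.DLL has correct binding to KERNEL32.dll
LDR: TestDll.DLL bound to NTDLL.DLL via forwarder(s) from KERNEL32.dll
LDR: TestDll.DLL has correct binding to NTDLL.DLL
LDR: TestDll.DLL loaded. - Calling init routine at 10001109
"""

def summarize(log):
    """Summarize one top-level DLL load from loader snap output."""
    s = {"dll": None, "path": None, "search": [], "snapped": [],
         "bound": [], "forwarder_lookups": []}
    lines = log.splitlines()
    for i, line in enumerate(lines):
        if (m := re.match(r"LDR: LdrLoadDll, loading (\S+) from\s*$", line)):
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            # The search path is printed on the next line; it is absent for
            # the NTDLL loads issued while forwarders are being resolved.
            if s["dll"] is None and not nxt.startswith("LDR:"):
                s["dll"], s["search"] = m.group(1), nxt.split(";")
        elif (m := re.match(r"LDR: Loading \(\w+\) (.+)$", line)):
            s["path"] = m.group(1)
        elif (m := re.match(r"LDR: Snapping imports for \S+ from (\S+)$", line)):
            s["snapped"].append(m.group(1))
        elif (m := re.match(r"LDR: \S+ has correct binding to (\S+)$", line)):
            s["bound"].append(m.group(1))
        elif (m := re.match(r"LDR: LdrGetProcedureAddress by NAME - (\S+)$", line)):
            s["forwarder_lookups"].append(m.group(1))
    return s

def cwd_before_system32(search):
    """True when '.' is searched before any System32 directory."""
    names = [p.lower() for p in search]
    sys32 = [i for i, p in enumerate(names) if p.endswith("\\system32")]
    return "." in names and (not sys32 or names.index(".") < sys32[0])
```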
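Opening NTDLL.dll, I was surprised to find that many basic CRT functions are actually implemented here, including functions such as qsort and ceil, and also the notorious strcpy (strictly speaking, that can only be blamed on careless users). Heap release and process management also seem to live here. So I decided to take a close look at what these 1410 functions do.
When user-mode code calls a system kernel function, it first places a number called the system call number in EAX and puts the parameters in other registers, then invokes the INT 2E interrupt. Most applications do not need to do this directly, though; usually kernel32.dll and similar DLLs issue INT 2E on their behalf when they are called.
Kernel-mode code does things slightly differently. It usually calls the Zw-prefixed family of NTDLL.dll functions exported by NTOSKRNL.EXE, for example ZwWaitForSingleObject. Conversely, when user-level code needs to call into the kernel, it uses INT 2E to call WaitForSingleObject. When calling many functions in bulk, you will clearly find that the Zw family is much more efficient than the Rtl family.
Unfortunately, most of the functions in ntdll.dll are undocumented.
Functions whose definitions are known can be called as follows:
1. First load NTDLL.DLL: LoadLibrary(TEXT("NTDLL.dll"))
2. Use GetProcAddress to obtain the function's entry address
3. Call through the function pointer obtained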
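The three steps above, as an added example that is not code from the original post: Python's ctypes performs LoadLibrary, GetProcAddress and the call through the resulting pointer, using the NtClose prototype quoted later on this page. The helper names resolve_ntdll and ntstatus_info and the handle value are assumptions of this example; the call itself only runs on Windows.

```python
import ctypes
import sys

def ntstatus_info(status):
    """Split an NTSTATUS into (unsigned value, severity name, success flag)."""
    value = status & 0xFFFFFFFF          # ctypes hands it back as a signed long
    severity = ("SUCCESS", "INFORMATIONAL", "WARNING", "ERROR")[value >> 30]
    return value, severity, value < 0x80000000   # NT_SUCCESS: sign bit clear

def resolve_ntdll(name, restype, *argtypes):
    """Steps 1-3 from the text: load NTDLL, look up the export, wrap the pointer."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.LoadLibraryW.restype = ctypes.c_void_p
    k32.LoadLibraryW.argtypes = [ctypes.c_wchar_p]
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    # NTDLL is already mapped in every process, so this only adds a reference.
    module = k32.LoadLibraryW("NTDLL.dll")
    if not module:
        raise ctypes.WinError(ctypes.get_last_error())
    address = k32.GetProcAddress(module, name.encode("ascii"))
    if not address:                      # export not present on this build
        raise ctypes.WinError(ctypes.get_last_error())
    return ctypes.WINFUNCTYPE(restype, *argtypes)(address)

if __name__ == "__main__" and sys.platform == "win32":
    # NTSTATUS NtClose(HANDLE Handle); prototype as quoted on this page.
    nt_close = resolve_ntdll("NtClose", ctypes.c_long, ctypes.c_void_p)
    # 0x7FFFFFF0 is a constructed handle value assumed not to be open here.
    value, severity, ok = ntstatus_info(nt_close(0x7FFFFFF0))
    print("NtClose ->", hex(value), severity, "success" if ok else "failure")
```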
Still, they can be roughly divided into several categories:
1 PropertyLengthAsVariant: it is listed as number one, but I just don't understand what it does
2 Csr (configuration status register? Command and Status Register?) series
CsrAllocateCaptureBuffer CsrAllocateMessagePointer CsrCaptureMessageBuffer CsrCaptureMessageMultiUnicodeStringsInPlace CsrCaptureMessageString CsrCaptureTimeout CsrClientCallServer CsrClientConnectToServer CsrFreeCaptureBuffer CsrGetProcessId CsrIdentifyAlertableThread CsrNewThread CsrProbeForRead CsrProbeForWrite CsrSetPriorityClass
3 Dbg series: debugging functions
DbgBreakPoint DbgPrint DbgPrintEx DbgPrintReturnControlC DbgPrompt DbgQueryDebugFilterState DbgSetDebugFilterState DbgUiConnectToDbg DbgUiContinue DbgUiConvertStateChangeStructure DbgUiDebugActiveProcess DbgUiGetThreadDebugObject DbgUiIssueRemoteBreakin DbgUiRemoteBreakin DbgUiSetThreadDebugObject DbgUiStopDebugging DbgUiWaitStateChange DbgUserBreakPoint
4 Ki series
KiRaiseUserExceptionDispatcher
KiUserApcDispatcher
KiUserCallbackDispatcher
KiUserExceptionDispatcher
5 Ldr series: Loader APIs, 34 in total
API                                       NTDLL APIs
LoadResource                              LdrAccessResource
-                                         LdrAlternateResourcesEnabled
DisableThreadLibraryCalls                 LdrDisableThreadCalloutsForDll
-                                         LdrEnumResources
-                                         LdrFindAppCompatVariableInfo
-                                         LdrFindEntryForAddress
EnumResourceTypesW                        LdrFindResourceDirectory_U
FindResourceExA                           LdrFindResource_U
-                                         LdrFlushAlternateResourceModules
-                                         LdrGetAlternateResourceModuleHandle
GetModuleHandleForUnicodeString           LdrGetDllHandle
GetProcAddress                            LdrGetProcedureAddress
-                                         LdrInitializeThunk
LoadLibraryEx (LOAD_LIBRARY_AS_DATAFILE)  LdrLoadAlternateResourceModule
LoadLibrary                               LdrLoadDll
-                                         LdrProcessRelocationBlock
-                                         LdrQueryApplicationCompatibilityGoo
-                                         LdrQueryImageFileExecutionOptions
-                                         LdrQueryProcessModuleInformation
-                                         LdrRelocateImage
ExitProcess                               LdrShutdownProcess
ExitThread                                LdrShutdownThread
-                                         LdrUnloadAlternateResourceModule
FreeLibrary                               LdrUnloadDll
-                                         LdrVerifyImageMatchesChecksum
-                                         LdrVerifyMappedImageMatchesChecksum
6 Nls (National Language Support) series: code page management
NlsAnsiCodePage
NlsMbCodePageTag
NlsMbOemCodePageTag
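7 Nt series: 285 in total; most are the core implementation behind kernel32.dll, user32.dll and so on
NtCreateFile, NtOpenFile, NtClose and NtWaitForSingleObject are the core implementation of much of the user-level code in kernel32.dll.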
NTSTATUS NtClose( HANDLE Handle);
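This turns out to be the original form of CloseHandle! The only drawback is that the function has no import library, so to call it you must use GetProcAddress to obtain its function pointer and call through that.
NtCreateFile can be said to be the core of the DDK.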
RtlUnwind initiates an unwind of procedure call frames
It is the core of structured exception handling (SEH).
NTSTATUS NtWaitForSingleObject( HANDLE Handle, BOOLEAN Alertable, PLARGE_INTEGER Timeout);
Waits until the specified object attains a state of signaled
8 Pfx: not understood
PfxFindPrefix
PfxInitialize
PfxInsertPrefix
PfxRemovePrefix
9 RestoreEm87Context SaveEm87Context
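10 Rtl series: 506 in total. I think Rtl is probably short for runtime library. It is a very large family of functions that includes some very basic ones such as RtlCreateUserProcess, and it is usually called by kernel-mode drivers and the like.
Some examples follow: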
APIs Forwarded to NTDLL
API                          Destination
DeleteCriticalSection        Forwarded to NTDLL.RtlDeleteCriticalSection
EnterCriticalSection         Forwarded to NTDLL.RtlEnterCriticalSection
HeapAlloc                    Forwarded to NTDLL.RtlAllocateHeap
HeapFree                     Forwarded to NTDLL.RtlFreeHeap
HeapReAlloc                  Forwarded to NTDLL.RtlReAllocateHeap
HeapSize                     Forwarded to NTDLL.RtlSizeHeap
LeaveCriticalSection         Forwarded to NTDLL.RtlLeaveCriticalSection
RtlFillMemory                Forwarded to NTDLL.RtlFillMemory
RtlMoveMemory                Forwarded to NTDLL.RtlMoveMemory
RtlUnwind                    Forwarded to NTDLL.RtlUnwind
RtlZeroMemory                Forwarded to NTDLL.RtlZeroMemory
SetCriticalSectionSpinCount  Forwarded to NTDLL.RtlSetCriticalSectionSpinCount
TryEnterCriticalSection      Forwarded to NTDLL.RtlTryEnterCriticalSection
VerSetConditionMask          Forwarded to NTDLL.VerSetConditionMask
11 VerSetConditionMask: used to verify system information
The VerSetConditionMask function sets the bits of a 64-bit value to indicate the comparison operator to use for a specified operating system version attribute. This function is used to build the dwlConditionMask parameter of the VerifyVersionInfo function.
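12 Zw series: 284 in total. As mentioned earlier, these provide the kernel-mode entry points to the executive system services and supply the implementation for NTOSKRNL.EXE. Because they run in kernel mode, no check is made at execution time on whether the user has permission to execute.
13 Internal functions: 116 in total. Their exact purpose is unclear; these are very low-level. I could not find any related material or learn anything about them.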
_CIcos _CIlog _CIpow _CIsin _CIsqrt __eCommonExceptions __eEmulatorInit __eF2XM1 __eFABS __eFADD32 __eFADD64 __eFADDPreg __eFADDreg __eFADDtop __eFCHS __eFCOM __eFCOM32 __eFCOM64 __eFCOMP __eFCOMP32 __eFCOMP64 __eFCOMPP __eFCOS __eFDECSTP __eFDIV32 __eFDIV64 __eFDIVPreg __eFDIVR32 __eFDIVR64 __eFDIVRPreg __eFDIVRreg __eFDIVRtop __eFDIVreg __eFDIVtop __eFFREE __eFIADD16 __eFIADD32 __eFICOM16 __eFICOM32 __eFICOMP16 __eFICOMP32 __eFIDIV16 __eFIDIV32 __eFIDIVR16 __eFIDIVR32 __eFILD16 __eFILD32 __eFILD64 __eFIMUL16 __eFIMUL32 __eFINCSTP __eFINIT __eFIST16 __eFIST32 __eFISTP16 __eFISTP32 __eFISTP64 __eFISUB16 __eFISUB32 __eFISUBR16 __eFISUBR32 __eFLD1 __eFLD32 __eFLD64 __eFLD80 __eFLDCW __eFLDENV __eFLDL2E __eFLDLN2 __eFLDPI __eFLDZ __eFMUL32 __eFMUL64 __eFMULPreg __eFMULreg __eFMULtop __eFPATAN __eFPREM __eFPREM1 __eFPTAN __eFRNDINT __eFRSTOR __eFSAVE __eFSCALE __eFSIN __eFSQRT __eFST __eFST32 __eFST64 __eFSTCW __eFSTENV __eFSTP __eFSTP32 __eFSTP64 __eFSTP80 __eFSTSW __eFSUB32 __eFSUB64 __eFSUBPreg __eFSUBR32 __eFSUBR64 __eFSUBRPreg __eFSUBRreg __eFSUBRtop __eFSUBreg __eFSUBtop __eFTST __eFUCOM __eFUCOMP __eFUCOMPP __eFXAM __eFXCH __eFXTRACT __eFYL2X __eFYL2XP1 __eGetStatusWord
14 Some basic CRT functions: 131 in total, mainly string handling plus some basic math functions
__isascii __iscsym __iscsymf __toascii _alldiv _alldvrm _allmul _alloca_probe _allrem _allshl _allshr _atoi64 _aulldiv _aulldvrm _aullrem _aullshr _chkstk _fltused _ftol _i64toa _i64tow _itoa _itow _lfind _ltoa _ltow _memccpy _memicmp _snprintf _snwprintf _splitpath _strcmpi _stricmp _strlwr _strnicmp _strupr _tolower _toupper _ui64toa _ui64tow _ultoa _ultow _vsnprintf _vsnwprintf _wcsicmp _wcslwr _wcsnicmp _wcsupr _wtoi _wtoi64 _wtol abs atan atoi atol bsearch ceil cos fabs floor isalnum isalpha iscntrl isdigit isgraph islower isprint ispunct isspace isupper iswalpha iswctype iswdigit iswlower iswspace iswxdigit isxdigit labs log mbstowcs memchr memcmp memcpy memmove memset pow qsort sin sprintf sqrt sscanf strcat strchr strcmp strcpy strcspn strlen strncat strncmp strncpy strpbrk strrchr strspn strstr strtol strtoul swprintf tan tolower toupper towlower towupper vDbgPrintEx vDbgPrintExWithPrefix vsprintf wcscat wcschr wcscmp wcscpy wcscspn wcslen wcsncat wcsncmp wcsncpy wcspbrk wcsrchr wcsspn wcsstr wcstol wcstombs wcstoul