Are Win32 applications automatically linked against ntdll.dll?
I just stumbled upon the fact that calling GetModuleHandle("ntdll.dll") works without a prior call to LoadLibrary("ntdll.dll"). This means that ntdll.dll is already loaded into my process.
Is it safe to assume that ntdll.dll will always be loaded in a Win32 application, so that there is no need to call LoadLibrary at all?
From MSDN on LoadLibrary() (emphasis mine):
The system maintains a per-process reference count on all loaded modules. Calling LoadLibrary increments the reference count. Calling the FreeLibrary or FreeLibraryAndExitThread function decrements the reference count. The system unloads a module when its reference count reaches zero or when the process terminates (regardless of the reference count).
In other words, go ahead and call LoadLibrary() and make sure you get a handle to ntdll.dll, just to be safe; but the system will almost certainly just increment the reference count, since the module should already be loaded.
As for "is it really always loaded?", see Windows Internals on the Image Loader (the short answer is yes: ntdll.dll is part of the loader itself and is always present). The relevant passage is:
The image loader lives in the user-mode system DLL Ntdll.dll and not in the kernel library. Therefore, it behaves just like standard code that is part of a DLL, and it is subject to the same restrictions in terms of memory access and security rights. What makes this code special is the guaranty that it will always be present in the running process (Ntdll.dll is always loaded) and that it is the first piece of code to run in user mode as part of a new application. (When the system builds the initial context, the program counter, or instruction pointer is set to an initialization function inside Ntdll.dll.)
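As an added check (not part of the original question or answer), the following PowerShell script P/Invokes the Unicode variants GetModuleHandleW/LoadLibraryW/FreeLibrary from kernel32 (an assumption; the question uses the ANSI GetModuleHandle). It confirms that ntdll.dll is already in the process module list, that GetModuleHandle succeeds with no prior LoadLibrary, and that LoadLibrary returns the same module base, which is the reference-count behaviour the MSDN quote describes.

```powershell
# Added example, not code from the original post: confirm that ntdll.dll is
# already mapped into the current process and that LoadLibrary only returns
# the existing module base instead of loading a second copy.
Add-Type -Namespace Win32 -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr GetModuleHandleW(string lpModuleName);

[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr LoadLibraryW(string lpLibFileName);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool FreeLibrary(IntPtr hModule);
'@

# 1. The loader's own view: is ntdll.dll in this process's module list?
$loaded = [System.Diagnostics.Process]::GetCurrentProcess().Modules |
    Where-Object { $_.ModuleName -ieq 'ntdll.dll' }
if (-not $loaded) { throw 'ntdll.dll is not in the module list (unexpected)' }
'ntdll.dll mapped at 0x{0:X} ({1})' -f $loaded.BaseAddress.ToInt64(), $loaded.FileName

# 2. GetModuleHandle succeeds without any prior LoadLibrary call.
$hGet = [Win32.Kernel32]::GetModuleHandleW('ntdll.dll')
if ($hGet -eq [IntPtr]::Zero) { throw 'GetModuleHandle failed' }

# 3. LoadLibrary on an already-loaded module returns the same base address and
#    only increments the per-process reference count from the MSDN quote.
$hLoad = [Win32.Kernel32]::LoadLibraryW('ntdll.dll')
if ($hLoad -eq [IntPtr]::Zero) { throw 'LoadLibrary failed' }
'GetModuleHandle: 0x{0:X}  LoadLibrary: 0x{1:X}  same module: {2}' -f `
    $hGet.ToInt64(), $hLoad.ToInt64(), ($hGet -eq $hLoad)

# 4. Balance our LoadLibrary with FreeLibrary; ntdll.dll stays mapped because
#    the loader itself still depends on it. Re-enumerate to show that.
[void][Win32.Kernel32]::FreeLibrary($hLoad)
$still = [System.Diagnostics.Process]::GetCurrentProcess().Modules |
    Where-Object { $_.ModuleName -ieq 'ntdll.dll' }
'ntdll.dll still loaded after FreeLibrary: {0}' -f [bool]$still
```

Run it in a normal (non-constrained) PowerShell session; Add-Type needs to compile the P/Invoke stub on first use.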