Are Win32 applications automatically linked against ntdll.dll?


Question

I've just found out by accident that doing this GetModuleHandle("ntdll.dll") works without a previous call to LoadLibrary("ntdll.dll").

This means ntdll.dll is already loaded in my process.

Is it safe to assume that ntdll.dll will always be loaded on Win32 applications, so that a call to LoadLibrary is not necessary?

Recommended answer

From MSDN on using LoadLibrary() (emphasis mine):


The system maintains a per-process reference count on all loaded modules. Calling LoadLibrary increments the reference count. Calling the FreeLibrary or FreeLibraryAndExitThread function decrements the reference count. The system unloads a module when its reference count reaches zero or when the process terminates (regardless of the reference count).

In other words, continue to call LoadLibrary() and ensure you get your handle to ntdll.dll to be safe -- but the system will almost certainly be bumping a reference count as it should already be loaded.

As for "is it really always loaded?", see Windows Internals on the Image Loader (the short answer is yes, ntdll.dll is part of the loader itself and is always present).

The relevant passage is:


The image loader lives in the user-mode system DLL Ntdll.dll and not in the kernel library. Therefore, it behaves just like standard code that is part of a DLL, and it is subject to the same restrictions in terms of memory access and security rights. What makes this code special is the guaranty that it will always be present in the running process (Ntdll.dll is always loaded) and that it is the first piece of code to run in user mode as part of a new application. (When the system builds the initial context, the program counter, or instruction pointer is set to an initialization function inside Ntdll.dll.)
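
The behaviour discussed in the question and answer can be checked from a PowerShell session on Windows. This is an added example, not code from the original post; the wrapper class name `K32` is an assumption made for the example, and the three P/Invoke declarations are the documented kernel32 functions.

```powershell
# Added example: P/Invoke wrappers for three documented kernel32 functions.
# The class name K32 is an assumption made for this example.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class K32 {
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr GetModuleHandleW(string name);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool GetModuleHandleExW(uint flags, string name, out IntPtr module);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool FreeLibrary(IntPtr module);
}
'@

# 1. This script never calls LoadLibrary, yet the lookup succeeds because
#    ntdll.dll is mapped into the process before any user code runs.
#    GetModuleHandleW does NOT increment the module's reference count.
$borrowed = [K32]::GetModuleHandleW('ntdll.dll')
if ($borrowed -eq [IntPtr]::Zero) { throw 'ntdll.dll not found in this process' }

# 2. GetModuleHandleExW with flags = 0 only looks at already-loaded modules
#    and takes a counted reference, so the handle is safe to hold.
$counted = [IntPtr]::Zero
if (-not [K32]::GetModuleHandleExW(0, 'ntdll.dll', [ref]$counted)) {
    throw 'GetModuleHandleExW failed'
}

# 3. Confirm which file backs the mapping; it should sit in the Windows
#    system directory (System32, or SysWOW64 for a 32-bit process).
$module = (Get-Process -Id $PID).Modules |
    Where-Object { $_.ModuleName -eq 'ntdll.dll' }

[pscustomobject]@{
    BorrowedHandle = '0x{0:X}' -f $borrowed.ToInt64()
    CountedHandle  = '0x{0:X}' -f $counted.ToInt64()
    SameModule     = ($borrowed -eq $counted)
    BackingFile    = $module.FileName
}

# Release the reference taken in step 2; ntdll.dll itself stays loaded.
[void][K32]::FreeLibrary($counted)
```

Both handles are the same base address; the difference is only whether the call took a reference that must later be released with FreeLibrary.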
