Are Win32 applications automatically associated with ntdll.dll?
I just happened to find out that doing this GetModuleHandle("ntdll.dll")
works without a previous call LoadLibrary("ntdll.dll")
.
This means it is ntdll.dll
already loaded into my process.
Is it safe to assume that ntdll.dll
it will always boot in Win32 applications so no call LoadLibrary
is needed?
source to share
From MSDN to LoadLibrary () (emphasis mine):
The system maintains reference counting per process for all loaded modules. The LoadLibrary call increments the reference count. Calling the FreeLibrary or FreeLibraryAndExitThread function decrements the reference count. The system unloads a module when its reference count reaches zero or when the process terminates (regardless of the reference count).
In other words, keep calling LoadLibrary () and make sure your handle ntdll.dll
is safe, but the system will almost certainly run into the reference count since it should already be loaded.
For "is it really loaded?" See Windows Internal Windows on Image Loader (the short answer is yes, ntdll.dll
is part of the bootloader itself and is always present).
Relevant item:
The image loader lives in the system DLL Ntdll.dll in user mode, not in a kernel library. Thus, it behaves exactly like standard code that is part of a DLL, and it is subject to the same memory access and security restrictions. What makes this code special is the assurance that it will always be present in the current process ( Ntdll.dll is always loaded ) and that it is the first piece of code to run in user mode as part of a new application. (When the system creates the initial context, the program counter or instruction pointer is set to the initialization function inside Ntdll.dll.)
source to share