问题
I've just found out by accident that doing this GetModuleHandle("ntdll.dll")
works without a previous call to LoadLibrary("ntdll.dll")
.
This means ntdll.dll
is already loaded in my process.
Is it safe to assume that ntdll.dll
will always be loaded on Win32 applications, so that a call to LoadLibrary
is not necessary?
回答1:
From MSDN on LoadLibrary() (emphasis mine):
The system maintains a per-process reference count on all loaded modules. Calling LoadLibrary increments the reference count. Calling the FreeLibrary or FreeLibraryAndExitThread function decrements the reference count. The system unloads a module when its reference count reaches zero or when the process terminates (regardless of the reference count).
In other words, continue to call LoadLibrary() and ensure you get your handle to ntdll.dll
to be safe -- but the system will almost certainly be bumping a reference count as it should already be loaded.
As for "is it really always loaded?", see Windows Internals on the Image Loader (the short answer is yes, ntdll.dll
is part of the loader itself and is always present).
The relevant paragraph is:
The image loader lives in the user-mode system DLL Ntdll.dll and not in the kernel library. Therefore, it behaves just like standard code that is part of a DLL, and it is subject to the same restrictions in terms of memory access and security rights. What makes this code special is the guaranty that it will always be present in the running process (Ntdll.dll is always loaded) and that it is the first piece of code to run in user mode as part of a new application. (When the system builds the initial context, the program counter, or instruction pointer is set to an initialization function inside Ntdll.dll.)
来源:https://stackoverflow.com/questions/43617617/are-win32-applications-automatically-linked-against-ntdll-dll