ntdll.dll

ntdll.dll是NT操作系統重要的模塊。 ^[1] 

ntdll.dll是Windows系統從ring3到ring0的入口。位於Kernel32.dll和user32.dll中的所有win32 API 最終都是調用ntdll.dll中的函數實現的。ntdll.dll中的函數使用SYSENTRY進入ring0，函數的實現實體在ring0中。 ^[1] 

ntdll.dll(20張)

常見錯誤： File Not Found, Missing File, Exception Errors

打開NTDLL.dll,發現CRT的許多基本函數都是在這裏實現的。包括qsort,ceil這樣的函數，還有strcpy堆的釋放，進程管理，似乎都是在ntdll中實現。

用户模式的代碼在調用系統內核函數的時候，首先把一個叫做system call number的數放在EAX中，把參數放在其它的寄存器中了。然後調用INT 2E中斷。但是大部分應用程序並不需要直接這麼做。通常都是在調用kernel32.dll等時由他們來調用INT 2E.

內核模式的代碼，做法稍微有點不同。他們通常調用由NTOSKRNL.EXE導出的NTDLL.dll中Zw開頭的那一系列函數，比如 ZwWaitForSingleObject，　反之，如果是用户級代碼需要調用內核，就會利用INT 2E調用WaitForSingleObject.對於許多函數的批量調用，你會明顯發現 Zw族要比Rtl族效率高很多。

ntdll.dll中的大部分函數都是在MSDN中找不到描述的，因為這些函數介於Windows API與內核API之間，微軟並未公開全部的內核函數. ^[1] 

對於一部分得知其定義形式的函數，可以這樣調用： ^[2] 

//C language


//以進程掛起函數NtSuspendProcess為例



//define function

typedef LONG (NTAPI * _____NtSuspendProcess)(IN HANDLE);



//Get Process Address (from ntdll.dll)

_____NtSuspendProcess NtSuspendProcess=(_____NtSuspendProcess)GetProcAddress(GetModuleHandle("ntdll"),"NtSuspendProcess");



//In function "main"
//Suspend itself:

NtSuspendProcess(GetCurrentProcess());




//代碼在Mingw g++ 4.8.7(Windows 8.1 64bit)編譯通過

//運行時程序理應有SE_DEBUG_NAME特權

^[3] 

Csr系列

(configuration status register？ Command and Status Register？)

CsrAllocateCaptureBuffer

CsrAllocateMessagePointer

CsrCaptureMessageBuffer

CsrCaptureMessageMultiUnicodeStringsInPlace

CsrCaptureMessageString

CsrCaptureTimeout

CsrClientCallServer

CsrClientConnectToServer

CsrFreeCaptureBuffer

CsrGetProcessId

CsrIdentifyAlertableThread

CsrNewThread

CsrProbeForRead

CsrProbeForWrite

CsrSetPriorityClass

Dbg系列 調試函數

DbgBreakPoint

DbgPrint

DbgPrintEx

DbgPrintReturnControlC

DbgPrompt

DbgQueryDebugFilterState

DbgSetDebugFilterState 6

DbgUiConnectToDbg

DbgUiContinue

DbgUiConvertStateChangeStructure

DbgUiDebugActiveProcess

DbgUiGetThreadDebugObject

DbgUiIssueRemoteBreakin

DbgUiRemoteBreakin

DbgUiSetThreadDebugObject

DbgUiStopDebugging

DbgUiWaitStateChange

DbgUserBreakPoint

Ki系列

KiRaiseUserExceptionDispatcher

KiUserApcDispatcher

KiUserCallbackDispatcher

KiUserExceptionDispatcher

Ldr系列 Loader APIs

(共34個API,NTDLL APIs)

LoadResource

LdrAccessResource

LdrAlternateResourcesEnabled

LdrDisableThreadCalloutsForDll

LdrEnumResources

LdrFindAppCompatVariableInfo

LdrFindEntryForAddress

EnumResourceTypesW

LdrFindResourceDirectory_U

FindResourceExA

LdrFindResource_U

LdrFlushAlternateResourceModules

LdrGetAlternateResourceModuleHandle

GetModuleHandleForUnicodeString

LdrGetDllHandle

GetProcAddress

LdrGetProcedureAddress

LdrInitializeThunk

LoadLibraryEx (LOAD_LIBRARY_AS_DATAFILE)

LdrLoadAlternateResourceModule

LoadLibrary

LdrLoadDll

LdrProcessRelocationBlock

LdrQueryApplicationCompatibilityGoo

LdrQueryImageFileExecutionOptions

LdrQueryProcessModuleInformation

LdrRelocateImage

ExitProcess

LdrShutdownProcess

ExitThread

LdrShutdownThread

LdrUnloadAlternateResourceModule

FreeLibrary

LdrUnloadDll

LdrVerifyImageMatchesChecksum

LdrVerifyMappedImageMatchesChecksum

Nls系列

代碼頁管理(National Language Support)

NlsAnsiCodePage

NlsMbCodePageTag

NlsMbOemCodePageTag

Nt系列及其他

(從process explorer上找到的一些函數)

NtQuerySystemInformation

NtQuerySymbolicLinkObject

NtQueryDirectoryObject

NtOpenSymbolicLinkObject

NtOpenDirectoryObject

NtQueryObject

NtQueryInformationProcess

NtSetInformationProcess

NtQuerySemaphore

NtQuerySection

NtQueryEvent

NtQueryMutant

NtResumeThread

NtSuspendThread

NtOpenThread

NtQueryInformationThread

NtQueryVirtualMemory

RtlCreateQueryDebugBuffer

RtlQueryProcessDebugInformation

RtlDestroyQueryDebugBuffer

RtlTimeToTimeFields

PropertyLengthAsVariant ^[4] 

NTDLL.DLL exports the WindowsNative API. The Native API is the interface used by user-mode components of the operating system that must run without support from Win32 or other API subsystems. Most of this API is implemented inNTDLL.DLLand at the upper edge ofntoskrnl.exe(and its variants), and the majority of exported symbols within these libraries are prefixedNt, for exampleNtDisplayString. Native APIs are also used to implement many of the "kernel APIs" or "base APIs" exported by KERNEL32.DLL.The large majority of Windows applications do not call NTDLL.DLL directly.

Applications that arelinkeddirectly against this library are known asnative applications; the primary reason for their existence is to perform tasks that must run early in the system startup sequence before the Win32 subsystem is available. An obvious but important example is the creation of the Win32 subsystem process,csrss.exe. Before the csrss.exe process exists, no Win32 processes may be created, therefore the process that creates it (Smss.exe, the "session manager") must be a native application.csrss.exeitself is a native application.

Despite having an ".exe" file extension, native applications cannot be executed by the user (or any program in the Win32 or other subsystems). An example is theautochk.exebinary that runschkdskduring the system initialization "Blue Screen". Other prominent examples are the services that implement the various subsystems, such ascsrss.exe.

UnlikeWin32applications, native applications instantiate within the Kernel runtime code (ntoskrnl.exe) and so they must have a different entry point (NtProcessStartup, rather than(w)(Win)MainCRTStartupas is found in a Win32 application),obtain their command-line arguments via a pointer to an in-memory structure, manage their own memory using theRtlheap API,(which the Win32 heap APIs are just wrappers around -- no real difference there) and return execution with a call toNtTerminateProcess(as opposed toExitProcess). A common library linked with Native applications is nt.lib, which contains startup code for Native applications, similar to how the C runtime provides startup code for Win32 apps.

Though most of the API is undocumented, Native Applications can be built using theWindows Driver Development Kit; manyAntiVirusand other utility software vendors incorporate Native Applications within their products, usually to perform some boot-time task that cannot be carried out inuserspace.