ntdll.dll

ntdll.dll is an important Windows NT kernel-level file. It describes the interface of the Windows native NTAPI. When Windows starts, ntdll.dll is resident in a specific write-protected region of memory, so that no other program can occupy that memory region.
Chinese name: ntdll.dll
Foreign name: NT Layer DLL
Version: 6.3.9600.17736
DLL name: NT Layer DLL

ntdll.dll description

ntdll.dll is an important module of the NT operating system. [1]
ntdll.dll is the Windows system's entry point from ring 3 into ring 0. All Win32 APIs located in Kernel32.dll and user32.dll are ultimately implemented by calling functions in ntdll.dll. The functions in ntdll.dll use SYSENTER to enter ring 0; the actual implementation of each function lives in ring 0. [1]
Common errors: File Not Found, Missing File, Exception Errors

ntdll.dll in detail

Opening NTDLL.dll reveals that many basic CRT functions are implemented there, including functions such as qsort and ceil, as well as strcpy, heap release and process management, all of which appear to be implemented in ntdll.
When user-mode code calls a system kernel function, it first places a value called the system call number in EAX and the arguments in other registers, and then invokes the INT 2E interrupt. Most applications do not need to do this directly; normally INT 2E is invoked on their behalf when they call kernel32.dll and similar libraries.
Kernel-mode code does things slightly differently. It usually calls the family of Zw-prefixed functions (present in NTDLL.dll and exported by NTOSKRNL.EXE), for example ZwWaitForSingleObject; conversely, user-level code that needs to call into the kernel goes through INT 2E to reach WaitForSingleObject. When many functions are called in bulk, you will clearly notice that the Zw family is much more efficient than the Rtl family.
Most functions in ntdll.dll have no description in MSDN, because these functions sit between the Windows API and the kernel API, and Microsoft has not publicly documented all of its kernel functions. [1]
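As an added illustration of the stub shape described above (example code written for this page, not code from the original article or from Microsoft), the following C parser classifies the first bytes of a constructed Nt* stub: it locates the "mov eax, imm32" that loads the system call number and then checks whether the stub reaches the kernel through "int 2Eh" (the form described above), through the 32-bit fast-call path, or through the 64-bit "syscall" instruction, and it flags a prologue that begins with a jump, which is how an integrity checker comparing in-memory ntdll against the on-disk copy notices that a stub has been overwritten. The enum and function names are this example's own, and the byte sequences are constructed samples, not bytes taken from any real ntdll build.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Shapes of a system-call stub prologue. These names are this example's
 * own and are not ntdll identifiers. */
typedef enum {
    STUB_X86_INT2E,     /* mov eax, imm32 ... int 2Eh   (NT4/2000-era stub, as described above) */
    STUB_X86_FASTCALL,  /* mov eax, imm32 ; mov edx, ... ; call [edx]   (XP and later, 32-bit) */
    STUB_X64_SYSCALL,   /* mov r10, rcx ; mov eax, imm32 ... syscall   (64-bit) */
    STUB_PATCHED,       /* first instruction is a jmp: the prologue has been overwritten */
    STUB_UNKNOWN
} stub_kind;

typedef struct {
    stub_kind kind;
    uint32_t  number;   /* system call number loaded into EAX (meaningful unless PATCHED/UNKNOWN) */
} stub_info;

/* Search code[from..len) for the two-byte opcode sequence a b. */
static int has_opcode2(const uint8_t *code, size_t len, size_t from, uint8_t a, uint8_t b)
{
    for (size_t i = from; i + 1 < len; i++)
        if (code[i] == a && code[i + 1] == b)
            return 1;
    return 0;
}

/* Classify the prologue of an Nt* export. A defender's integrity check compares
 * this against the on-disk ntdll: a stub that no longer starts with the expected
 * "mov eax, imm32" form has been tampered with. */
stub_info classify_stub(const uint8_t *code, size_t len)
{
    stub_info r = { STUB_UNKNOWN, 0 };
    if (len < 5)
        return r;

    /* E9 rel32, EB rel8 and FF 25 (jmp [mem]) are the usual shapes of an inline patch. */
    if (code[0] == 0xE9 || code[0] == 0xEB || (code[0] == 0xFF && code[1] == 0x25)) {
        r.kind = STUB_PATCHED;
        return r;
    }

    size_t off = 0;
    int x64 = 0;
    if (len >= 8 && code[0] == 0x4C && code[1] == 0x8B && code[2] == 0xD1) { /* mov r10, rcx */
        x64 = 1;
        off = 3;
    }
    if (off + 5 > len || code[off] != 0xB8)  /* expect mov eax, imm32 */
        return r;

    /* The immediate is little-endian: this is the value placed in EAX. */
    r.number = (uint32_t)code[off + 1] | ((uint32_t)code[off + 2] << 8)
             | ((uint32_t)code[off + 3] << 16) | ((uint32_t)code[off + 4] << 24);
    off += 5;

    if (x64)
        r.kind = has_opcode2(code, len, off, 0x0F, 0x05) ? STUB_X64_SYSCALL : STUB_UNKNOWN;
    else if (has_opcode2(code, len, off, 0xCD, 0x2E))   /* int 2Eh */
        r.kind = STUB_X86_INT2E;
    else if (has_opcode2(code, len, off, 0xFF, 0x12))   /* call dword ptr [edx] */
        r.kind = STUB_X86_FASTCALL;
    return r;
}

/* Constructed sample stubs for this example (not copied from any real ntdll build). */
const uint8_t stub_nt4[]    = { 0xB8, 0x25, 0x00, 0x00, 0x00,   /* mov eax, 25h       */
                                0x8D, 0x54, 0x24, 0x04,         /* lea edx, [esp+4]   */
                                0xCD, 0x2E,                     /* int 2Eh            */
                                0xC2, 0x04, 0x00 };             /* ret 4              */
const uint8_t stub_x86[]    = { 0xB8, 0x2A, 0x00, 0x00, 0x00,   /* mov eax, 2Ah       */
                                0xBA, 0x00, 0x03, 0xFE, 0x7F,   /* mov edx, 7FFE0300h */
                                0xFF, 0x12,                     /* call [edx]         */
                                0xC2, 0x04, 0x00 };             /* ret 4              */
const uint8_t stub_x64[]    = { 0x4C, 0x8B, 0xD1,               /* mov r10, rcx       */
                                0xB8, 0x2A, 0x00, 0x00, 0x00,   /* mov eax, 2Ah       */
                                0x0F, 0x05,                     /* syscall            */
                                0xC3 };                         /* ret                */
const uint8_t stub_hooked[] = { 0xE9, 0x10, 0x20, 0x30, 0x40,   /* jmp rel32          */
                                0x90, 0x90, 0x90, 0x90, 0x90 }; /* nop padding        */

int main(void)
{
    const uint8_t *samples[] = { stub_nt4, stub_x86, stub_x64, stub_hooked };
    size_t sizes[] = { sizeof stub_nt4, sizeof stub_x86, sizeof stub_x64, sizeof stub_hooked };
    for (size_t i = 0; i < 4; i++) {
        stub_info s = classify_stub(samples[i], sizes[i]);
        printf("sample %zu: kind=%d number=0x%X\n", i, (int)s.kind, s.number);
    }
    return 0;
}
```

The check is deliberately conservative: it only recognises the documented prologue shapes and reports anything else as unknown, so a production integrity check would pair it with a byte-for-byte comparison against the mapped on-disk image rather than trusting the classification alone.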

Calling ntdll.dll functions

For those functions whose definition (prototype) is known, they can be called as follows: [2]
// C language
// Example: the process-suspend function NtSuspendProcess

#include <windows.h>
#include <stdio.h>

// Define the function prototype (NtSuspendProcess returns an NTSTATUS, which is a LONG)
typedef LONG (NTAPI * _____NtSuspendProcess)(IN HANDLE);

int main(void)
{
    // Get the function address from ntdll.dll, which is already loaded in every process
    _____NtSuspendProcess NtSuspendProcess =
        (_____NtSuspendProcess)GetProcAddress(GetModuleHandle("ntdll"), "NtSuspendProcess");
    if (NtSuspendProcess == NULL) {
        fprintf(stderr, "NtSuspendProcess not found in ntdll.dll\n");
        return 1;
    }

    // Suspend the process itself (all of its threads, including this one)
    NtSuspendProcess(GetCurrentProcess());
    return 0;
}

// The code compiles with Mingw g++ 4.8.7 (Windows 8.1 64-bit)
// At run time the program should hold the SE_DEBUG_NAME privilege

[3]

Selected ntdll.dll functions

Csr series
(configuration status register? Command and Status Register?)
CsrAllocateCaptureBuffer
CsrAllocateMessagePointer
CsrCaptureMessageBuffer
CsrCaptureMessageMultiUnicodeStringsInPlace
CsrCaptureMessageString
CsrCaptureTimeout
CsrClientCallServer
CsrClientConnectToServer
CsrFreeCaptureBuffer
CsrGetProcessId
CsrIdentifyAlertableThread
CsrNewThread
CsrProbeForRead
CsrProbeForWrite
CsrSetPriorityClass
Dbg series: debugging functions
DbgBreakPoint
DbgPrint
DbgPrintEx
DbgPrintReturnControlC
DbgPrompt
DbgQueryDebugFilterState
DbgSetDebugFilterState
DbgUiConnectToDbg
DbgUiContinue
DbgUiConvertStateChangeStructure
DbgUiDebugActiveProcess
DbgUiGetThreadDebugObject
DbgUiIssueRemoteBreakin
DbgUiRemoteBreakin
DbgUiSetThreadDebugObject
DbgUiStopDebugging
DbgUiWaitStateChange
DbgUserBreakPoint
Ki series
KiRaiseUserExceptionDispatcher
KiUserApcDispatcher
KiUserCallbackDispatcher
KiUserExceptionDispatcher
Ldr series: Loader APIs
(34 APIs in total, NTDLL APIs; where a Win32 function is the documented caller of an Ldr function it is given in parentheses)
LdrAccessResource (Win32 counterpart: LoadResource)
LdrAlternateResourcesEnabled
LdrDisableThreadCalloutsForDll
LdrEnumResources
LdrFindAppCompatVariableInfo
LdrFindEntryForAddress
LdrFindResourceDirectory_U (Win32 counterpart: EnumResourceTypesW)
LdrFindResource_U (Win32 counterpart: FindResourceExA)
LdrFlushAlternateResourceModules
LdrGetAlternateResourceModuleHandle
LdrGetDllHandle (Win32 counterpart: GetModuleHandleForUnicodeString)
LdrGetProcedureAddress (Win32 counterpart: GetProcAddress)
LdrInitializeThunk
LdrLoadAlternateResourceModule (Win32 counterpart: LoadLibraryEx with LOAD_LIBRARY_AS_DATAFILE)
LdrLoadDll (Win32 counterpart: LoadLibrary)
LdrProcessRelocationBlock
LdrQueryApplicationCompatibilityGoo
LdrQueryImageFileExecutionOptions
LdrQueryProcessModuleInformation
LdrRelocateImage
LdrShutdownProcess (Win32 counterpart: ExitProcess)
LdrShutdownThread (Win32 counterpart: ExitThread)
LdrUnloadAlternateResourceModule
LdrUnloadDll (Win32 counterpart: FreeLibrary)
LdrVerifyImageMatchesChecksum
LdrVerifyMappedImageMatchesChecksum
Nls series
Code page management (National Language Support)
NlsAnsiCodePage
NlsMbCodePageTag
NlsMbOemCodePageTag
Nt series and others
(some functions found in Process Explorer)
NtQuerySystemInformation
NtQuerySymbolicLinkObject
NtQueryDirectoryObject
NtOpenSymbolicLinkObject
NtOpenDirectoryObject
NtQueryObject
NtQueryInformationProcess
NtSetInformationProcess
NtQuerySemaphore
NtQuerySection
NtQueryEvent
NtQueryMutant
NtResumeThread
NtSuspendThread
NtOpenThread
NtQueryInformationThread
NtQueryVirtualMemory
RtlCreateQueryDebugBuffer
RtlQueryProcessDebugInformation
RtlDestroyQueryDebugBuffer
RtlTimeToTimeFields
PropertyLengthAsVariant [4] 

ntdll.dll English explanation

NTDLL.DLL exports the Windows Native API. The Native API is the interface used by user-mode components of the operating system that must run without support from Win32 or other API subsystems. Most of this API is implemented in NTDLL.DLL and at the upper edge of ntoskrnl.exe (and its variants), and the majority of exported symbols within these libraries are prefixed Nt, for example NtDisplayString. Native APIs are also used to implement many of the "kernel APIs" or "base APIs" exported by KERNEL32.DLL. The large majority of Windows applications do not call NTDLL.DLL directly.
Applications that are linked directly against this library are known as native applications; the primary reason for their existence is to perform tasks that must run early in the system startup sequence before the Win32 subsystem is available. An obvious but important example is the creation of the Win32 subsystem process, csrss.exe. Before the csrss.exe process exists, no Win32 processes may be created, therefore the process that creates it (Smss.exe, the "session manager") must be a native application. csrss.exe itself is a native application.
Despite having an ".exe" file extension, native applications cannot be executed by the user (or any program in the Win32 or other subsystems). An example is the autochk.exe binary that runs chkdsk during the system initialization "Blue Screen". Other prominent examples are the services that implement the various subsystems, such as csrss.exe.
Unlike Win32 applications, native applications instantiate within the Kernel runtime code (ntoskrnl.exe) and so they must have a different entry point (NtProcessStartup, rather than (w)(Win)MainCRTStartup as is found in a Win32 application), obtain their command-line arguments via a pointer to an in-memory structure, manage their own memory using the Rtl heap API (which the Win32 heap APIs are just wrappers around -- no real difference there) and return execution with a call to NtTerminateProcess (as opposed to ExitProcess). A common library linked with Native applications is nt.lib, which contains startup code for Native applications, similar to how the C runtime provides startup code for Win32 apps.
Though most of the API is undocumented, Native Applications can be built using the Windows Driver Development Kit; many AntiVirus and other utility software vendors incorporate Native Applications within their products, usually to perform some boot-time task that cannot be carried out in userspace.
References