Questions tagged [ntdll]

NtDll.dll is the Windows system DLL exposing the Native API to user mode.

155 questions
2 votes, 1 answer

Reading ntdll.dll + offset results in an access violation

I'm trying to read byte by byte the memory of ntdll.dll which is loaded inside my executable. The executable is compiled as an x32 executable on my x64 Windows 7 machine. I wrote a function called FindPattern which receives a specific byte array and…
0xAK
2 votes, 2 answers

Access crash when hitting breakpoints

I've got a project in Access 2010 that runs without issues. That is, until I add a breakpoint and I try to debug code. As soon as it reaches the first breakpoint, the VBA project opens up and about 1 second later Access crashes and restarts. I can…
Cameron Castillo
2 votes, 0 answers

How to get the address of an ntdll function when it's loaded twice?

I intend to hook into an ntdll function, ZwTerminateProcess, but am having a problem with x64, because if an x86 app is running in a Windows x64, it is loaded with two ntdlls: one from the System32 path and the other one from SysWOW64. Until here I have…
2 votes, 0 answers

How to solve ntdll, msado15 and stackhash errors while running a windows app?

I have an app which is running perfectly in my system and also on a few other customers as well. But I have a particular customer for which this is not working. I have tried the following: Updating Windows. turning off firewall. turning off…
MK Singh
2 votes, 0 answers

Qt Application crashes in Windows Server 2008, running fine in Windows server 2003

The crash details point to ntdll.dll. When I searched on the internet, I see a lot of application problems reported in Windows 2008 Server because of this dll. My Windows Server 2008 machine is updated with the latest packs and updates. Is this OS…
Groovy
2 votes, 1 answer

Creating a process in memory C++

I've been working on this code for hours, and it is driving me crazy! The entire source is here http://pastebin.com/Urxh68W4 but I'm pretty sure I know the problem. extern "C" NTSYSAPI LONG NTAPI ZwUnmapViewOfSection(HANDLE, PVOID); When I run it I…
43.52.4D.
1 vote, 1 answer

Use NtQueryInformationProcess to check for debugger attached

I am writing a simple C++ project on Microsoft's Visual Studio 2022, that uses NtQueryInformationProcess to check if a process is being debugged but it is not working. Here is my code: #include "Header.h" #include #include…
tu nguyen
1 vote, 1 answer

How to be able to use NtUnmapViewOfSection from the Native API of windows?

I'm currently trying to implement some sort of a process hollowing (RunPE) technique, using C. Basically what I've done so far, is find the PEB and get the process's (in suspended mode) image base address. Now, I understand I have to use the…
nortain32
1 vote, 1 answer

C#: How to import ntdll.dll to use NtDelayExecution and ZwSetTimerResolution?

I am new to C# and I am trying to use the NtDelayExecution and ZwSetTimerResolution functions from ntdll.dll in order to create a custom sleep timer. (Thread.Sleep is not precise enough for my application.) I have tried many different ways, but I'm…
1 vote, 0 answers

Within ShGetFolderPathW handles are queried without previously being opened

I am monitoring some syscalls for ShGetFolderPathW(). To do that, I replaced ntdll's OpenKey, CreateKey, and QueryValueKey functions with my own via DLL injection: NTSTATUS NTAPI MyNtOpenKey(PHANDLE KeyHandle, ACCESS_MASK DesiredAccess,…
1 vote, 1 answer

NtQueryInformationProcess won't work in Visual Studio 2010

I have a strange problem that I didn't encounter before. I must mention that my main programming language is Delphi, not C++, and I might make a stupid mistake and not realise it. I have the following code: ULONG myret; PROCESS_BASIC_INFORMATION…
opc0de
1 vote, 1 answer

inet_ntoa UNICODE or similar (convert IN_ADDR to UNICODE)

I have an application server built as UNICODE running on Windows only. The application accepts lots of clients using multithreading. Part of the application is responsible for logging connections, to log IPv4 addresses I convert them to UNICODE from…
Mecanik
1 vote, 0 answers

Why does it succeed even if the value of ACCESS_MASK is 0 when calling ZwOpenKey?

The driver I made does the job of verifying the Registry value in Kernel Mode. The code is below: InitializeObjectAttributes(&ObjAttr, &RegKeyName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE | OBJ_OPENIF, NULL, NULL); ACCESS_MASK access_mask = 0; Status…
i like cat
1 vote, 1 answer

(WinDbg) How can I switch back to the kernel context after I've switched into a process context with WinDbg (kernel-mode)?

Is there a way to switch back to the original context after I've switched to a process context with WinDbg? I've used these commands: To get the process address: !process 0 0 myprocess.exe and then to switch to myprocess.exe context this…
1 vote, 0 answers

ntdll.dll XX.exe: 0xC0000139: Entry Point Not Found

I am trying to run this example: Plane model segmentation using PCL, and getting this error. I found that pcl::SACSegmentation<pcl::PointXYZ> seg; is making this problem. Any suggestion to fix it? Code: #include #include…
Shahgee