NtDll.dll is the Windows system DLL exposing the Native API to user mode.
NtDll.dll is the Windows system DLL exposing the (Windows) Native API to user mode.
Questions tagged [ntdll]
155 questions
1
vote
0 answers
NtCreateThreadEx not working on Windows 10 64bit 1909
Recently, I've studied dll injection techniques and I tested them. One of those was dll injection by CreateRemoteThread and NtCreateThreadEx. I investigated CreateRemoteThread and I fount out that it called NtCreateThreadEx internally. The thing is,…
Rapunzel
- 65
- 5
1
vote
1 answer
Does the NT DLL Loader load DLLs in the order of the import section of the executable?
If you have an executable on Windows, you can view its import section with the DUMPBIN utility (included e.g. in Visual Studio).
To get a list of all imported DLLs you can run something like this (just an arbitrary…
Martin Ba
- 37,187
- 33
- 183
- 337
1
vote
0 answers
Type not being imported properly
I have this code
EXTERN_C PEB* NTAPI RtlGetCurrentPeb(VOID);
The last compile this worked fine without issue, however now its telling me that PEB is an unknown type even though I'm importing winternl.h and I havent changed anything that I can think…
Tom
- 13
- 3
1
vote
1 answer
Creating a new registry key using the NtCreateKey() NTAPI function [NtOpenKey() function returns a NTSTATUS error value of -1073741772]
I am written the following code to create a new key in the registry but an NTSTATUS error value of -1073741772 is returned by the NtOpenKey() function when attempting to fetch the handle of the base key to create a new key.
typedef…
hecate
- 620
- 1
- 8
- 33
1
vote
0 answers
windows native functions in ntdll.dll in user mode moved to kernel mode
I was looking in my spartime at the ntdll.dll with IDA.
I used to use NtAccessCheckAndAuditAlarm/NtDisplayString to code egghunters in order to parse memory and check if i can read memory or not of a PE.
But it works in older version of windows,…
ginko
- 47
- 5
1
vote
2 answers
How save the address of original function and call this later?
I'm trying call the original function in a api hook that prevents dll injections by LdrLoadDll() function, but everytime when i try load a dll diferent of that are filtered, the application crashes and not is possible call original function. Seems…
user10702464
1
vote
0 answers
Strange behavior of System.Web.Sockets receiving info from socket
I have a code that use TCP connection to obtain data from server with two interfaces: binary and JSON. It works pretty fast and, what is logical, getting binary data is greatly faster than JSON. But it is true only when client is running at the same…
Artem Kurianov
- 64
- 8
1
vote
0 answers
Threading App crash ntdll.dll every 2 or 3 days
I have an app running on a client machine, that uses threading, and is working fine, until the problem arrives.
The app crash every 2 or 3 days, and I have to restart it.
This is the error information I can get from the Event Viewer on the client…
Jortx
- 707
- 1
- 7
- 22
1
vote
2 answers
relationsship between java and ntdll.dll
I have a java application (tomcat-app) using a JNI connection to a C-library in the background. In a very random way this java application crashs. I saw in the system events, that is crashed based on ntdll.dll, which is a system library in…
Alex
- 161
- 1
- 13
1
vote
3 answers
C - Stack allocation using only ntdll
Is there an API call or any another similar way, that uses only ntdll.dll, to allocate memory on the stack?
I know alloca() does that, but I can't use it because I can use only function from ntdll.dll.
Thanks!
macro_controller
- 1,469
- 1
- 14
- 32
1
vote
2 answers
Implement x86 to x64 assembly code switch
I was looking how NtDll works for x86 processes, and i debugged the function NtCreateFile using IDA PRO. The code for it is following:
mov eax, 55h ; NtCreateFile
mov edx, offset _Wow64SystemServiceCall@0 ;
call edx ;…
Vlad
- 369
- 4
- 16
1
vote
0 answers
Error With XmlDocument.load causing ntdll.dll error on exit of aplication
So I have a problem with the xmldocument.load function MSND Link . Specifically, it runs fine in the code but upon closing the program it causes an error in ntdll.dll.
Picture of Error
However, if I remove this function from the program I’m writing…
Gremwatch
- 11
- 2
1
vote
1 answer
Is this stack trace ending with _NtWaitForSingleObject@12() indicating a blocked or an idle thread?
I have an application that makes heavy use of the Task Parallel Library. As my application runs, I notice that the number of threads reported being used by ProcessExplorer at times exceeds 200 threads for my application and eventually the…
Ayo I
- 7,722
- 5
- 30
- 40
1
vote
1 answer
LibVLC Access Violation
I am trying to set up logging in LibVLC, and am running into some problems.
The function I am using is libvlc_log_set_file, here are the docs:
LibVLC logging docs
Here is the code I have now:
//header
private:
FILE * logFile;
//source
logFile =…
cascade256
- 41
- 6
1
vote
0 answers
MFC application works in Visual Studio but crashes with double click launch
I have a GUI application in MFC. For some reason, it works perfectly fine within Visual Studio Release and Debug mode, but crashes if the .exe is launched with a double click.
I cannot understand where this error could be, since it works perfectly…
user1173240
- 1,455
- 2
- 23
- 50