Highest Voted 'ntdll' Questions

1

vote

1 answer

MFC application Crashes in NTDLL.dll

I have an MFC based application. It keeps looking for a file after few seconds (using CreateTimerQueueTimer based timer) and perform some action. This is always crashing (for unknown reason) on XP. This application works fine on windows 7 and…

asked Jun 17 '15 at 13:13

DTdev

538
1
18
32

1

vote

2 answers

How can I determine which Windows DLL is being used for a function call?

I've been looking into _vsnprintf and have learnt that it is available in ntdll.dll and msvcrt.dll. I can use GetModuleHandle and GetProcAddress to access _vsnprintf, for example: static int(__cdecl *p__vsnprintf)(char *str, size_t count, const char…

c++ windows dll msvcrt ntdll

asked Jan 05 '15 at 06:52

Hugh McMaster

319
3
10

1

vote

1 answer

OllyDBG and Dumpbin do not give same disassembly

I'm trying to disassemble ntdll.dll to look at some Native API libraries. I tried in both on OllyDBG (by using loaddll.exe) and using dumpbin with the /disasm option. It seems like the output of both programs are very different. Firstly, the memory…

ollydbg dumpbin ntdll

asked Jan 01 '15 at 00:42

Abundance

1,963
3
24
46

1

vote

1 answer

debugging USB read

I am debugging some code that uses a 3rd party 64-bit DLL to access a custom USB device. My environment is Microsoft Visual Studio 2012 on Windows 8.1 x64. According to an incomplete and unreliable document, the DLL is supposed to issue a…

winapi usb ntdll deviceiocontrol

asked May 25 '14 at 12:36

Alex Cohn

56,089
9
113
307

1

vote

1 answer

Unwanted breakpoint in ntdll.dll!_LdrpSnapThunk@36() + 0xf5 bytes

I'm debugging an Outlook add-in DLL in the following environment: Windows 7 x64 Office 2013 Click-to-Run x86 Visual Studio 2010 Native only (C++) "Show loader snaps" is disabled on the system level and for outlook.exe in both the x86 and x64…

c++ visual-studio-2010 debugging ntdll

asked Apr 04 '14 at 19:24

Liron

194
9

1

vote

1 answer

Hooking NtCreateFile API from ntdll.dll with EasyHook (c#)

This is the first time I try to hook windows API. My goal is to monitor all files that a process is going to create/open/read/write. In order to be the most verbose possible, I decided to hook the ntdll.dll API such as NtCreateFile() and…

winapi hook kernel32 ntdll easyhook

asked Nov 15 '13 at 08:53

Alberto Geniola

145
2
8

1

vote

1 answer

Do Windows NT Native Applications have access to x86 software interrupts (like int 19)?

Let's say I want to write an application or driver that runs in Windows NT Native mode (ie uses nothing but NTDLL.DLL functions and runs when ntoskrnl.exe starts. Would this application have access to x86 interrupts? IE, could I write code like…

x86 interrupt kernel-mode ntdll

asked Oct 25 '13 at 21:55

Govind Parmar

20,656
7
53
85

1

vote

1 answer

Does the Windows Kernel have a copy-on-write fork() instruction?

Because POSIX.1 compliance was a mandatory goal for Windows, the operating system was designed to ensure that the required base system support was present to allow for the implementation of a POSIX.1 subsystem (such as the fork function,…

windows kernel fork copy-on-write ntdll

asked May 03 '13 at 02:42

Maarten

4,549
4
31
36

1

vote

0 answers

Runtime error in ntdll on Windows XP running g++

So I have this cpp file, a constructor to my cl_Page class. cl_Page::cl_Page(cl_SoftRoot *parent_param)/* : bgimage(nullptr)*/{ parent_softroot = parent_param; parent_type = 2; id[0] = '\0'; SetColor(bgcolor, 0xffffffff); …

c++ g++ ntdll

asked Feb 07 '13 at 16:06

Edward B.

417
1
6
15

1

vote

2 answers

Interpret Windows Native API call arguments

I am analyzing an executable based on its execution trace. I have obtained the execution trace using NtTrace tool. The output is a sequence of native api calls with arguments. I have managed to interpret most of the API calls except the following…

winapi kernel kernel32 ntdll nt-native-api

asked Jan 15 '13 at 21:04

Maggie

5,923
8
41
56

1

vote

1 answer

How to convert 32 bit NTDLL structures to 64 bit structures?

I have a code where i use NtQuerySystemInformation, NtDuplicateObject and NtQueryObject functions to query for opened handles. I use these structures: typedef NTSTATUS ( NTAPI *_NtQuerySystemInformation ) ( ULONG SystemInformationClass, PVOID…

c windows 64-bit 32-bit ntdll

asked Dec 05 '12 at 22:57

kampi

2,362
12
52
91

1

vote

2 answers

Mapping high-level functions in user-mode dlls to NTDLL.dll

The book Windows NT/2000 Native API Reference provides a comprehensive documentation (even though outdated) of undocumented (by Microsoft) Native APIs. But I am curious, is there anyway to find the mappings between low-level functions declared in…

c++ api dll ntdll nt-native-api

asked Oct 25 '12 at 21:02

Maggie

5,923
8
41
56

1

vote

1 answer

How to determine an order of opening files for a process?

Is there a way to get all opened file handles for a process and arrange it by time files were opened? We have a project, which requires exactly this - we need to determine which files are opened by a Dj software, such as Traktor or Serato. The…

c++ winapi internal ntdll

asked Oct 03 '12 at 14:45

Roman Kruglov

3,375
2
40
46

0

votes

0 answers

Process hollowing - problem with getting the PEB address, apparently

I am trying to implement basic process hollowing in a 32 bit process, in C. #include #include #include int main(int argc, char* argv[]) { STARTUPINFOW si = { 0 }; PROCESS_INFORMATION pi = { 0 }; //…

c winapi process ntdll

asked Apr 11 '23 at 18:32

preno1221

1
4

0

votes

0 answers

Are ntdll's exported functions the same whatever the version?

I am currently planning on hooking some ntdll's exported functions to monitor them. I would like this idea to work on every sub-version of Windows 10 and 11. On every computers I checked, the exported functions that got my interest were defined…

windows assembly x86-64 wow64 ntdll

asked Mar 01 '23 at 15:26

Nox

713
7
16

Questions tagged [ntdll]