<ins id="pjuwb"></ins>

<blockquote id="pjuwb"><pre id="pjuwb"></pre></blockquote>

<noscript id="pjuwb"></noscript>

<sup id="pjuwb"><pre id="pjuwb"></pre></sup>

<dd id="pjuwb"></dd>

<abbr id="pjuwb"></abbr>

我生如山

[轉(zhuǎn)載]解剖XP最核心的dll——NTDLL.dll

原文地址：2.利用GetProcAddress 獲取其函數(shù)入口地址
3.利用得到的函數(shù)指針調(diào)用

但是可以大致的分為幾類吧
1 PropertyLengthAsVariant  它被排在了第一號(hào)，但是我就是不明白它是做什么的
2  Csr（configuration status register？ Command and Status Register？）系列
CsrAllocateCaptureBuffer CsrAllocateMessagePointer CsrCaptureMessageBuffer CsrCaptureMessageMultiUnicodeStringsInPlace
CsrCaptureMessageString CsrCaptureTimeout CsrClientCallServer CsrClientConnectToServer CsrFreeCaptureBuffer
CsrGetProcessId CsrIdentifyAlertableThread CsrNewThread CsrProbeForRead CsrProbeForWrite CsrSetPriorityClass

3 Dbg系列調(diào)試函數(shù)
DbgBreakPoint DbgPrint DbgPrintEx DbgPrintReturnControlC DbgPrompt DbgQueryDebugFilterState DbgSetDebugFilterState
DbgUiConnectToDbg DbgUiContinue DbgUiConvertStateChangeStructure DbgUiDebugActiveProcess DbgUiGetThreadDebugObject
DbgUiIssueRemoteBreakin DbgUiRemoteBreakin DbgUiSetThreadDebugObject DbgUiStopDebugging DbgUiWaitStateChange DbgUserBreakPoint

4 ki系列
KiRaiseUserExceptionDispatcher
KiUserApcDispatcher
KiUserCallbackDispatcher
KiUserExceptionDispatcher

5 Ldr系列  Loader APIs，共34個(gè)

API
NTDLL APIs
LoadResource
LdrAccessResource
LdrAlternateResourcesEnabled
DisableThreadLibraryCalls
LdrDisableThreadCalloutsForDll
LdrEnumResources
LdrFindAppCompatVariableInfo
LdrFindEntryForAddress
EnumResourceTypesW
LdrFindResourceDirectory_U
FindResourceExA
LdrFindResource_U
LdrFlushAlternateResourceModules
LdrGetAlternateResourceModuleHandle
GetModuleHandleForUnicodeString
LdrGetDllHandle
GetProcAddress
LdrGetProcedureAddress
LdrInitializeThunk
LoadLibraryEx (LOAD_LIBRARY_AS_DATAFILE)
LdrLoadAlternateResourceModule
LoadLibrary
LdrLoadDll
LdrProcessRelocationBlock
LdrQueryApplicationCompatibilityGoo
LdrQueryImageFileExecutionOptions
LdrQueryProcessModuleInformation
LdrRelocateImage
ExitProcess
LdrShutdownProcess
ExitThread
LdrShutdownThread
LdrUnloadAlternateResourceModule
FreeLibrary
LdrUnloadDll
LdrVerifyImageMatchesChecksum
LdrVerifyMappedImageMatchesChecksum

6 Nls（National Language Support）系列  代碼頁(yè)管理
NlsAnsiCodePage
NlsMbCodePageTag
NlsMbOemCodePageTag

7 Nt系列共285個(gè)，大部分都是kernel32.dll,user32.dll等的核心實(shí)現(xiàn)

NtCreateFile, NtOpenFile, NtClose, NtWaitForSingleObject 是kernel32.dll中許多用戶級(jí)代碼的核心實(shí)現(xiàn)。

NTSTATUS NtClose( HANDLE  Handle);
竟然是CloseHandle 的原身！唯一的缺點(diǎn)是該函數(shù)并沒(méi)有導(dǎo)出庫(kù)，如果要調(diào)用，就必須使用GetProcAddress 來(lái)獲得其函數(shù)指針然后調(diào)用。

NtCreateFile  可以說(shuō)是DDK的核心

RtlUnwind initiates an unwind of procedure call frames
結(jié)構(gòu)化異常（Structured Exception Handling, SEH ）的核心。

NTSTATUS NtWaitForSingleObject(  HANDLE Handle, BOOLEAN Alertable, PLARGE_INTEGER Timeout);
Waits until the specified object attains a state of signaled
我想，信號(hào)同步等，應(yīng)該與之有莫大的聯(lián)系吧

8 pfx 不明白
PfxFindPrefix
PfxInitialize
PfxInsertPrefix
PfxRemovePrefix

9 RestoreEm87Context SaveEm87Context

10 rtl系列共506個(gè)。我想，rtl應(yīng)該是runtime library的縮寫吧。一個(gè)很龐大的函數(shù)族，
里面包含像 RtlCreateUserProcess 這樣的一些很基本的函數(shù)，通常供內(nèi)核模式的driver等調(diào)用
下面是一部分示例
APIs Forwarded to NTDLL

API
Destination
DeleteCriticalSection
Forwarded to NTDLL.RtlDeleteCriticalSection
EnterCriticalSection
Forwarded to NTDLL.RtlEnterCriticalSection
HeapAlloc
Forwarded to NTDLL.RtlAllocateHeap
HeapFree
Forwarded to NTDLL.RtlFreeHeap
HeapReAlloc
Forwarded to NTDLL.RtlReAllocateHeap
HeapSize
Forwarded to NTDLL.RtlSizeHeap
LeaveCriticalSection
Forwarded to NTDLL.RtlLeaveCriticalSection
RtlFillMemory
Forwarded to NTDLL.RtlFillMemory
RtlMoveMemory
Forwarded to NTDLL.RtlMoveMemory
RtlUnwind
Forwarded to NTDLL.RtlUnwind
RtlZeroMemory
Forwarded to NTDLL.RtlZeroMemory
SetCriticalSectionSpinCount
Forwarded to NTDLL.RtlSetCriticalSection- SpinCount
TryEnterCriticalSection
Forwarded to NTDLL.RtlTryEnterCriticalSection
VerSetConditionMask
Forwarded to NTDLL.VerSetConditionMask

11 VerSetConditionMask 用于確認(rèn)系統(tǒng)信息
The VerSetConditionMask function sets the bits of a 64-bit value to indicate the comparison operator to use for a specified operating system version attribute.
This function is used to build the dwlConditionMask parameter of the VerifyVersionInfo function.

12 Zw系列共284個(gè)。前面已經(jīng)說(shuō)過(guò)，為可執(zhí)行性系統(tǒng)服務(wù)提供內(nèi)核模式的入口，為NTOSKRNL.EXE 提供實(shí)現(xiàn)。由于是內(nèi)核模式，所以在執(zhí)行的時(shí)候并不檢查用戶是否有執(zhí)行權(quán)限
13 內(nèi)部函數(shù) 共116個(gè)。具體作用不明，很底層的東西。無(wú)法查到任何相關(guān)資料。無(wú)法得知與其相關(guān)的任何信息。
_CIcos
_CIlog
_CIpow
_CIsin
_CIsqrt
__eCommonExceptions
__eEmulatorInit
__eF2XM1
__eFABS
__eFADD32
__eFADD64
__eFADDPreg
__eFADDreg
__eFADDtop
__eFCHS
__eFCOM
__eFCOM32
__eFCOM64
__eFCOMP
__eFCOMP32
__eFCOMP64
__eFCOMPP
__eFCOS
__eFDECSTP
__eFDIV32
__eFDIV64
__eFDIVPreg
__eFDIVR32
__eFDIVR64
__eFDIVRPreg
__eFDIVRreg
__eFDIVRtop
__eFDIVreg
__eFDIVtop
__eFFREE
__eFIADD16
__eFIADD32
__eFICOM16
__eFICOM32
__eFICOMP16
__eFICOMP32
__eFIDIV16
__eFIDIV32
__eFIDIVR16
__eFIDIVR32
__eFILD16
__eFILD32
__eFILD64
__eFIMUL16
__eFIMUL32
__eFINCSTP
__eFINIT
__eFIST16
__eFIST32
__eFISTP16
__eFISTP32
__eFISTP64
__eFISUB16
__eFISUB32
__eFISUBR16
__eFISUBR32
__eFLD1
__eFLD32
__eFLD64
__eFLD80
__eFLDCW
__eFLDENV
__eFLDL2E
__eFLDLN2
__eFLDPI
__eFLDZ
__eFMUL32
__eFMUL64
__eFMULPreg
__eFMULreg
__eFMULtop
__eFPATAN
__eFPREM
__eFPREM1
__eFPTAN
__eFRNDINT
__eFRSTOR
__eFSAVE __eFSCALE __eFSIN __eFSQRT __eFST __eFST32 __eFST64 __eFSTCW __eFSTENV __eFSTP __eFSTP32 __eFSTP64 __eFSTP80
__eFSTSW __eFSUB32 __eFSUB64 __eFSUBPreg __eFSUBR32 __eFSUBR64 __eFSUBRPreg __eFSUBRreg __eFSUBRtop __eFSUBreg __eFSUBtop
__eFTST __eFUCOM __eFUCOMP __eFUCOMPP __eFXAM __eFXCH __eFXTRACT __eFYL2X __eFYL2XP1 __eGetStatusWord

14 一些CRT的基本函數(shù) 共131個(gè) 主要是字符串管理，還有些基本的數(shù)學(xué)函數(shù)
__isascii __iscsym __iscsymf __toascii _alldiv _alldvrm _allmul _alloca_probe _allrem _allshl _allshr _atoi64 _aulldiv _aulldvrm _aullrem _aullshr _chkstk _fltused
_ftol _i64toa _i64tow _itoa _itow _lfind _ltoa _ltow _memccpy _memicmp _snprintf _snwprintf _splitpath _strcmpi _stricmp _strlwr _strnicmp _strupr _tolower
_toupper _ui64toa _ui64tow _ultoa _ultow _vsnprintf _vsnwprintf _wcsicmp _wcslwr _wcsnicmp _wcsupr _wtoi _wtoi64 _wtol abs atan atoi atol bsearch ceil
cos fabs floor isalnum isalpha iscntrl isdigit isgraph islower isprint ispunct isspace isupper iswalpha iswctype iswdigit iswlower iswspace iswxdigit isxdigit labs log
mbstowcs memchr memcmp memcpy memmove memset pow qsort sin sprintf sqrt sscanf strcat strchr strcmp strcpy strcspn strlen strncat strncmp strncpy strpbrk
strrchr strspn strstr strtol strtoul swprintf tan tolower toupper towlower towupper vDbgPrintEx vDbgPrintExWithPrefix vsprintf wcscat wcschr wcscmp wcscpy
wcscspn wcslen wcsncat wcsncmp wcsncpy wcspbrk wcsrchr wcsspn wcsstr wcstol wcstombs wcstoul

posted on 2009-05-21 15:23 悟山閱讀(1165) 評(píng)論(0) 編輯收藏引用

只有注冊(cè)用戶登錄后才能發(fā)表評(píng)論。
【推薦】100%開(kāi)源！大型工業(yè)跨平臺(tái)軟件C++源碼提供，建模，組態(tài)！



網(wǎng)站導(dǎo)航: 博客園 IT新聞 BlogJava 博問(wèn) Chat2DB 管理

久久精品国产亚洲AV忘忧草18| 亚洲国产精品无码久久久不卡 | 日本亚洲色大成网站WWW久久| 国产精品成人久久久久三级午夜电影| 美女写真久久影院| 亚洲精品tv久久久久| 久久久久亚洲AV无码网站| 久久久九九有精品国产| 久久久无码精品亚洲日韩蜜臀浪潮| 国产三级精品久久| 伊人久久大香线蕉无码麻豆| 久久国产乱子伦免费精品| 精品久久人人做人人爽综合| 香蕉久久av一区二区三区| 国产69精品久久久久9999| 亚洲中文字幕久久精品无码APP| 一本久久久久久久| 久久99精品久久久久久hb无码 | 天天躁日日躁狠狠久久| 久久99久久无码毛片一区二区| 一本久久知道综合久久| 久久精品国产一区二区电影| 人妻无码αv中文字幕久久琪琪布| 国产无套内射久久久国产| 99re久久精品国产首页2020| 久久无码国产专区精品| 久久久久久毛片免费看| 久久久久夜夜夜精品国产| 久久精品国产亚洲av麻豆色欲| 亚洲综合久久夜AV | 日韩中文久久| 欧美精品丝袜久久久中文字幕 | 国产免费久久精品99久久| 久久亚洲AV成人无码国产| 久久久久亚洲av综合波多野结衣| 久久99精品久久久久久秒播| 国产精品久久精品| 久久国产精品一区二区| 国产一区二区三区久久| 91久久香蕉国产熟女线看| 四虎国产永久免费久久|