Heaven rewards the diligent; there is no end to learning

ntdll

What is the difference between NtCreateProcess and ZwCreateProcess?

Question: What is the difference between NtCreateProcess and ZwCreateProcess? In ntdll.dll, both NtCreateProcess and ZwCreateProcess point to exactly the same address.

Answer 1: In user-mode the groups of Nt and Zw APIs are identical. In kernel mode they are different. The Nt API contains the actual implementation. The Zw API uses a system-call mechanism and ensures that it is calling in kernel-mode and that there is no need to check the parameters if they contain user-mode addresses. Otherwise you could use the API from user-mode with kernel parameters which would not be good. So it is just a

2022-01-15 08:03:41    Category: Technical Sharing    windows   winapi   createprocess   kernel-mode   ntdll

Unexplained crashes related to ntdll.dll

Question: I have an application that I've written that crashes intermittently, but I'm unable to capture an exception at the application layer. I always get an entry in the event log, but it doesn't give me much info: Faulting application name: BCS-UI.exe, version: 1.0.11.0, time stamp: 0x5c0edcbd Faulting module name: ntdll.dll, version: 10.0.17134.376, time stamp: 0x4358e406 Exception code: 0xc0000374 Fault offset: 0x000d8829 Faulting process id: 0x39b0 Faulting application start time: 0x01d49161c80079a0 Faulting application path: C:\Gogs Local\SMR_Windows_UI\BCS-UI\BCS-UI\bin\Release\BCS-UI.exe

2021-12-23 10:28:35    Category: Technical Sharing    c#   windows   dll   ntdll

Loading/calling ntdll from DllMain

Question: One should not use functions other than those in kernel32.dll from DllMain. From the MS documentation: Because Kernel32.dll is guaranteed to be loaded in the process address space when the entry-point function is called, calling functions in Kernel32.dll does not result in the DLL being used before its initialization code has been executed. Therefore, the entry-point function can call functions in Kernel32.dll that do not load other DLLs. For example, DllMain can create synchronization objects such as critical sections and mutexes, and use TLS. Unfortunately, there is not a comprehensive

2021-11-19 01:27:05    Category: Technical Sharing    windows   loadlibrary   ntdll   dllmain

Python program crashes because of ntdll.dll and QtGui4.dll

Question: I have designed a Python software to collect data from my microcontroller and make live plots: I have twelve matplotlib animations in my GUI (the GUI is designed with PyQt). Each matplotlib animation is connected to one TCP thread, receiving floating point numbers through that link. Upon receiving a floating point number, the matplotlib animation adds a new point to the graph. And hooray, we have live plots! My software runs smoothly for a couple of seconds (sometimes up to half a minute). And then disaster strikes. Windows mentions "Python has stopped working". I don't even get an

2021-11-12 14:44:10    Category: Technical Sharing    python   qt   dll   pyqt4   ntdll

Why does the JVM randomly crash on Windows Server 2012 due to NTDLL.DLL?

Question: My production server occasionally crashes the java.exe service and therefore my application server, Glassfish 4.1. It happens randomly and so far I couldn't find a reason to explain such behavior. Checking the Win Server 2012 Event Viewer, it is stated that the Application Error is due to a conflict with NTDLL.DLL. Below I post the dump collected after one of these crashes: Version=1 EventType=APPCRASH EventTime=130971776990222439a ReportType=2 Consent=1 ReportIdentifier=60c166c2-ba16-11e5-8100-22000afdaf63 IntegratorReportIdentifier=60c166c1-ba16-11e5-8100-a22000afdaf63 NsAppName=java.exe

2021-11-10 04:46:38    Category: Technical Sharing    java   crash   jvm   glassfish-4.1   ntdll

Does the NT DLL Loader load DLLs in the order of the import section of the executable?

Question: If you have an executable on Windows, you can view its import section with the DUMPBIN utility (included e.g. in Visual Studio). To get a list of all imported DLLs you can run something like this (just an arbitrary example): C:\Programme\GIMP-2.0\bin>dumpbin /IMPORTS gimp-2.4.exe | grep -i \.dll libgimpcolor-2.0-0.dll libgimpmath-2.0-0.dll libgimpmodule-2.0-0.dll libgimpthumb-2.0-0.dll libgimpwidgets-2.0-0.dll libart_lgpl_2-2.dll libfontconfig-1.dll freetype6.dll libgdk-win32-2.0-0.dll libgdk_pixbuf-2.0-0.dll libglib-2.0-0.dll libgobject-2.0-0.dll libgthread-2.0-0.dll libgtk-win32-2.0

2021-10-30 12:32:11    Category: Technical Sharing    windows   dll   loader   ntdll

How to use NtOpenProcess

Question: I am trying to use NtOpenProcess(). I have not found any example anywhere. I am getting an error; any help is much appreciated. int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE prevInstance, PSTR szCmdLine, int showCmd) { HANDLE handle; HWND myWindow =FindWindow(NULL, L"Notepad"); PCLIENT_ID PID; GetWindowThreadProcessId(myWindow, (LPDWORD)&PID); ZwOpenProcess(&handle, PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, NULL,PID); return 0; } The errors are 1>c:\users\asus\source\repos\windowsproject2\windowsproject2\windowsproject2.cpp(14): error C2065: 'PCLIENT_ID': undeclared

2021-10-21 18:58:57    Category: Technical Sharing    winapi   ntdll

Java Randomly Crashing (Possible Culprit: ntdll.dll?)

Question: I have a program that I've written in Java and have set up with Windows Task Scheduler to run every 5 minutes. It executes "C:\Program Files\Java\jre7\bin\javaw.exe" and passes along the jar file and all of the command-line parameters. For the most part, this runs perfectly fine, but every now and then, I would come back to my computer and see a popup saying that "Java(TM) Platform SE binary has stopped working". So, at first, I thought it was something to do with my code, and added in a lot of debug statements which were appended to a text file. When it crashed, I checked the text

2021-08-14 08:08:04    Category: Technical Sharing    java   crash   ntdll

Hooking NtCreateFile API from ntdll.dll with EasyHook (c#)

Question: This is the first time I try to hook Windows APIs. My goal is to monitor all files that a process is going to create/open/read/write. In order to be as verbose as possible, I decided to hook the ntdll.dll APIs such as NtCreateFile() and NtOpenFile(). So, in order to achieve this goal, I went with EasyHook, which seems easy and robust. I've essentially followed the FileMon example, changing what I really wanted: the hooked function. When I try to read information about the file that is going to be opened, I try to read information from the OBJECT_ATTRIBUTES structure, such as the

2021-08-12 12:09:08    Category: Technical Sharing    winapi   hook   kernel32   ntdll   easyhook
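Both the NtOpenProcess question above and this NtCreateFile hooking question come down to the same undocumented structures: CLIENT_ID, UNICODE_STRING and OBJECT_ATTRIBUTES. The following is an added example written for this page, not code from either question or from EasyHook. It declares those structures once (their layouts are the ones in winternl.h), calls NtOpenProcess correctly on the current process, and then shows how a hook callback with the NtCreateFile signature can pull the NT path out of a POBJECT_ATTRIBUTES. The EasyHook install call itself (LocalHook.Create with a delegate of this shape, as in the FileMon sample) is deliberately left out so the code compiles without the package; the OBJECT_ATTRIBUTES fed to ReadObjectName in Main is constructed in unmanaged memory to stand in for what a real hooked call would receive. The file path and the access mask are sample values.

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

// Layouts from winternl.h / ntdef.h. Sequential layout gives the same
// alignment as the C structs on both x86 and x64.
[StructLayout(LayoutKind.Sequential)]
struct CLIENT_ID
{
    public IntPtr UniqueProcess;   // PID stored in a HANDLE-sized field
    public IntPtr UniqueThread;    // 0 when opening a process
}

[StructLayout(LayoutKind.Sequential)]
struct UNICODE_STRING
{
    public ushort Length;          // bytes, NOT characters
    public ushort MaximumLength;
    public IntPtr Buffer;          // PWSTR, not guaranteed NUL-terminated
}

[StructLayout(LayoutKind.Sequential)]
struct OBJECT_ATTRIBUTES
{
    public int Length;             // must be sizeof(OBJECT_ATTRIBUTES)
    public IntPtr RootDirectory;
    public IntPtr ObjectName;      // PUNICODE_STRING, may be NULL
    public uint Attributes;
    public IntPtr SecurityDescriptor;
    public IntPtr SecurityQualityOfService;
}

static class NtdllDemo
{
    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000; // sample access mask
    const int STATUS_SUCCESS = 0;

    // NTSTATUS NtOpenProcess(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PCLIENT_ID)
    [DllImport("ntdll.dll")]
    static extern int NtOpenProcess(out IntPtr ProcessHandle, uint DesiredAccess,
                                    ref OBJECT_ATTRIBUTES ObjectAttributes, ref CLIENT_ID ClientId);

    [DllImport("ntdll.dll")]
    static extern int NtClose(IntPtr Handle);

    // Shape of NtCreateFile; a detour callback for it must match this exactly.
    // ObjectAttributes stays an IntPtr so the callback can decode it itself.
    [UnmanagedFunctionPointer(CallingConvention.StdCall)]
    public delegate int NtCreateFileDelegate(out IntPtr FileHandle, uint DesiredAccess,
        IntPtr ObjectAttributes, IntPtr IoStatusBlock, IntPtr AllocationSize, uint FileAttributes,
        uint ShareAccess, uint CreateDisposition, uint CreateOptions, IntPtr EaBuffer, uint EaLength);

    // Read the NT path (e.g. \??\C:\...) from a POBJECT_ATTRIBUTES. Length is in
    // bytes and the buffer may lack a terminator, so PtrToStringUni(Buffer) alone is wrong.
    public static string ReadObjectName(IntPtr pObjectAttributes)
    {
        if (pObjectAttributes == IntPtr.Zero) return null;
        var oa = Marshal.PtrToStructure<OBJECT_ATTRIBUTES>(pObjectAttributes);
        if (oa.ObjectName == IntPtr.Zero) return null;
        var us = Marshal.PtrToStructure<UNICODE_STRING>(oa.ObjectName);
        if (us.Buffer == IntPtr.Zero || us.Length == 0) return string.Empty;
        return Marshal.PtrToStringUni(us.Buffer, us.Length / 2);
    }

    static void Main()
    {
        // 1. NtOpenProcess on our own PID. Unlike OpenProcess, the native call
        //    wants an initialized OBJECT_ATTRIBUTES (Length set), not NULL,
        //    and the PID goes in CLIENT_ID.UniqueProcess, not in a pointer.
        var oa = new OBJECT_ATTRIBUTES { Length = Marshal.SizeOf<OBJECT_ATTRIBUTES>() };
        var cid = new CLIENT_ID { UniqueProcess = (IntPtr)Process.GetCurrentProcess().Id };
        IntPtr h;
        int status = NtOpenProcess(out h, PROCESS_QUERY_LIMITED_INFORMATION, ref oa, ref cid);
        Console.WriteLine("NtOpenProcess -> NTSTATUS 0x{0:X8}, handle 0x{1:X}", status, h.ToInt64());
        if (status == STATUS_SUCCESS) NtClose(h);

        // 2. Constructed OBJECT_ATTRIBUTES, laid out in unmanaged memory exactly as
        //    a hooked NtCreateFile would receive it, to exercise ReadObjectName.
        string ntPath = @"\??\C:\Windows\System32\drivers\etc\hosts"; // constructed sample
        IntPtr buf = Marshal.StringToHGlobalUni(ntPath);
        var us = new UNICODE_STRING
        {
            Length = (ushort)(ntPath.Length * 2),
            MaximumLength = (ushort)((ntPath.Length + 1) * 2),
            Buffer = buf
        };
        IntPtr pUs = Marshal.AllocHGlobal(Marshal.SizeOf<UNICODE_STRING>());
        Marshal.StructureToPtr(us, pUs, false);
        var oa2 = new OBJECT_ATTRIBUTES { Length = Marshal.SizeOf<OBJECT_ATTRIBUTES>(), ObjectName = pUs };
        IntPtr pOa = Marshal.AllocHGlobal(Marshal.SizeOf<OBJECT_ATTRIBUTES>());
        Marshal.StructureToPtr(oa2, pOa, false);
        try { Console.WriteLine("hook would see: " + ReadObjectName(pOa)); }
        finally { Marshal.FreeHGlobal(pOa); Marshal.FreeHGlobal(pUs); Marshal.FreeHGlobal(buf); }
    }
}
```

Two points a practitioner should carry away: the errors in the NtOpenProcess question come from treating PCLIENT_ID as a DWORD and passing NULL ObjectAttributes, both of which this code avoids; and inside a real NtCreateFile callback the name read this way is an NT object path (`\??\C:\...`, or relative to RootDirectory when that field is non-NULL), not a Win32 path, so it must be normalised before comparing against paths from the Win32 layer.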

Why is ntdll.dll crashing my c++ executable?

Question: I am having trouble getting a Visual C++ executable to work; the app crashes. Here is what I have seen in the event viewer. Faulting application name: submit.exe, version: 0.0.0.0, time stamp: 0x50a3cce7 Faulting module name: ntdll.dll, version: 6.1.7601.17514, time stamp: 0x4ce7ba58 Exception code: 0xc0000374 Fault offset: 0x000ce653 Faulting process id: 0x8fc Faulting application start time: 0x01cdc2a3da4f2997 Faulting application path: c:\submit.exe Faulting module path: C:\Windows\SysWOW64\ntdll.dll Report Id: 1813823a-2e97-11e2-8675-000c29229191 The executable compiled in old

2021-06-04 22:45:33    Category: Technical Sharing    visual-c++   process   crash   ntdll