
ntdll

Why does the JVM randomly crash on Windows Server 2012 due to NTDLL.DLL?

My production server occasionally crashes the java.exe service and therefore my Application Server Glassfish 4.1. It happens randomly and so far I couldn't find a reason to explain such behavior. Checking the Win Server 2012 Event Viewer, it is stated that the Application Error is due to a conflict with NTDLL.DLL. Down below I post the dump collected after one of these crashes:

Version=1
EventType=APPCRASH
EventTime=130971776990222439a
ReportType=2
Consent=1
ReportIdentifier=60c166c2-ba16-11e5-8100-22000afdaf63
IntegratorReportIdentifier=60c166c1-ba16-11e5-8100-a22000afdaf63
NsAppName=java.exe
Response

2021-11-06 03:41:29    Category: Q&A    java   crash   jvm   glassfish-4.1   ntdll

Does the NT DLL Loader load DLLs in the order of the import section of the executable?

Question: If you have an executable on Windows, you can view its import section with the DUMPBIN utility (included e.g. in Visual Studio). To get a list of all imported DLLs you can run something like this (just an arbitrary example):

C:\Programme\GIMP-2.0\bin>dumpbin /IMPORTS gimp-2.4.exe | grep -i \.dll
libgimpcolor-2.0-0.dll
libgimpmath-2.0-0.dll
libgimpmodule-2.0-0.dll
libgimpthumb-2.0-0.dll
libgimpwidgets-2.0-0.dll
libart_lgpl_2-2.dll
libfontconfig-1.dll
freetype6.dll
libgdk-win32-2.0-0.dll
libgdk_pixbuf-2.0-0.dll
libglib-2.0-0.dll
libgobject-2.0-0.dll
libgthread-2.0-0.dll
libgtk-win32-2.0-0.dll
intl.dll
libpango-1.0-0.dll
libpangoft2-1.0-0.dll
libgimpbase-2.0-0.dll
libgimpconfig-2.0-0.dll
KERNEL32.dll

2021-10-30 12:32:11    Category: Tech Sharing    windows   dll   loader   ntdll

How to use NtOpenProcess

Question: I'm trying to use NtOpenProcess() and I can't find any examples anywhere. I get an error; any help is greatly appreciated.

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE prevInstance, PSTR szCmdLine, int showCmd)
{
    HANDLE handle;
    HWND myWindow = FindWindow(NULL, L"Notepad");
    PCLIENT_ID PID;
    GetWindowThreadProcessId(myWindow, (LPDWORD)&PID);
    ZwOpenProcess(&handle, PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, NULL, PID);
    return 0;
}

The error is:

1>c:\users\asus\source\repos\windowsproject2\windowsproject2\windowsproject2.cpp(14): error C2065: 'PCLIENT_ID': undeclared identifier
1>c:\users\asus\source\repos\windowsproject2\windowsproject2\windowsproject2

2021-10-21 18:58:57    Category: Tech Sharing    winapi   ntdll

Does the NT DLL Loader load DLLs in the order of the import section of the executable?

If you have an executable on Windows, you can view its import section with the DUMPBIN utility (included e.g. in Visual Studio). To get a list of all imported DLLs you can run something like this (just an arbitrary example):

C:\Programme\GIMP-2.0\bin>dumpbin /IMPORTS gimp-2.4.exe | grep -i \.dll
libgimpcolor-2.0-0.dll
libgimpmath-2.0-0.dll
libgimpmodule-2.0-0.dll
libgimpthumb-2.0-0.dll
libgimpwidgets-2.0-0.dll
libart_lgpl_2-2.dll
libfontconfig-1.dll
freetype6.dll
libgdk-win32-2.0-0.dll
libgdk_pixbuf-2.0-0.dll
libglib-2.0-0.dll
libgobject-2.0-0.dll
libgthread-2.0-0.dll
libgtk-win32-2.0-0.dll

2021-09-29 16:40:02    Category: Q&A    windows   dll   loader   ntdll

Java Randomly Crashing (Possible Culprit: ntdll.dll?)

Question: I have a program written in Java and set up with Windows Task Scheduler to run every 5 minutes. It executes "C:\Program Files\Java\jre7\bin\javaw.exe" and passes along the jar file and all of the command-line parameters. For the most part, this runs perfectly fine, but every now and then I would come back to my computer and see a popup saying "Java(TM) Platform SE binary has stopped working". So, at first, I thought it was something to do with my code, and added in a lot of debug statements which were appended to a text file. When it crashed, I checked the text file and no unfinished runs were listed in it. Then I added a print statement to my main method:

public static void main (String[] args) {
    System.out.println ("Main Method Called");
    new Runner (args);
}

Then I kept running the Java program from the command line until it crashed, and I noticed something interesting. On the crashes, it never printed "Main Method Called". Now, I find this interesting because it tells me that it is not my Java program that is crashing, but Java itself. I then went on to add verbose print statements to my command line:

java -verbose:class -verbose:gc -verbose:jni -jar ...

From there, I continued this process until the program failed again. When it failed

2021-08-14 08:08:04    Category: Tech Sharing    java   crash   ntdll

Hooking NtCreateFile API from ntdll.dll with EasyHook (c#)

Question: This is the first time I try to hook the Windows API. My goal is to monitor all files that a process is going to create/open/read/write. In order to be as verbose as possible, I decided to hook the ntdll.dll API such as NtCreateFile() and NtOpenFile(). So, in order to achieve this goal, I went with EasyHook, which seems easy and robust. I essentially followed the FileMon example, changing what I really wanted: the hooked function. When I try to read information about the file that is going to be opened, I try to read information from the OBJECT_ATTRIBUTES structure, such as the ObjectName. These are integer pointers, so I hoped to use the function Marshal.PtrToStringAuto(attributes.objectName) to get the string value. However, the result is that I only get bad strings without any meaning. Moreover, file access doesn't seem to work. I guess something is wrong in this code, probably in the DllImport signatures. I was advised that I had to replace SafeHandle with IntPtr because EasyHook complained about marshalling them. Can anyone help me? Here is the specific code of the DLL I inject; this is the Run method code:

public void Run(RemoteHooking.IContext InContext, String inChannelName)
{
    // First of all, install all the hooks

2021-08-12 12:09:08    Category: Tech Sharing    winapi   hook   kernel32   ntdll   easyhook

Java Randomly Crashing (Possible Culprit: ntdll.dll?)

I have a program that I've written in Java and have set up with Windows Task Scheduler to run every 5 minutes. It executes "C:\Program Files\Java\jre7\bin\javaw.exe" and passes along the jar file and all of the command-line parameters. For the most part, this runs perfectly fine, but every now and then, I would come back to my computer and see a popup saying that "Java(TM) Platform SE binary has stopped working". So, at first, I thought it was something to do with my code, and added in a lot of debug statements which were appended to a text file. When it crashed, I checked the text file and

2021-07-30 23:42:11    Category: Q&A    java   crash   ntdll

Are Win32 applications automatically linked against ntdll.dll?

I've just found out by accident that doing this GetModuleHandle("ntdll.dll") works without a previous call to LoadLibrary("ntdll.dll"). This means ntdll.dll is already loaded in my process. Is it safe to assume that ntdll.dll will always be loaded on Win32 applications, so that a call to LoadLibrary is not necessary?

2021-07-30 11:33:18    Category: Q&A    windows   winapi   dll   loadlibrary   ntdll

Hooking NtCreateFile API from ntdll.dll with EasyHook (c#)

This is the first time I try to hook the Windows API. My goal is to monitor all files that a process is going to create/open/read/write. In order to be the most verbose possible, I decided to hook the ntdll.dll API such as NtCreateFile() and NtOpenFile(). So, in order to achieve this goal, I went on EasyHook, which seems easy and robust. I've essentially followed the FileMon example, changing what I really wanted: the Hooked function. When I try to read information about the file that is going to be opened, I try to read information from the OBJECT_ATTRIBUTES structure, such as the ObjectName

2021-07-02 01:16:16    Category: Q&A    winapi   hook   kernel32   ntdll   easyhook

Why is ntdll.dll crashing my C++ executable?

Question: I can't get a Visual C++ executable to work; the application crashes, and this is what I see in the Event Viewer:

Faulting application name: submit.exe, version: 0.0.0.0, time stamp: 0x50a3cce7
Faulting module name: ntdll.dll, version: 6.1.7601.17514, time stamp: 0x4ce7ba58
Exception code: 0xc0000374
Fault offset: 0x000ce653
Faulting process id: 0x8fc
Faulting application start time: 0x01cdc2a3da4f2997
Faulting application path: c:\submit.exe
Faulting module path: C:\Windows\SysWOW64\ntdll.dll
Report Id: 1813823a-2e97-11e2-8675-000c29229191

Executables compiled in older versions of Visual Studio work, but I get the error with executables compiled with newer VS such as 2008 or 2010. Please advise.

Answer 1: Solving this kind of problem can be a real challenge... especially when you are not familiar with the code base.

2021-06-04 22:45:33    Category: Tech Sharing    visual-c++   process   crash   ntdll