ntdll

问题 I was looking at the NtDll export table on my Windows 10 computer, and I found that it exports standard C runtime functions, like memcpy , sprintf , strlen , etc. Does that mean that I can call them dynamically at runtime through LoadLibrary and GetProcAddress ? Is this guaranteed to be the case for every Windows version? If so, it is possible to drop the C runtime library altogether (by just using the CRT functions from NtDll), therefore making my program smaller? 回答1: There is absolutely no

问题 I have an application that I've written that crashes intermittently, but I'm unable to capture an exception at the application layer. I always get an entry in the event log but doesn't give me much info: Faulting application name: BCS-UI.exe, version: 1.0.11.0, time stamp: 0x5c0edcbd Faulting module name: ntdll.dll, version: 10.0.17134.376, time stamp: 0x4358e406 Exception code: 0xc0000374 Fault offset: 0x000d8829 Faulting process id: 0x39b0 Faulting application start time: 0x01d49161c80079a0

问题 I have an application that I've written that crashes intermittently, but I'm unable to capture an exception at the application layer. I always get an entry in the event log but doesn't give me much info: Faulting application name: BCS-UI.exe, version: 1.0.11.0, time stamp: 0x5c0edcbd Faulting module name: ntdll.dll, version: 10.0.17134.376, time stamp: 0x4358e406 Exception code: 0xc0000374 Fault offset: 0x000d8829 Faulting process id: 0x39b0 Faulting application start time: 0x01d49161c80079a0

问题 I've just found out by accident that doing this GetModuleHandle("ntdll.dll") works without a previous call to LoadLibrary("ntdll.dll") . This means ntdll.dll is already loaded in my process. Is it safe to assume that ntdll.dll will always be loaded on Win32 applications, so that a call to LoadLibrary is not necessary? 回答1: From MSDN on LoadLibrary() (emphasis mine): The system maintains a per-process reference count on all loaded modules. Calling LoadLibrary increments the reference count.

问题 I am having trouble to get a Visual C++ executable to work, the app crashes , here is what I have seen in the event viewer. Faulting application name: submit.exe, version: 0.0.0.0, time stamp: 0x50a3cce7 Faulting module name: ntdll.dll, version: 6.1.7601.17514, time stamp: 0x4ce7ba58 Exception code: 0xc0000374 Fault offset: 0x000ce653 Faulting process id: 0x8fc Faulting application start time: 0x01cdc2a3da4f2997 Faulting application path: c:\submit.exe Faulting module path: C:\Windows

问题 I have a program that I've written in Java and have set up with Windows Task Scheduler to run every 5 minutes. It executes "C:\Program Files\Java\jre7\bin\javaw.exe" and passes along the jar file and all of the command-line parameters. For the most part, this runs perfectly fine, but every now and then, I would come back to my computer and see a popup saying that "Java(TM) Platform SE binary has stopped working". So, at first, I thought it was something to do with my code, and added in a lot

问题 I have designed a Python software to collect data from my microcontroller and make live plots: I have twelve matplotlib animations in my GUI (the GUI is designed with PyQt). Each matplotlib animation is connected to one TCP thread, receiving floating point numbers through that link. Upon receiving a floating point number, the matplotlib animation adds a new point to the graph. And huray, we got live plots! My software runs smoothly for a couple of seconds (sometimes up to half a minute). And

问题 My production server occasionaly crashes the java.exe sevice and therefore myApplication Server Glassfish 4.1. It happens randomly and so far I couldn't find a reason to explain such behavior. Checking Win Server 2012 Event Viewer, it is stated that the Application Error is due to conflict with NTDLL.DLL. Down below I post the dump collected after one of these crashes: Version=1 EventType=APPCRASH EventTime=130971776990222439a ReportType=2 Consent=1 ReportIdentifier=60c166c2-ba16-11e5-8100

问题 One should not use functions other than those in kernel32.dll from DllMain : From MS documentation: Because Kernel32.dll is guaranteed to be loaded in the process address space when the entry-point function is called, calling functions in Kernel32.dll does not result in the DLL being used before its initialization code has been executed. Therefore, the entry-point function can call functions in Kernel32.dll that do not load other DLLs. For example, DllMain can create synchronization objects

问题 If you have an executable on Windows, you can view its import section with the DUMPBIN utility (included e.g. in Visual Studio). To get a list of all imported DLLs you can run something like this (just an arbitrary example): C:\Programme\GIMP-2.0\bin>dumpbin /IMPORTS gimp-2.4.exe | grep -i \.dll libgimpcolor-2.0-0.dll libgimpmath-2.0-0.dll libgimpmodule-2.0-0.dll libgimpthumb-2.0-0.dll libgimpwidgets-2.0-0.dll libart_lgpl_2-2.dll libfontconfig-1.dll freetype6.dll libgdk-win32-2.0-0.dll libgdk