ntdll.dll and kernel32.dll are Windows system files that play an important role in the Windows operating system.
ntdll.dll (NT Layer DLL) is an important module of the Windows NT operating system and is a system-level file. It is used for stack release and process management.
kernel32.dll is a very important 32-bit dynamic link library file in Windows 9x/Me and is a kernel-level file. It controls the system's memory management, data input/output operations and interrupt handling. When Windows starts, kernel32.dll is loaded into a specific write-protected area of memory so that no other program can occupy that memory region.
ntdll.dll
After opening C:/windows/system32/ntdll.dll with the DLL viewer ResHacker 3.5, the following result is obtained, as shown in the figure:
The Message Table code is as follows:
1 MESSAGETABLE
{
0, "STATUS_WAIT_0"
1, "STATUS_WAIT_1"
2, "STATUS_WAIT_2"
3, "STATUS_WAIT_3"
63, "STATUS_WAIT_63"
128, "STATUS_ABANDONED_WAIT_0"
191, "STATUS_ABANDONED_WAIT_63"
192, "STATUS_USER_APC"
256, "STATUS_KERNEL_APC"
257, "STATUS_ALERTED"
258, "STATUS_TIMEOUT"
259, "The operation that was requested is pending completion."
260, "A reparse should be performed by the Object Manager since the name of the file resulted in a symbolic link."
261, "Returned by enumeration APIs to indicate more information is available to successive calls."
262, "Indicates not all privileges or groups referenced are assigned to the caller.\nThis allows, for example, all privileges to be disabled without having to know exactly which privileges are assigned."
263, "Some of the information to be translated has not been translated."
264, "An open/create operation completed while an oplock break is underway."
265, "A new volume has been mounted by a file system."
266, "This success level status indicates that the transaction state already exists for the registry sub-tree, but that a transaction commit was previously aborted. The commit has now been completed."
267, "This indicates that a notify change request has been completed due to closing the handle which made the notify change request."
268, "This indicates that a notify change request is being completed and that the information is not being returned in the caller's buffer.\nThe caller now needs to enumerate the files to find the changes."
269, "{No Quotas}\nNo system quota limits are specifically set for this account."
270, "{Connect Failure on Primary Transport}\nAn attempt was made to connect to the remote server %hs on the primary transport, but the connection failed.\nThe computer WAS able to connect on a secondary transport."
272, "Page fault was a transition fault."
273, "Page fault was a demand zero fault."
274, "Page fault was a demand zero fault."
275, "Page fault was a demand zero fault."
276, "Page fault was satisfied by reading from a secondary storage device."
277, "Cached page was locked during operation."
278, "Crash dump exists in paging file."
279, "Specified buffer contains all zeros."
280, "A reparse should be performed by the Object Manager since the name of the file resulted in a symbolic link."
281, "The device has succeeded a query-stop and its resource requirements have changed."
288, "The translator has translated these resources into the global space and no further translations should be performed."
289, "The directory service evaluated group memberships locally, as it was unable to contact a global catalog server."
290, "A process being terminated has no threads to terminate."
291, "The specified process is not part of a job."
292, "The specified process is part of a job."
293, "{Volume Shadow Copy Service}\nThe system is now ready for hibernation."
294, "A file system or file system filter driver has successfully completed an FsFilter operation."
295, "The specified interrupt vector was already connected."
296, "The specified interrupt vector is still connected."
297, "The current process is a cloned process."
298, "The file was locked and all users of the file can only read."
299, "The file was locked and at least one user of the file can write."
514, "The specified ResourceManager made no changes or updates to the resource under this transaction."
528, "The specified ring buffer was empty before the packet was successfully inserted."
529, "The specified ring buffer was full before the packet was successfully removed."
530, "The specified ring buffer has dropped below its quota of outstanding transactions."
531, "The specified ring buffer has, with the removal of the current packet, now become empty."
532, "The specified ring buffer was either previously empty or previously full which implies that the caller should signal the opposite endpoint."
533, "The oplock that was associated with this handle is now associated with a different handle."
}
Because the generated code is extremely long (roughly several thousand lines), only an illustrative excerpt is quoted here; for the full listing see my CSDN blog: http://blog.csdn.net/rootsongjc/article/details/6767090
I think the code above is a functional explanation of the functions called in ntdll.dll. But I have not seen the actual functions, so this is only a guess.
Part of the result of disassembling ntdll.dll with W32Dasm is as follows:
Object01: .text RVA: 00001000 Offset: 00000400 Size: 000D5200 Flags: 60000020
Object02: RT RVA: 000D7000 Offset: 000D5600 Size: 00000200 Flags: 60000020
Object03: .data RVA: 000D8000 Offset: 000D5800 Size: 00006C00 Flags: C0000040
Object04: .rsrc RVA: 000E1000 Offset: 000DC400 Size: 00056200 Flags: 40000040
Object05: .reloc RVA: 00138000 Offset: 00132600 Size: 00004E00 Flags: 42000040
+++++++++++++++++++ 菜 单 信 息 ++++++++++++++++++
程序没有菜单选项
+++++++++++++++++ 对话框信息 ++++++++++++++++++
There Are No Dialog Resources in This Application
+++++++++++++++++++ 导入函数 ++++++++++++++++++
Number of Imported Modules = 0 (decimal)
+++++++++++++++++++ 重要模块资料 +++++++++++++++
+++++++++++++++++++ 导出函数 ++++++++++++++++++
Number of Exported Functions = 0000 (decimal)
+++++++++++++++++++ ASSEMBLY CODE LISTING ++++++++++++++++++
//********************** Start of Code in Object .text **************
Program Entry Point Not Available
:77EC1000 53 push ebx
:77EC11B3 8D4DFC lea ecx, dword ptr [ebp-04]
:77EC11B6 51 push ecx
:77EC11B7 6A00 push 00000000
:77EC11B9 50 push eax
:77EC11BA 57 push edi
:77EC11BB E83A000000 call 77EC11FA
:77EC11C0 837DFC00 cmp dword ptr [ebp-04], 00000000
:77EC11C4 0F8727A80900 ja 77F5B9F1
*Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:77EC11B1(C)
|
:77EC11CA 837DF800 cmp dword ptr [ebp-08], 00000000
:77EC11CE 7415 je 77EC11E5
:77EC11D0 8B4510 mov eax, dword ptr [ebp+10]
:77EC11D3 85C0 test eax, eax
:77EC11D5 0F8539A80900 jne 77F5BA14
*Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:77F5BA19(U)
|
:77EC11DB 33C0 xor eax, eax
:77EC11DD 40 inc eax
*Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:77F5B9EC(U)
|
:77EC11DE 5F pop edi
:77EC11DF 5E pop esi
:77EC11E0 5B pop ebx
:77EC11E1 C9 leave
:77EC11E2 C20C00 ret 000C
*Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:77EC1193(C), :77EC11CE(C), :77F5B9E0(U), :77F5BA00(C), :77F5BA09(C)
|
:77EC11E5 8B4510 mov eax, dword ptr [ebp+10]
:77EC11E8 85C0 test eax, eax
:77EC11EA 0F85F5A70900 jne 77F5B9E5
:77EC11F0 E9F5A70900 jmp 77F5B9EA
:77EC11F5 90 nop
:77EC11F6 90 nop
:77EC11F7 90 nop
:77EC11F8 90 nop
:77EC11F9 90 nop
*Referenced by a CALL at Address:
|:77EC11BB
|
:77EC11FA 8BFF mov edi, edi
:77EC11FC 55 push ebp
:77EC11FD 8BEC mov ebp, esp
:77EC11FF 83EC0C sub esp, 0000000C
:77EC1202 33C9 xor ecx, ecx
:77EC1204 53 push ebx
:77EC1205 8B5D08 mov ebx, dword ptr [ebp+08]
:77EC1208 56 push esi
:77EC1209 894DF4 mov dword ptr [ebp-0C], ecx
:77EC120C 894DF8 mov dword ptr [ebp-08], ecx
:77EC120F 894DFC mov dword ptr [ebp-04], ecx
:77EC1212 3BD9 cmp ebx, ecx
:77EC1214 0F8437010000 je 77EC1351
:77EC121A 8B430C mov eax, dword ptr [ebx+0C]
:77EC121D 3BC1 cmp eax, ecx
:77EC121F 0F842C010000 je 77EC1351
:77EC1225 8B750C mov esi, dword ptr [ebp+0C]
:77EC1228 3B7048 cmp esi, dword ptr [eax+48]
:77EC122B 0F8320010000 jnb 77EC1351
:77EC1231 8B4514 mov eax, dword ptr [ebp+14]
:77EC1234 3BC1 cmp eax, ecx
:77EC1236 7402 je 77EC123A
:77EC1238 8908 mov dword ptr [eax], ecx
*Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:77EC1236(C)
|
:77EC123A 51 push ecx
:77EC123B 8D45FC lea eax, dword ptr [ebp-04]
:77EC123E 50 push eax
:77EC123F E881FEFFFF call 77EC10C5
:77EC1244 85C0 test eax, eax
:77EC1246 0F84DB000000 je 77EC1327
:77EC124C FF75FC push [ebp-04]
:77EC124F 56 push esi
:77EC1250 E832030000 call 77EC1587
:77EC1255 85C0 test eax, eax
:77EC1257 0F84CA000000 je 77EC1327
:77EC125D 57 push edi
:77EC125E FF75FC push [ebp-04]
:77EC1261 8D450C lea eax, dword ptr [ebp+0C]
:77EC1264 50 push eax
:77EC1265 E8F8000000 call 77EC1362
:77EC126A 85C0 test eax, eax
:77EC126C 0F84AD000000 je 77EC131F
Assembly language code; I don't understand it very well.
The functions in Kernel32.dll are as follows:
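The section table that W32Dasm printed above is the key to reading the rest of the listing: each Flags value is a bitmask of IMAGE_SCN_* section characteristics (60000020 is code + execute + read, C0000040 is initialized data + read + write), and the RVA/Offset pairs map the virtual addresses in the disassembly back to byte offsets in the file on disk. The following Python script is an added example, not code from the original post: it parses the five section lines quoted above (embedded here as a constructed sample), names the flag bits, reports any section that is both writable and executable, and converts a virtual address from the disassembly to a file offset. It assumes an image base of 0x77EC0000, inferred from .text (RVA 1000) appearing at 77EC1000 in the listing.

```python
import re

# IMAGE_SCN_* section characteristic bits from the PE/COFF specification
SECTION_FLAGS = {
    0x00000020: "CNT_CODE",
    0x00000040: "CNT_INITIALIZED_DATA",
    0x00000080: "CNT_UNINITIALIZED_DATA",
    0x02000000: "MEM_DISCARDABLE",
    0x20000000: "MEM_EXECUTE",
    0x40000000: "MEM_READ",
    0x80000000: "MEM_WRITE",
}

# Constructed sample: the five section lines exactly as W32Dasm printed them for ntdll.dll
W32DASM_SECTIONS = """\
Object01: .text RVA: 00001000 Offset: 00000400 Size: 000D5200 Flags: 60000020
Object02: RT RVA: 000D7000 Offset: 000D5600 Size: 00000200 Flags: 60000020
Object03: .data RVA: 000D8000 Offset: 000D5800 Size: 00006C00 Flags: C0000040
Object04: .rsrc RVA: 000E1000 Offset: 000DC400 Size: 00056200 Flags: 40000040
Object05: .reloc RVA: 00138000 Offset: 00132600 Size: 00004E00 Flags: 42000040
"""

IMAGE_BASE = 0x77EC0000  # assumed: .text at RVA 1000 is listed at VA 77EC1000

LINE_RE = re.compile(
    r"Object\d+:\s+(?P<name>\S+)\s+RVA:\s+(?P<rva>[0-9A-F]+)\s+Offset:\s+(?P<off>[0-9A-F]+)"
    r"\s+Size:\s+(?P<size>[0-9A-F]+)\s+Flags:\s+(?P<flags>[0-9A-F]+)"
)

def parse_sections(text):
    """Turn the W32Dasm section lines into dicts with integer rva/off/size/flags."""
    return [{k: (v if k == "name" else int(v, 16)) for k, v in m.groupdict().items()}
            for m in LINE_RE.finditer(text)]

def decode_flags(flags):
    """Name every known IMAGE_SCN_* bit set in a section's Flags value (sorted)."""
    return sorted(name for bit, name in SECTION_FLAGS.items() if flags & bit)

def is_writable_and_executable(flags):
    """A W+X section is the first thing to look for when auditing a loaded image."""
    return bool(flags & 0x80000000) and bool(flags & 0x20000000)

def va_to_file_offset(va, sections, image_base=IMAGE_BASE):
    """Map a virtual address from the disassembly to (file offset, section name)."""
    rva = va - image_base
    for s in sections:
        if s["rva"] <= rva < s["rva"] + s["size"]:
            return s["off"] + (rva - s["rva"]), s["name"]
    raise ValueError(f"RVA {rva:#x} is not inside any section")

if __name__ == "__main__":
    secs = parse_sections(W32DASM_SECTIONS)
    for s in secs:
        mark = " <- W+X" if is_writable_and_executable(s["flags"]) else ""
        print(f'{s["name"]:7} {"+".join(decode_flags(s["flags"]))}{mark}')
    off, name = va_to_file_offset(0x77EC11FA, secs)  # the function called at 77EC11BB
    print(f"VA 77EC11FA -> file offset {off:#x} in {name}")
```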
Microsoft (R) COFF Binary File Dumper Version 6.00.8168
Copyright (C) Microsoft Corp 1992-1998. All rights reserved.
Dump of file c:/windows/system32/kernel32.dll
File Type: DLL
Section contains the following exports for KERNEL32.dll
0 characteristics
44AB7FD3 time date stamp Wed Jul 05 17:01:07 2006
0.00 version
1 ordinal base
949 number of functions
949 number of names
ordinal hint RVA name
1 0 0000A644 ActivateActCtx
2 1 000354ED AddAtomA
3 2 000326C1 AddAtomW
4 3 00070CBF AddConsoleAliasA
5 4 00070C81 AddConsoleAliasW
6 5 00058F26 AddLocalAlternateComputerNameA
7 6 00058E0A AddLocalAlternateComputerNameW
8 7 0002BF01 AddRefActCtx
9 8 AddVectoredExceptionHandler (forwarded to NTDLL.RtlAddVectoredExceptionHandler)
10 9 00071311 AllocConsole
11 A 0005E712 AllocateUserPhysicalPages
12 B 0003594F AreFileApisANSI
13 C 0002E44A AssignProcessToJobObject
14 D 000714F9 AttachConsole
15 E 00056DDF BackupRead
16 F 00055EEF BackupSeek
17 10 000573FE BackupWrite
18 11 000167D7 BaseCheckAppcompatCache
19 12 0006BE06 BaseCleanupAppcompatCache
20 13 0006BE8A BaseCleanupAppcompatCacheSupport
21 14 0006BCC1 BaseDumpAppcompatCache
22 15 0006BC3F BaseFlushAppcompatCache
23 16 000164CD BaseInitAppcompatCache
24 17 0002B38D BaseInitAppcompatCacheSupport
25 18 00017443 BaseProcessInitPostImport
26 19 0003835A BaseQueryModuleData
27 1A 00015120 BaseUpdateAppcompatCache
28 1B 00019805 BasepCheckWinSaferRestrictions
29 1C 00037A77 Beep
30 1D 0006FC7B BeginUpdateResourceA
31 1E 0006FAD8 BeginUpdateResourceW
32 1F 0002C02C BindIoCompletionCallback
33 20 0006AEED BuildCommDCBA
34 21 0006AEBF BuildCommDCBAndTimeoutsA
35 22 0006AF1F BuildCommDCBAndTimeoutsW
36 23 0006AF79 BuildCommDCBW
37 24 0005FDCE CallNamedPipeA
38 25 0005FB7F CallNamedPipeW
39 26 00060B97 CancelDeviceWakeupRequest
40 27 000300DA CancelIo
41 28 00062DF0 CancelTimerQueueTimer
42 29 0002CC09 CancelWaitableTimer
43 2A 00012723 ChangeTimerQueueTimer
44 2B 00060A51 CheckNameLegalDOS8Dot3A
45 2C 00060811 CheckNameLegalDOS8Dot3W
46 2D 00059B1E CheckRemoteDebuggerPresent
47 2E 00066CF1 ClearCommBreak
48 2F 0006557C ClearCommError
49 30 0001DC7E CloseConsoleHandle
50 31 00009B47 CloseHandle
51 32 0002C86D CloseProfileUserMapping
52 33 0002F609 CmdBatNotification
53 34 00066871 CommConfigDialogA
54 35 0006677D CommConfigDialogW
55 36 00010AD9 CompareFileTime
56 37 0000D077 CompareStringA
57 38 0000A35E CompareStringW
58 39 0003145B ConnectNamedPipe
59 3A 00071FBF ConsoleMenuControl
60 3B 0005A565 ContinueDebugEvent
61 3C 000383CF ConvertDefaultLocale
62 3D 0002FED7 ConvertFiberToThread
63 3E 0002FF16 ConvertThreadToFiber
64 3F 000286EE CopyFileA
65 40 0005E3C4 CopyFileExA
66 41 00027B32 CopyFileExW
67 42 0002F873 CopyFileW
68 43 000593AE CopyLZFile
69 44 0006B7A5 CreateActCtxA
70 45 0001545C CreateActCtxW
71 46 00073068 CreateConsoleScreenBuffer
72 47 000217AC CreateDirectoryA
73 48 0005B23B CreateDirectoryExA
74 49 0005A5F2 CreateDirectoryExW
75 4A 000323D2 CreateDirectoryW
76 4B 000308AD CreateEventA
………………
Summary
5000 .data
6000 .reloc
8E000 .rsrc
82000 .text
=================================================
Microsoft (R) COFF Binary File Dumper Version 6.00.8168
Copyright (C) Microsoft Corp 1992-1998. All rights reserved.
Dump of file c:/windows/system32/VBSCRIPT.dll
File Type: DLL
Section contains the following exports for VBSCRIPT.dll
0 characteristics
41107EC3 time date stamp Wed Aug 04 14:14:27 2004
0.00 version
1 ordinal base
4 number of functions
4 number of names
ordinal hint RVA name
1 0 000052B2 DllCanUnloadNow
2 1 0000CCE6 DllGetClassObject
3 2 00026BAD DllRegisterServer
4 3 00026B31 DllUnregisterServer
Summary
6000 .data
4000 .reloc
9000 .rsrc
53000 .tex
For ease of printing and browsing, only some of the functions are shown above; for the full results please visit my CSDN blog: http://blog.csdn.net/rootsongjc/article/details/6767090