Читаем Windows® Internals, Sixth Edition, Part 1 полностью

Note how the search order matches that described. First, the loader checks the .LOCAL subdirectory, then the directory where the executable resides, then C:\Windows\System32 directory (because this is a 32-bit executable, that redirects to C:\Windows\SysWOW64), then the 16-bit Windows directory, then C:\Windows, and finally, the current directory at the time the executable was launched. The Load Image event confirms that the loader successfully resolved the import.

Loaded Module Database

The loader maintains a list of all modules (DLLs as well as the primary executable) that have been loaded by a process. This information is stored in a per-process structure called the process environment block, or PEB (see Chapter 5 for a full description of the PEB)—namely, in a substructure identified by Ldr and called PEB_LDR_DATA. In the structure, the loader maintains three doubly-linked lists, all containing the same information but ordered differently (either by load order, memory location, or initialization order). These lists contain structures called loader data table entries (LDR_DATA_TABLE_ENTRY) that store information about each module. Table 3-24 lists the various pieces of information the loader maintains in an entry.

Table 3-24. Fields in a Loader Data Table Entry

Field

Meaning

BaseDllName

Name of the module itself, without the full path

ContextInformation

Used by SwitchBranch (described later) to store the current Windows context GUID associated with this module

DllBase

Holds the base address at which the module was loaded

EntryPoint

Contains the initial routine of the module (such as DllMain)

EntryPointActivationContext

Contains the SxS/Fusion activation context when calling initializers

Flags

Loader state flags for this module (See Table 3-25 for a description of the flags.)

ForwarderLinks

Linked list of modules that were loaded as a result of export table forwarders from the module

FullDllName

Fully qualified path name of the module

HashLinks

Linked list used during process startup and shutdown for quicker lookups

List Entry Links

Links this entry into each of the three ordered lists part of the loader database

LoadCount

Reference count for the module (that is, how many times it has been loaded)

LoadTime

Stores the system time value when this module was being loaded

OriginalBase

Stores the original base address (set by the linker) of this module, enabling faster processing of relocated import entries

PatchInformation

Information that’s relevant during a hotpatch operation on this module

ServiceTagLinks

Linked list of services (see Chapter 4 for more information) referencing this module

SizeOfImage

Size of the module in memory

StaticLinks

Linked list of modules loaded as a result of static references from this one

TimeDateStamp

Time stamp written by the linker when the module was linked, which the loader obtains from the module’s image PE header

TlsIndex

Thread local storage slot associated with this module

One way to look at a process’ loader database is to use WinDbg and its formatted output of the PEB. The next experiment shows you how to do this and how to look at the LDR_DATA_TABLE_ENTRY structures on your own.

EXPERIMENT: Dumping the Loaded Modules Database

Before starting the experiment, perform the same steps as in the previous two experiments to launch Notepad.exe with WinDbg as the debugger. When you get to the first prompt (where you’ve been instructed to type g until now), follow these instructions:

You can look at the PEB of the current process with the !peb command. For now, you’re interested only in the Ldr data that will be displayed. (See Chapter 5 for details about other information stored in the PEB.)0: kd> !peb PEB at 000007fffffda000 InheritedAddressSpace: No ReadImageFileExecOptions: No BeingDebugged: No ImageBaseAddress: 00000000ff590000 Ldr 0000000076e72640 Ldr.Initialized: Yes Ldr.InInitializationOrderModuleList: 0000000000212880 . 0000000004731c20 Ldr.InLoadOrderModuleList: 0000000000212770 . 0000000004731c00 Ldr.InMemoryOrderModuleList: 0000000000212780 . 0000000004731c10 Base TimeStamp Module ff590000 4ce7a144 Nov 20 11:21:56 2010 C:\Windows\Explorer.EXE 76d40000 4ce7c8f9 Nov 20 14:11:21 2010 C:\Windows\SYSTEM32\ntdll.dll 76870000 4ce7c78b Nov 20 14:05:15 2010 C:\Windows\system32\kernel32.dll 7fefd2d0000 4ce7c78c Nov 20 14:05:16 2010 C:\Windows\system32\KERNELBASE.dll 7fefee20000 4a5bde6b Jul 14 02:24:59 2009 C:\Windows\system32\ADVAPI32.dll