Is kernel32.dll loaded - using only ntdll.dll functions

Posted on 2007-10-06
Last Modified: 2008-01-09
For any given process, I need to be able to inject some code and verify whether it has kernel32.dll loaded. The problem is, to verify whether kernel32.dll is loaded, you would normally use GetModuleHandle which itself is exported from kernel32.dll.

It appears that the only DLL that is loaded 100% of the time is ntdll.dll, so I'm now trying to find a way to verify whether kernel32.dll is loaded using only the ntdll.dll exports. I suspect I'll have to read the raw process data structures to obtain this information, although I really don't know where to start getting information on that.

Thoughts? Pointers?
Question by:jimstar
LVL 4

Author Comment

by:jimstar
ID: 20028997
Think I've found the solution - LdrGetDllHandle(...).

Playing around with it now, and if it works I'll delete the Q.
LVL 86

Expert Comment

by:jkr
ID: 20029050
In short: "kernel32.dll" is always loaded for each process. Nothing to worry about.
LVL 4

Author Comment

by:jimstar
ID: 20029059
I'm specifically concerned with native processes, such as the session manager (smss.exe) and custom-built native apps. Those are two cases where kernel32.dll isn't loaded.
LVL 86

Accepted Solution

by:
jkr earned 2000 total points
ID: 20029071
BTW, you'd use that API like

UNICODE_STRING ModulePath;
WCHAR                   ModuleNameBuffer[]      = L"Kernel32.dll";
HMODULE hMod = NULL;

    // Setup the string
    RtlInitUnicodeString    (   &ModulePath,
                                ModuleNameBuffer
                            );

    NTSTATUS status = LdrGetDllHandle(0,NULL,&ModulePath,&hmod);
LVL 86

Expert Comment

by:jkr
ID: 20029074
Ooops, make that


    NTSTATUS status = LdrGetDllHandle(0,NULL,&ModulePath,&hMod);


Typo ;o)
LVL 4

Author Comment

by:jimstar
ID: 20029179
Thanks for the tip - I don't do enough native coding to know all of those functions off the top of my head, so it definitely helps.
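
Added example, not part of the original thread and not ntdll's own code: a portable C model of what an "is this module loaded" lookup comes down to, namely a case-insensitive walk over a process's loaded-module list whose names are counted (not NUL-terminated) UTF-16 strings. It goes beyond the LdrGetDllHandle call shown above to illustrate the raw-structure approach the question mentions. The struct layouts, function names and base addresses are simplified assumptions, and the module list is constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified stand-ins for the loader's module list (assumed names and layout,
   not the real ntdll structures): a circular doubly linked list with a sentinel. */
typedef struct list_entry { struct list_entry *flink, *blink; } list_entry;
typedef struct { uint16_t length; const uint16_t *buffer; } ustr; /* length in BYTES, no NUL */
typedef struct { list_entry links; void *base; ustr name; } module_entry;

static uint16_t upcase(uint16_t c) { return (c >= 'a' && c <= 'z') ? (uint16_t)(c - 32) : c; }
/* Case-insensitive compare of two counted UTF-16 strings (ASCII folding only). */
static int ustr_equal_nocase(const ustr *a, const ustr *b) {
    if (a->length != b->length) return 0;
    for (size_t i = 0; i < a->length / sizeof(uint16_t); i++)
        if (upcase(a->buffer[i]) != upcase(b->buffer[i])) return 0;
    return 1;
}

/* Walk from the sentinel until we are back at it; return the base or NULL. */
void *find_module(const list_entry *head, const ustr *wanted) {
    for (const list_entry *e = head->flink; e != head; e = e->flink) {
        const module_entry *m = (const module_entry *)e; /* links is the first member */
        if (ustr_equal_nocase(&m->name, wanted)) return m->base;
    }
    return NULL;
}

/* Constructed sample data: the base addresses are made up. */
static const uint16_t N_NTDLL[] = {'n','t','d','l','l','.','d','l','l'};
static const uint16_t N_K32[]   = {'K','E','R','N','E','L','3','2','.','D','L','L'};
static const uint16_t N_QUERY[] = {'K','e','r','n','e','l','3','2','.','d','l','l'};
static list_entry head;
static module_entry ntdll = { {NULL, NULL}, (void *)0x1000, { sizeof N_NTDLL, N_NTDLL } };
static module_entry k32   = { {NULL, NULL}, (void *)0x2000, { sizeof N_K32, N_K32 } };

static void link_tail(list_entry *h, list_entry *e) {
    e->flink = h; e->blink = h->blink; h->blink->flink = e; h->blink = e;
}

/* with_kernel32 == 0 models a native process where only ntdll is mapped. */
void *lookup_kernel32(int with_kernel32) {
    ustr q = { sizeof N_QUERY, N_QUERY };
    head.flink = head.blink = &head;
    link_tail(&head, &ntdll.links);
    if (with_kernel32) link_tail(&head, &k32.links);
    return find_module(&head, &q);
}

int main(void) { return (lookup_kernel32(1) && !lookup_kernel32(0)) ? 0 : 1; }
```

The query "Kernel32.dll" matches the stored "KERNEL32.DLL" entry because the comparison folds case and uses the byte length rather than a terminator; in the ntdll-only list the walk returns to the sentinel and yields NULL.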