Table of content


The LDR_DATA_TABLE_ENTRY structure is NTDLL’s record of how a DLL is loaded into a process.

This list can be accessed through the process PEB as it point to the InLoadOrderModuleList, InMemoryOrderModuleList and InInitializationOrderModuleList.

The structure can be found in the winternl.h but it's a modified structure as it only contains the InMemoryOrderLinks, DllBase, FullDllName, CheckSum and TimeDateStamp entries.

Even if this structure is supposed instable ie can be modified between Windows version, it appears to be quite the same since the original Windows: they did not replace or modify values but only add additional values.

For example, in Windows 6.2, they add the LIST_ENTRY HashLinks parameter that contains the list of the modules names hashed using the x65599 hashing algorithm that can be accessed through LdrpHashUnicodeString (that internaly uses RtlHashUnicodeString whose default hash algorithm is x65599).

This may have been implemented to fasten the module lookup performed through GetModuleHandle (for loaded modules) or GetProcAddress (for export function).


results matching ""

    No results matching ""

    results matching ""

      No results matching ""