Table of content
The LDR_DATA_TABLE_ENTRY structure is NTDLL’s record of how a DLL is loaded into a process.
This list can be accessed through the process
PEB as it point to the
The structure can be found in the
winternl.h but it's a modified structure as it only contains the
Even if this structure is supposed instable ie can be modified between Windows version, it appears to be quite the same since the original
Windows: they did not replace or modify values but only add additional values.
For example, in
Windows 6.2, they add the
LIST_ENTRY HashLinks parameter that contains the list of the modules names hashed using the
x65599 hashing algorithm that can be accessed through
LdrpHashUnicodeString (that internaly uses
RtlHashUnicodeString whose default hash algorithm is
This may have been implemented to fasten the module lookup performed through
GetModuleHandle (for loaded modules) or
GetProcAddress (for export function).