Process Hacker Discussion Forum

440bx
Member
Posts: 65
Joined: 02 Jul 2021 23:33

LdrSystemDllInitBlock definition

25 Aug 2021 04:03

LdrSystemDllInitBlock is defined in ntldr.h as a function that returns a PPS_SYSTEM_DLL_INIT_BLOCK, but LdrSystemDllInitBlock is not a function; it's just an exported ntdll variable, and its value does not seem to point to a PS_SYSTEM_DLL_INIT_BLOCK.

Any comments are welcome.

PS: the variable exists in Win7 and above. PH has it as requiring THRESHOLD and above.

dmex
Admin
Posts: 1695
Joined: 17 Jan 2011 05:43

Re: LdrSystemDllInitBlock definition

25 Aug 2021 10:41

440bx wrote: 25 Aug 2021 04:03
its value does not seem to point to a PS_SYSTEM_DLL_INIT_BLOCK.
We're using this in production. The type is correct and you can assert the addresses:

assert(LdrSystemDllInitBlock.Size == sizeof(PS_SYSTEM_DLL_INIT_BLOCK));
LdrSystemDllInitBlock.CfgBitMap == the CFG Bitmap base address shown for the current process in the Memory tab
440bx wrote: 25 Aug 2021 04:03
PS: the variable exists in Win7 and above. PH has it as requiring THRESHOLD and above.
From memory, it was backported in some patches. It's not useful for Win7, and either way the type changed, and there wasn't any point in backwards compatibility for this structure.

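The two checks above (the Size field against sizeof(PS_SYSTEM_DLL_INIT_BLOCK), and whether the export is a variable or a function) can be done from a live process without a disassembler. The following PowerShell is an added example for this thread; it is not Process Hacker code and not something either poster wrote. It assumes Windows 10 or later with PowerShell 5.1+, and the function name Test-LdrSystemDllInitBlock is chosen here for illustration only. It resolves the export with GetProcAddress, asks VirtualQuery for the page protection (a data export lives on a writable, non-executable page; a function would be on an executable one), and reads the leading ULONG Size field so you can compare it against the sizeof() of the ntldr.h revision you build against.

```powershell
# Added example, not code from the thread or from Process Hacker.
# Assumes Windows 10+, PowerShell 5.1+. Test-LdrSystemDllInitBlock is a name
# chosen for this example, not an existing API.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr GetModuleHandle(string lpModuleName);

[DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);

[StructLayout(LayoutKind.Sequential)]
public struct MEMORY_BASIC_INFORMATION
{
    public IntPtr BaseAddress;
    public IntPtr AllocationBase;
    public uint   AllocationProtect;
    public IntPtr RegionSize;
    public uint   State;
    public uint   Protect;
    public uint   Type;
}

[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr VirtualQuery(IntPtr lpAddress, out MEMORY_BASIC_INFORMATION lpBuffer, IntPtr dwLength);
'@

function Test-LdrSystemDllInitBlock {
    # PAGE_READWRITE (0x04) and PAGE_WRITECOPY (0x08) are what an image's
    # writable data section shows; anything in 0xF0 is an execute protection.
    $DataMask = 0x0C
    $ExecMask = 0xF0

    $ntdll = [Win32.Native]::GetModuleHandle('ntdll.dll')
    $sym   = [Win32.Native]::GetProcAddress($ntdll, 'LdrSystemDllInitBlock')
    if ($sym -eq [IntPtr]::Zero) {
        throw 'ntdll.dll does not export LdrSystemDllInitBlock on this build'
    }

    # Page protection of the export's address: data symbol vs. code.
    $mbi = [Win32.Native+MEMORY_BASIC_INFORMATION]::new()
    $len = [IntPtr][Runtime.InteropServices.Marshal]::SizeOf($mbi)
    if ([Win32.Native]::VirtualQuery($sym, [ref]$mbi, $len) -eq [IntPtr]::Zero) {
        throw 'VirtualQuery failed'
    }

    # The first field of PS_SYSTEM_DLL_INIT_BLOCK is ULONG Size. Compare it with
    # sizeof(PS_SYSTEM_DLL_INIT_BLOCK) from the ntldr.h revision you use; the
    # layout has changed between Windows builds, so a mismatch is expected when
    # the header and the running ntdll do not match.
    $size = [Runtime.InteropServices.Marshal]::ReadInt32($sym)

    # First pointer-sized slots, to line up by hand against the struct definition.
    $slots = for ($i = 0; $i -lt 8; $i++) {
        [Runtime.InteropServices.Marshal]::ReadIntPtr($sym, $i * [IntPtr]::Size)
    }

    [pscustomobject]@{
        Address      = ('0x{0:X}' -f $sym.ToInt64())
        Protect      = ('0x{0:X}' -f $mbi.Protect)
        IsData       = (($mbi.Protect -band $DataMask) -ne 0)
        IsExecutable = (($mbi.Protect -band $ExecMask) -ne 0)
        Size         = $size
        FirstSlots   = @($slots | ForEach-Object { '0x{0:X}' -f $_.ToInt64() })
    }
}

Test-LdrSystemDllInitBlock | Format-List
```

IsData being true with IsExecutable false is what a plain exported variable looks like, which is the disassembly observation in this thread; a function export would be on an executable page. The CfgBitMap comparison from the post needs the field offset from your ntldr.h revision, which this example deliberately does not hardcode, since that offset is exactly what moves when the structure changes between builds.
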
440bx
Member
Posts: 65
Joined: 02 Jul 2021 23:33

Re: LdrSystemDllInitBlock definition

25 Aug 2021 19:24

dmex wrote: 25 Aug 2021 10:41
We're using this in production. The type is correct and you can assert the addresses;
Honestly, I don't know what to say. I've carefully inspected the ntdll disassembly for Win7 and Win10 and I don't see a function there, just a variable in a writeable data segment (value 50h or 80h depending on bitness). Also, what follows it is a series of pointers to ntdll functions that are completely unrelated to the definition shown of PS_SYSTEM_DLL_INIT_BLOCK.

Just in case, I'll revisit it again sometime.