  • In addition to what Peter said, sometimes programs need to use functionality that is exposed by ntdll but not exposed by higher-level libraries. For example, if a user-mode application wants to call RtlDecompressBuffer(), it needs to call the function in ntdll directly; there's no higher-level version exposed by Windows. Commented Apr 20, 2014 at 14:02
  • @Jason, would that result in OllyDbg reporting ntdll.addr instead of ntdll.RtlDecompressBuffer? I would think that if the fxn was deliberately exposed by ntdll, it's public and I should be seeing the fxn name--unless this name can be changed by the loader at runtime? Commented Apr 20, 2014 at 22:10
  • @Jason, Yikes... nm. I think I see what's going on, but why on earth make functions in ntdll private, if it's possible to load them anyway with GetProcAddress? Seems counter-intuitive to hiding implementations. Commented Apr 20, 2014 at 22:30
  • @avgvstvs, they're not private if they're exported. They are simply platform-specific. Before everything was based on Windows NT, Windows 95 (for example) could not do everything that NT could do, so functionality was not exposed at a lower level (i.e. in kernel32.dll). Commented May 13, 2014 at 15:51