
Tools and methods for opening the description files of the ntdll.dll and kernel32.dll libraries

2011-09-13 19:47

ntdll.dll and kernel32.dll are Windows system files and play an important role in the Windows system.

ntdll.dll (NT Layer DLL) is a core module of Windows NT and a system-level file. It is the user-mode front end of the NT kernel: it exports the Nt*/Zw* system-call stubs, the Rtl* runtime library (including the heap manager), and the image loader (Ldr*), and it is mapped into every user-mode process.

kernel32.dll is the core Win32 subsystem DLL. The copy dumped below comes from a Windows NT-family system (the dump is dated 2006), not from Windows 9x/Me as the usual boilerplate description says, and despite its name it is not a kernel-level file: it is a user-mode library that wraps the Native API exported by ntdll.dll and exposes the documented Win32 functions for memory management, file and console I/O, processes and threads. It handles no interrupts (user-mode code cannot), and the "write-protected memory area" claim describes the Windows 9x shared-memory layout rather than NT. The export listing further below shows the relationship directly: kernel32's AddVectoredExceptionHandler is simply forwarded to NTDLL.RtlAddVectoredExceptionHandler.

ntdll.dll

Opening C:/windows/system32/ntdll.dll with the DLL viewer ResHacker 3.5 gives the following result, as shown in the figure:



Its Message Table resource, as ResHacker decompiles it, is as follows. The first column is the message id in decimal; for ntdll.dll these ids are NTSTATUS values (0 = STATUS_WAIT_0, 258 = 0x102 = STATUS_TIMEOUT, 259 = 0x103 = STATUS_PENDING), and this table is what FormatMessage reads when it is called with FORMAT_MESSAGE_FROM_HMODULE on ntdll's module handle. Sequences such as %hs are insert placeholders for that call:

1 MESSAGETABLE
{
0,   "STATUS_WAIT_0"
1,   "STATUS_WAIT_1"
2,   "STATUS_WAIT_2"
3,   "STATUS_WAIT_3"
63,  "STATUS_WAIT_63"
128, "STATUS_ABANDONED_WAIT_0"
191, "STATUS_ABANDONED_WAIT_63"
192, "STATUS_USER_APC"
256, "STATUS_KERNEL_APC"
257, "STATUS_ALERTED"
258, "STATUS_TIMEOUT"
259, "The operation that was requested is pending completion."
260, "A reparse should be performed by the Object Manager since the name of the file resulted in a symbolic link."
261, "Returned by enumeration APIs to indicate more information is available to successive calls."
262, "Indicates not all privileges or groups referenced are assigned to the caller.\nThis allows, for example, all privileges to be disabled without having to know exactly which privileges are assigned."
263, "Some of the information to be translated has not been translated."
264, "An open/create operation completed while an oplock break is underway."
265, "A new volume has been mounted by a file system."
266, "This success level status indicates that the transaction state already exists for the registry sub-tree, but that a transaction commit was previously aborted. The commit has now been completed."
267, "This indicates that a notify change request has been completed due to closing the handle which made the notify change request."
268, "This indicates that a notify change request is being completed and that the information is not being returned in the caller's buffer.\nThe caller now needs to enumerate the files to find the changes."
269, "{No Quotas}\nNo system quota limits are specifically set for this account."
270, "{Connect Failure on Primary Transport}\nAn attempt was made to connect to the remote server %hs on the primary transport, but the connection failed.\nThe computer WAS able to connect on a secondary transport."
272, "Page fault was a transition fault."
273, "Page fault was a demand zero fault."
274, "Page fault was a demand zero fault."
275, "Page fault was a demand zero fault."
276, "Page fault was satisfied by reading from a secondary storage device."
277, "Cached page was locked during operation."
278, "Crash dump exists in paging file."
279, "Specified buffer contains all zeros."
280, "A reparse should be performed by the Object Manager since the name of the file resulted in a symbolic link."
281, "The device has succeeded a query-stop and its resource requirements have changed."
288, "The translator has translated these resources into the global space and no further translations should be performed."
289, "The directory service evaluated group memberships locally, as it was unable to contact a global catalog server."
290, "A process being terminated has no threads to terminate."
291, "The specified process is not part of a job."
292, "The specified process is part of a job."
293, "{Volume Shadow Copy Service}\nThe system is now ready for hibernation."
294, "A file system or file system filter driver has successfully completed an FsFilter operation."
295, "The specified interrupt vector was already connected."
296, "The specified interrupt vector is still connected."
297, "The current process is a cloned process."
298, "The file was locked and all users of the file can only read."
299, "The file was locked and at least one user of the file can write."
514, "The specified ResourceManager made no changes or updates to the resource under this transaction."
528, "The specified ring buffer was empty before the packet was successfully inserted."
529, "The specified ring buffer was full before the packet was successfully removed."
530, "The specified ring buffer has dropped below its quota of outstanding transactions."
531, "The specified ring buffer has, with the removal of the current packet, now become empty."
532, "The specified ring buffer was either previously empty or previously full which implies that the caller should signal the opposite endpoint."
533, "The oplock that was associated with this handle is now associated with a different handle."
}
Because the generated listing is enormous (roughly several thousand lines), only an excerpt is quoted here; for the full listing see my CSDN blog: http://blog.csdn.net/rootsongjc/article/details/6767090. I think the text above is a functional explanation of the functions that ntdll.dll calls, but since no actual functions appear, this is only a guess.
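To make the resource concrete, here is an added example (not from the original post and not ResHacker's output) that builds and parses the on-disk MESSAGETABLE format, MESSAGE_RESOURCE_DATA from winnt.h: a DWORD block count, an array of (LowId, HighId, OffsetToEntries) blocks, and then DWORD-aligned entries of (Length, Flags, Text). The sample ids and texts are copied from the dump above; the 0xC0000005 entry is constructed here only to show that error-range NTSTATUS values are keyed by their full 32-bit value. Python standard library only.

```python
import struct

MESSAGE_RESOURCE_UNICODE = 0x0001      # MESSAGE_RESOURCE_ENTRY.Flags: Text is UTF-16LE

def _encode_entry(text, unicode=True):
    """One MESSAGE_RESOURCE_ENTRY: WORD Length, WORD Flags, Text[] (padded to a DWORD)."""
    if unicode:
        body, flags = (text + "\r\n").encode("utf-16-le") + b"\x00\x00", MESSAGE_RESOURCE_UNICODE
    else:
        body, flags = (text + "\r\n").encode("cp1252") + b"\x00", 0
    length = 4 + len(body)
    pad = (-length) % 4
    return struct.pack("<HH", length + pad, flags) + body + b"\x00" * pad

def build_message_table(blocks, unicode=True):
    """Serialise [(low_id, [text, ...]), ...] as MESSAGE_RESOURCE_DATA (ids contiguous per block)."""
    block_hdrs, entries = b"", b""
    entries_base = 4 + 12 * len(blocks)          # entries follow the NumberOfBlocks DWORD and block array
    for low_id, texts in blocks:
        block_hdrs += struct.pack("<III", low_id, low_id + len(texts) - 1, entries_base + len(entries))
        for text in texts:
            entries += _encode_entry(text, unicode)
    return struct.pack("<I", len(blocks)) + block_hdrs + entries

def parse_message_table(data):
    """Parse MESSAGE_RESOURCE_DATA into {message_id: text}, bounds-checking every field."""
    (n_blocks,) = struct.unpack_from("<I", data, 0)
    if 4 + 12 * n_blocks > len(data):
        raise ValueError("block array overruns the resource")
    messages = {}
    for b in range(n_blocks):
        low, high, off = struct.unpack_from("<III", data, 4 + 12 * b)
        if high < low:
            raise ValueError("block %d has HighId < LowId" % b)
        for msg_id in range(low, high + 1):
            if off + 4 > len(data):
                raise ValueError("entry header for id %#x overruns the resource" % msg_id)
            length, flags = struct.unpack_from("<HH", data, off)
            if length < 4 or off + length > len(data):
                raise ValueError("entry for id %#x has bad Length %d" % (msg_id, length))
            raw = data[off + 4 : off + length]
            codec = "utf-16-le" if flags & MESSAGE_RESOURCE_UNICODE else "cp1252"
            text = raw.decode(codec, "replace").split("\x00", 1)[0]
            messages[msg_id] = text.rstrip("\r\n")        # ResHacker shows the text without its CRLF
            off += length
    return messages

# Sample table: ids and texts taken from the ResHacker dump above (decimal ids 0-3, 258, 259);
# the 0xC0000005 entry is constructed for this example to show an error-range id.
SAMPLE_BLOCKS = [
    (0, ["STATUS_WAIT_0", "STATUS_WAIT_1", "STATUS_WAIT_2", "STATUS_WAIT_3"]),
    (258, ["STATUS_TIMEOUT", "The operation that was requested is pending completion."]),
    (0xC0000005, ["(constructed) error-range entry, keyed by the full NTSTATUS value"]),
]

def ntstatus_text(messages, status):
    """Look up an NTSTATUS the way FormatMessage(FORMAT_MESSAGE_FROM_HMODULE) on ntdll would;
    masking lets a negative 32-bit value (as a C LONG would be returned) find its entry."""
    return messages.get(status & 0xFFFFFFFF)

if __name__ == "__main__":
    table = build_message_table(SAMPLE_BLOCKS)
    msgs = parse_message_table(table)
    for msg_id, text in sorted(msgs.items()):
        print("%-10d 0x%08X  %s" % (msg_id, msg_id, text))
    print(ntstatus_text(msgs, 0x102))
```

The parser refuses entries whose Length runs past the end of the resource; that check matters when the table comes from an untrusted or patched binary rather than from the system32 copy.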

Disassembling ntdll.dll with W32Dasm gives, in part, the following output. Two things are worth noting before reading it. First, this W32Dasm run did not parse the DLL's import or export tables: the listing reports 0 imported modules, 0 exported functions and no entry point, although ntdll.dll exports well over a thousand Nt*/Zw*/Rtl*/Ldr* routines; the export listing for kernel32.dll further below was therefore taken with dumpbin instead. Second, the routine at 77EC11FA opens with the two-byte instruction mov edi, edi and is preceded by five nop bytes (77EC11F5 to 77EC11F9); that is the hot-patchable prologue Microsoft's system DLLs are built with, and the spot where runtime hooks (and hook detectors) look. The Flags column of the section list is IMAGE_SCN_* characteristics: 60000020 is code, execute, read; C0000040 is initialized data, read, write; 42000040 is initialized data, discardable, read.

Object01: .text    RVA: 00001000 Offset: 00000400 Size: 000D5200 Flags: 60000020
Object02: RT       RVA: 000D7000 Offset: 000D5600 Size: 00000200 Flags: 60000020
Object03: .data    RVA: 000D8000 Offset: 000D5800 Size: 00006C00 Flags: C0000040
Object04: .rsrc    RVA: 000E1000 Offset: 000DC400 Size: 00056200 Flags: 40000040
Object05: .reloc   RVA: 00138000 Offset: 00132600 Size: 00004E00 Flags: 42000040

 

+++++++++++++++++++   Menu Information    ++++++++++++++++++

                 The program has no menu options

+++++++++++++++++     Dialog Information     ++++++++++++++++++

        There Are No Dialog Resources in This Application

+++++++++++++++++++      Imported Functions      ++++++++++++++++++

Number of Imported Modules =    0 (decimal)

+++++++++++++++++++      Important Module Information     +++++++++++++++

+++++++++++++++++++      Exported Functions      ++++++++++++++++++

Number of Exported Functions = 0000 (decimal)

+++++++++++++++++++ ASSEMBLY CODE LISTING ++++++++++++++++++

//********************** Start of Code in Object .text **************

Program Entry Point Not Available

:77EC100053                      push ebx

:77EC11B38D4DFC                  lea ecx, dword ptr [ebp-04]

:77EC11B651                      push ecx

:77EC11B76A00                    push 00000000

:77EC11B950                      push eax

:77EC11BA57                      push edi

:77EC11BBE83A000000              call 77EC11FA

:77EC11C0837DFC00                cmp dword ptr [ebp-04], 00000000

:77EC11C40F8727A80900            ja 77F5B9F1

 

 

*Referenced by a (U)nconditional or (C)onditional Jump at Address:

|:77EC11B1(C)

|

:77EC11CA837DF800                cmp dword ptr [ebp-08], 00000000

:77EC11CE7415                    je 77EC11E5

:77EC11D08B4510                  mov eax, dword ptr [ebp+10]

:77EC11D385C0                    test eax, eax

:77EC11D50F8539A80900            jne 77F5BA14

 

 

*Referenced by a (U)nconditional or (C)onditional Jump at Address:

|:77F5BA19(U)

|

:77EC11DB33C0                    xor eax, eax

:77EC11DD40                      inc eax

 

 

*Referenced by a (U)nconditional or (C)onditional Jump at Address:

|:77F5B9EC(U)

|

:77EC11DE5F                      pop edi

:77EC11DF5E                      pop esi

:77EC11E05B                      pop ebx

:77EC11E1C9                      leave

:77EC11E2C20C00                  ret 000C

 

*Referenced by a (U)nconditional or (C)onditional Jump at Addresses:

|:77EC1193(C),:77EC11CE(C), :77F5B9E0(U), :77F5BA00(C), :77F5BA09(C)

|

:77EC11E58B4510                  mov eax, dword ptr [ebp+10]

:77EC11E885C0                    test eax, eax

:77EC11EA0F85F5A70900            jne 77F5B9E5

:77EC11F0E9F5A70900              jmp 77F5B9EA

:77EC11F590                      nop

:77EC11F690                      nop

:77EC11F790                      nop

:77EC11F890                      nop

:77EC11F990                      nop

 

*Referenced by a CALL at Address:

|:77EC11BB  

|

:77EC11FA8BFF                    mov edi, edi

:77EC11FC55                      push ebp

:77EC11FD8BEC                    mov ebp, esp

:77EC11FF83EC0C                  sub esp, 0000000C

:77EC120233C9                    xor ecx, ecx

:77EC120453                      push ebx

:77EC12058B5D08                  mov ebx, dword ptr [ebp+08]

:77EC120856                      push esi

:77EC1209894DF4                  mov dword ptr [ebp-0C], ecx

:77EC120C894DF8                  mov dword ptr [ebp-08], ecx

:77EC120F894DFC                  mov dword ptr [ebp-04], ecx

:77EC12123BD9                    cmp ebx, ecx

:77EC12140F8437010000            je 77EC1351

:77EC121A8B430C                  mov eax, dword ptr [ebx+0C]

:77EC121D3BC1                    cmp eax, ecx

:77EC121F0F842C010000            je 77EC1351

:77EC12258B750C                  mov esi, dword ptr [ebp+0C]

:77EC12283B7048                  cmp esi, dword ptr [eax+48]

:77EC122B0F8320010000            jnb 77EC1351

:77EC12318B4514                  mov eax, dword ptr [ebp+14]

:77EC12343BC1                    cmp eax, ecx

:77EC12367402                    je 77EC123A

:77EC12388908                    mov dword ptr [eax], ecx

 

 

*Referenced by a (U)nconditional or (C)onditional Jump at Address:

|:77EC1236(C)

|

:77EC123A51                      push ecx

:77EC123B8D45FC                  lea eax, dword ptr [ebp-04]

:77EC123E50                      push eax

:77EC123FE881FEFFFF              call 77EC10C5

:77EC124485C0                    test eax, eax

:77EC12460F84DB000000            je 77EC1327

:77EC124CFF75FC                  push [ebp-04]

:77EC124F56                      push esi

:77EC1250E832030000              call 77EC1587

:77EC125585C0                    test eax, eax

:77EC12570F84CA000000            je 77EC1327

:77EC125D57                      push edi

:77EC125EFF75FC                  push [ebp-04]

:77EC12618D450C                  lea eax, dword ptr [ebp+0C]

:77EC126450                      push eax

:77EC1265E8F8000000              call 77EC1362

:77EC126A85C0                    test eax, eax

:77EC126C0F84AD000000            je 77EC131F

Assembly code; I don't understand it very well.

 

The export table of kernel32.dll, dumped with dumpbin /exports (the Microsoft COFF Binary File Dumper), is as follows. The ordinal is the export number (ordinal base plus index), the hint is the index into the name table, and a name with no RVA is a forwarder that resolves in another DLL:

Microsoft (R) COFF Binary File Dumper Version 6.00.8168
Copyright (C) Microsoft Corp 1992-1998. All rights reserved.

Dump of file c:/windows/system32/kernel32.dll

File Type: DLL

 Section contains the following exports for KERNEL32.dll

      0 characteristics
  44AB7FD3 time date stamp Wed Jul 05 17:01:07 2006
    0.00 version
      1 ordinal base
     949 number of functions
     949 number of names

  ordinal hint RVA      name

 

     1  0 0000A644 ActivateActCtx

     2  1 000354ED AddAtomA

     3  2 000326C1 AddAtomW

     4  3 00070CBF AddConsoleAliasA

     5  4 00070C81 AddConsoleAliasW

     6  5 00058F26 AddLocalAlternateComputerNameA

     7  6 00058E0A AddLocalAlternateComputerNameW

     8  7 0002BF01 AddRefActCtx

     9  8          AddVectoredExceptionHandler (forwarded to NTDLL.RtlAddVectoredExceptionHandler)

     10  9 00071311 AllocConsole

     11  A 0005E712 AllocateUserPhysicalPages

     12  B 0003594F AreFileApisANSI

     13  C 0002E44A AssignProcessToJobObject

     14  D 000714F9 AttachConsole

     15  E 00056DDF BackupRead

     16  F 00055EEF BackupSeek

     17  10 000573FE BackupWrite

     18  11 000167D7 BaseCheckAppcompatCache

     19  12 0006BE06 BaseCleanupAppcompatCache

     20  13 0006BE8A BaseCleanupAppcompatCacheSupport

     21  14 0006BCC1 BaseDumpAppcompatCache

     22  15 0006BC3F BaseFlushAppcompatCache

     23  16 000164CD BaseInitAppcompatCache

     24  17 0002B38D BaseInitAppcompatCacheSupport

     25  18 00017443 BaseProcessInitPostImport

     26  19 0003835A BaseQueryModuleData

     27  1A 00015120 BaseUpdateAppcompatCache

     28  1B 00019805 BasepCheckWinSaferRestrictions

     29  1C 00037A77 Beep

     30  1D 0006FC7B BeginUpdateResourceA

     31  1E 0006FAD8 BeginUpdateResourceW

     32  1F 0002C02C BindIoCompletionCallback

     33  20 0006AEED BuildCommDCBA

     34  21 0006AEBF BuildCommDCBAndTimeoutsA

     35  22 0006AF1F BuildCommDCBAndTimeoutsW

     36  23 0006AF79 BuildCommDCBW

     37  24 0005FDCE CallNamedPipeA

     38  25 0005FB7F CallNamedPipeW

     39  26 00060B97 CancelDeviceWakeupRequest

     40  27 000300DA CancelIo

     41  28 00062DF0 CancelTimerQueueTimer

     42  29 0002CC09 CancelWaitableTimer

     43  2A 00012723 ChangeTimerQueueTimer

     44  2B 00060A51 CheckNameLegalDOS8Dot3A

     45  2C 00060811 CheckNameLegalDOS8Dot3W

     46  2D 00059B1E CheckRemoteDebuggerPresent

     47  2E 00066CF1 ClearCommBreak

     48  2F 0006557C ClearCommError

     49  30 0001DC7E CloseConsoleHandle

     50  31 00009B47 CloseHandle

     51  32 0002C86D CloseProfileUserMapping

     52  33 0002F609 CmdBatNotification

     53  34 00066871 CommConfigDialogA

     54  35 0006677D CommConfigDialogW

     55  36 00010AD9 CompareFileTime

     56  37 0000D077 CompareStringA

     57  38 0000A35E CompareStringW

     58  39 0003145B ConnectNamedPipe

     59  3A 00071FBF ConsoleMenuControl

     60  3B 0005A565 ContinueDebugEvent

     61  3C 000383CF ConvertDefaultLocale

     62  3D 0002FED7 ConvertFiberToThread

     63  3E 0002FF16 ConvertThreadToFiber

     64  3F 000286EE CopyFileA

     65  40 0005E3C4 CopyFileExA

     66  41 00027B32 CopyFileExW

     67  42 0002F873 CopyFileW

     68  43 000593AE CopyLZFile

     69  44 0006B7A5 CreateActCtxA

     70  45 0001545C CreateActCtxW

     71  46 00073068 CreateConsoleScreenBuffer

     72  47 000217AC CreateDirectoryA

     73  48 0005B23B CreateDirectoryExA

     74  49 0005A5F2 CreateDirectoryExW

     75  4A 000323D2 CreateDirectoryW

     76  4B 000308AD CreateEventA

………………

 Summary

 

    5000 .data

    6000 .reloc

    8E000 .rsrc

    82000 .text

 

=================================================

Microsoft (R) COFF Binary File Dumper Version 6.00.8168
Copyright (C) Microsoft Corp 1992-1998. All rights reserved.

Dump of file c:/windows/system32/VBSCRIPT.dll

File Type: DLL

 Section contains the following exports for VBSCRIPT.dll

      0 characteristics
  41107EC3 time date stamp Wed Aug 04 14:14:27 2004
    0.00 version
      1 ordinal base
       4 number of functions
       4 number of names

  ordinal hint RVA      name

 

     1  0 000052B2 DllCanUnloadNow

     2  1 0000CCE6 DllGetClassObject

     3  2 00026BAD DllRegisterServer

     4  3 00026B31 DllUnregisterServer

 

 Summary

 

    6000 .data

    4000 .reloc

    9000 .rsrc

    53000 .text
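The W32Dasm Object lines for ntdll.dll and the dumpbin /exports listings above are both read straight out of PE headers. As an added example (not code from the original post, and not from W32Dasm or dumpbin), the following Python hand-assembles a minimal PE32 DLL, constructed for this purpose, with two sections and three exports, one of them a forwarder in the style of kernel32's AddVectoredExceptionHandler, and then parses it back: it walks the section table (name, RVA, raw offset, size, decoded characteristics, which is what the Object lines show), converts RVAs to file offsets, and reads the export directory into ordinal, hint, RVA, name and forwarder. The module name SAMPLE.dll, the export names and the RVAs 0x1010/0x1040 are assumptions of the example. Standard library only.

```python
import struct

# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h); 0x60000020 = CODE|EXECUTE|READ
SCN_FLAGS = {0x00000020: "CODE", 0x00000040: "INITIALIZED_DATA", 0x00000080: "UNINITIALIZED_DATA",
             0x02000000: "DISCARDABLE", 0x20000000: "EXECUTE", 0x40000000: "READ", 0x80000000: "WRITE"}

def describe_flags(characteristics):
    return "|".join(n for bit, n in sorted(SCN_FLAGS.items()) if characteristics & bit)

def _headers(img):
    """Locate the optional header and section table; PE32 only (PE32+ is laid out differently)."""
    if img[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", img, 0x3C)
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (nsec,) = struct.unpack_from("<H", img, coff + 2)
    (opt_size,) = struct.unpack_from("<H", img, coff + 16)
    opt = coff + 20
    if struct.unpack_from("<H", img, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here; PE32+ puts DataDirectory at offset 112")
    return opt, opt + opt_size, nsec

def parse_sections(img):
    """The section table: what W32Dasm prints as Object lines (name, RVA, raw offset, size, flags)."""
    _, sect, nsec = _headers(img)
    out = []
    for i in range(nsec):
        name, vsize, rva, rawsize, rawptr = struct.unpack_from("<8sIIII", img, sect + 40 * i)
        (flags,) = struct.unpack_from("<I", img, sect + 40 * i + 36)
        out.append({"name": name.rstrip(b"\0").decode("ascii"), "rva": rva, "vsize": vsize,
                    "offset": rawptr, "size": rawsize, "flags": flags})
    return out

def rva_to_offset(sections, rva):
    """RVA -> file offset via the containing section (the Offset column of the Object lines)."""
    for s in sections:
        if s["rva"] <= rva < s["rva"] + max(s["vsize"], s["size"]):
            return rva - s["rva"] + s["offset"]
    raise ValueError("RVA %#x is not backed by any section" % rva)

def _cstr(img, off):
    return img[off:img.index(b"\0", off)].decode("ascii")

def parse_exports(img):
    """Export directory -> dumpbin /exports style entries; forwarders resolved to 'DLL.Symbol'."""
    opt, _, _ = _headers(img)
    sections = parse_sections(img)
    exp_rva, exp_size = struct.unpack_from("<II", img, opt + 96)      # DataDirectory[0] = exports
    if exp_rva == 0:
        return []
    d = rva_to_offset(sections, exp_rva)
    base, nfunc, nnames, fn_rva, names_rva, ords_rva = struct.unpack_from("<6I", img, d + 16)
    fn_off, names_off, ords_off = (rva_to_offset(sections, r) for r in (fn_rva, names_rva, ords_rva))
    exports = []
    for hint in range(nnames):
        (name_rva,) = struct.unpack_from("<I", img, names_off + 4 * hint)
        (idx,) = struct.unpack_from("<H", img, ords_off + 2 * hint)    # unbiased ordinal
        if idx >= nfunc:
            raise ValueError("name #%d points past the function table" % hint)
        (target,) = struct.unpack_from("<I", img, fn_off + 4 * idx)
        e = {"ordinal": base + idx, "hint": hint, "rva": target, "forwarder": None,
             "name": _cstr(img, rva_to_offset(sections, name_rva))}
        if exp_rva <= target < exp_rva + exp_size:      # target inside the export directory: a forwarder string
            e["forwarder"], e["rva"] = _cstr(img, rva_to_offset(sections, target)), None
        exports.append(e)
    return exports

def build_sample_dll():
    """Constructed minimal PE32 DLL: headers | .text at 0x200 (RVA 0x1000) | .edata at 0x400 (RVA 0x2000)."""
    E, names = 0x2000, ["AddRefActCtx", "AddVectoredExceptionHandler", "CloseHandle"]   # sorted, as the loader requires
    strings, str_rva = b"", {}
    for s in ["SAMPLE.dll", "NTDLL.RtlAddVectoredExceptionHandler"] + names:
        str_rva[s] = E + 70 + len(strings)       # 40-byte directory + 12 + 12 + 6 bytes of tables
        strings += s.encode("ascii") + b"\0"
    funcs = [0x1010, str_rva["NTDLL.RtlAddVectoredExceptionHandler"], 0x1040]   # middle one is forwarded
    edata = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, str_rva["SAMPLE.dll"], 1, 3, 3, E + 40, E + 52, E + 64)
    edata += struct.pack("<3I", *funcs) + struct.pack("<3I", *(str_rva[n] for n in names))
    edata += struct.pack("<3H", 0, 1, 2) + strings
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                                   # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x2102)         # i386, 2 sections, DLL
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0x200, 0x200, 0, 0x1010, 0x1000, 0x2000)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x10000000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0,
                       0x3000, 0x200, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += struct.pack("<II", E, len(edata)) + b"\0" * (8 * 15)                          # 16 data directories
    hdr = dos + coff + opt
    for name, rva, raw, flags in [(b".text", 0x1000, 0x200, 0x60000020), (b".edata", E, 0x400, 0x40000040)]:
        hdr += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), 0x200, rva, 0x200, raw, 0, 0, 0, 0, flags)
    return hdr.ljust(0x200, b"\0") + b"\xCC" * 0x200 + edata.ljust(0x200, b"\0")

if __name__ == "__main__":
    img = build_sample_dll()
    for i, s in enumerate(parse_sections(img), 1):
        print("Object%02d: %-8s RVA: %08X Offset: %08X Size: %08X Flags: %08X (%s)" %
              (i, s["name"], s["rva"], s["offset"], s["size"], s["flags"], describe_flags(s["flags"])))
    for e in parse_exports(img):
        print("%5d %4X %s %s" % (e["ordinal"], e["hint"], "        " if e["rva"] is None else "%08X" % e["rva"],
              e["name"] + (" (forwarded to %s)" % e["forwarder"] if e["forwarder"] else "")))
```

Run it against a real file by replacing build_sample_dll() with open(path, "rb").read(); the same forwarder test (function RVA falling inside the export directory) is how dumpbin decides to print "forwarded to" instead of an RVA, and a parser that skips it will try to disassemble a string.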

For ease of printing and browsing, only some of the functions are listed above; the full results are on my CSDN blog: http://blog.csdn.net/rootsongjc/article/details/6767090.