Comments on: A catalog of NTDLL kernel mode to user mode callbacks, part 6: LdrInitializeThunk

By: istanbul

istanbul — Fri, 14 Mar 2008 21:50:27 +0000

what about part 7 :)

By: Ivanlef0u’s Blog » CreateProcess

Ivanlef0u’s Blog » CreateProcess — Sat, 19 Jan 2008 00:31:27 +0000

[...] A catalog of NTDLL kernel mode to user mode callbacks, part 6: LdrInitializeThunk http://www.nynaeve.net/?p=205 [...]

By: Skywing

Skywing — Thu, 29 Nov 2007 01:42:51 +0000

Yep, that’s even better; thanks!

I used to do this in an annoyingly convoluted way before I knew the debugger had support for it – create a process suspended, attach noninvasively with debugger, write a breakpoint opcode over the manually resolved address of LdrInitializeThunk, then re-attach invasively, restore the original opcode manually, and go.

By: Pavel Lebedinsky

Pavel Lebedinsky — Thu, 29 Nov 2007 00:42:07 +0000

Another way to debug process initialization is to break on ntdll load:

C:\Debuggers>cdb -xe ld:ntdll.dll notepad
0:000> bp ntdll!LdrInitializeThunk
0:000> g
Breakpoint 0 hit

This is slightly more convenient than -xe cpr because ntdll symbols are immediately available.