![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/09\/delegatedntdll.png\")
<\/a><\/p>\n… I immediately googled it and found out that redplait<\/a> was the first one to describe this mechanism in detail, and then there was also an article<\/a> on StackOverflow about it; still, since it’s not very well-known I decided to include it in this series anyway.<\/p>\n How to use it?<\/p>\n and you are set. Next time the program is ran it will load the dll.<\/p>\n Note that the DLL must include the exports otherwise it won’t be executed (not even DllMain) – this is because the ntdll loads it not via LdrLoadDll, but via NtCreateSection\/ZwMapViewOfSection\/RtlImageNtHeader and then walks through a list of exports that it tries to resolve using LdrpGetProcedureAddress.<\/p>\n","protected":false},"excerpt":{"rendered":" How many ntdll does it take to change a light bulb? For 32-bit processes on 32-bit systems – 1. For 32-bit processes on 64-bit systems – 2. But… are you sure? Turns out that newer versions of Windows allow one … Continue reading \n
\n
\n
\nCurrentVersion\\Image File Execution Options\\
\n<filename>\\DelegatedNtdll=<filenameonly><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n