【问题标题】:What is in the Reserved1 field of the IMAGE_LOAD_CONFIG_DIRECTORY32 structure?IMAGE_LOAD_CONFIG_DIRECTORY32 结构的 Reserved1 字段是什么?
【发布时间】:2016-10-07 04:58:20
【问题描述】:

查看 kernelbase.dll 的 IMAGE_LOAD_CONFIG_DIRECTORY32 结构,我看到以下内容:

0:000> dt IMAGE_LOAD_CONFIG_DIRECTORY32 761dc810  
DebugMe!IMAGE_LOAD_CONFIG_DIRECTORY32
   +0x000 Size             : 0x80
   +0x004 TimeDateStamp    : 0
   +0x008 MajorVersion     : 0
   +0x00a MinorVersion     : 0
   +0x00c GlobalFlagsClear : 0
   +0x010 GlobalFlagsSet   : 0
   +0x014 CriticalSectionDefaultTimeout : 0
   +0x018 DeCommitFreeBlockThreshold : 0
   +0x01c DeCommitTotalFreeThreshold : 0
   +0x020 LockPrefixTable  : 0
   +0x024 MaximumAllocationSize : 0
   +0x028 VirtualMemoryThreshold : 0
   +0x02c ProcessHeapFlags : 0
   +0x030 ProcessAffinityMask : 0
   +0x034 CSDVersion       : 0
   +0x036 Reserved1        : 0x800
   +0x038 EditList         : 0
   +0x03c SecurityCookie   : 0x76334b94
   +0x040 SEHandlerTable   : 0x7626db60
   +0x044 SEHandlerCount   : 3

对于大多数系统 DLL,Reserved1 字段似乎都被设置为 0x800。看起来这个字段的存在也改变了 Ldrp 的行为。有谁知道这个字段的用途,以及其中可能出现的标志值是什么?

【问题讨论】:

    标签: windows dll process loader portable-executable


    【解决方案1】:

    好的。我已经想通了。 IMAGE_LOAD_CONFIG_DIRECTORY32 中的 Reserved1 字段现在用于控制依赖模块的加载方式。到目前为止,我在系统 dll 中找到的唯一值是 0x0800。如果存在此标志,则仅在系统目录中搜索依赖模块。

    如果您对详细信息感兴趣 - 请继续阅读。

    ModLoad: 4ef80000 4f041000   C:\vlh\pplus\builds\2016.09.23\OciVOB\DevInstall_debug\x86\cache\$Pcrt4.dll
        eax=00000000 ebx=00800000 ecx=01b6f6c1 edx=0000008c esi=00000000 edi=002e8000
        eip=77e6de8c esp=01b6f9c4 ebp=01b6fa20 iopl=0         nv up ei pl nz na po nc
        cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
        ntdll!NtMapViewOfSection+0xc:
    
    
    // Module $Pcrt4 being mapped
    0:003> kbn
     # ChildEBP RetAddr  Args to Child              
    00 01b6f9c0 77e324c9 000000d8 ffffffff 0174d040 ntdll!NtMapViewOfSection+0xc        // Arg3 - Pointer to DllBase in  _LDR_DATA_TABLE_ENTRY (offset 18)
    01 01b6fa20 77e3209a 01748590 00000000 0174d040 ntdll!LdrpMapViewOfSection+0x76     
    02 01b6fa70 77e31fc7 00008020 01b6fa8c 0174bf10 ntdll!LdrpMapImage+0x40
    03 01b6fa90 77e2ef85 c0000135 0174d028 0174bf10 ntdll!LdrpMapDllWithSectionHandle+0x20
    04 01b6fae8 77e2f21d 77f0eb60 0174bf10 00000000 ntdll!LdrpMapDllNtFileName+0xde
    05 01b6fc94 77e31ebf 4a35c2d6 77f0eb60 0174bf30 ntdll!LdrpMapDllSearchPath+0x1e1
    06 01b6fce4 77e34d09 01b6feac 01744d78 01746878 ntdll!LdrpProcessWork+0x84
    07 01b6fcf4 77e37538 01b6feac 00000000 01744d78 ntdll!LdrpWorkCallback+0x59
    08 01b6fde4 77e363b6 01b6feac 01744df0 4a35c1b2 ntdll!TppWorkpExecuteCallback+0x1e8
    09 01b6ff80 75ca62c4 01745940 75ca62a0 48108a65 ntdll!TppWorkerThread+0x396
    0a 01b6ff94 77e60609 01745940 4a35c1ee 00000000 KERNEL32!BaseThreadInitThunk+0x24
    0b 01b6ffdc 77e605d4 ffffffff 77e82516 00000000 ntdll!__RtlUserThreadStart+0x2f
    0c 01b6ffec 00000000 77e36020 01745940 00000000 ntdll!_RtlUserThreadStart+0x1b
    
    0:003> !dlls 0x0174d028
    
    0x0174d028: C:\vlh\pplus\builds\2016.09.23\OciVOB\DevInstall_debug\x86\cache\$Pcrt4.dll
          Base   0x00000000  EntryPoint  0x00000000  Size        0x00000000    DdagNode     0x0174bfa8
          Flags  0x00000064  TlsIndex    0x00000000  LoadCount   0x00000001    NodeRefCount 0x00000000
    
    // ldrDataTableEntry before loadConfig was processed
    0:003> dt _LDR_DATA_TABLE_ENTRY 0x0174d028
    ntdll!_LDR_DATA_TABLE_ENTRY
       +0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x77f0ebec - 0x174cda0 ]
       +0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x77f0ebf4 - 0x174cda8 ]
       +0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
       +0x018 DllBase          : (null) 
       +0x01c EntryPoint       : (null) 
       +0x020 SizeOfImage      : 0
       +0x024 FullDllName      : _UNICODE_STRING "C:\vlh\pplus\builds\2016.09.23\OciVOB\DevInstall_debug\x86\cache\$Pcrt4.dll"
       +0x02c BaseDllName      : _UNICODE_STRING "$Pcrt4.dll"
       +0x034 FlagGroup        : [4]  "d"
       +0x034 Flags            : 0x64
       +0x034 PackagedBinary   : 0y0
       +0x034 MarkedForRemoval : 0y0
       +0x034 ImageDll         : 0y1
       +0x034 LoadNotificationsSent : 0y0
       +0x034 TelemetryEntryProcessed : 0y0
       +0x034 ProcessStaticImport : 0y1
       +0x034 InLegacyLists    : 0y1
       +0x034 InIndexes        : 0y0
       +0x034 ShimDll          : 0y0
       +0x034 InExceptionTable : 0y0
       +0x034 ReservedFlags1   : 0y00
       +0x034 LoadInProgress   : 0y0
       +0x034 LoadConfigProcessed : 0y0
       +0x034 EntryProcessed   : 0y0
       +0x034 ProtectDelayLoad : 0y0
       +0x034 ReservedFlags3   : 0y00
       +0x034 DontCallForThreads : 0y0
       +0x034 ProcessAttachCalled : 0y0
       +0x034 ProcessAttachFailed : 0y0
       +0x034 CorDeferredValidate : 0y0
       +0x034 CorImage         : 0y0
       +0x034 DontRelocate     : 0y0
       +0x034 CorILOnly        : 0y0
       +0x034 ReservedFlags5   : 0y000
       +0x034 Redirected       : 0y0
       +0x034 ReservedFlags6   : 0y00
       +0x034 CompatDatabaseProcessed : 0y0
       +0x038 ObsoleteLoadCount : 6
       +0x03a TlsIndex         : 0
       +0x03c HashLinks        : _LIST_ENTRY [ 0x77f0ea68 - 0x77f0ea68 ]
       +0x044 TimeDateStamp    : 0
       +0x048 EntryPointActivationContext : (null) 
       +0x04c Lock             : (null) 
       +0x050 DdagNode         : 0x0174bfa8 _LDR_DDAG_NODE
       +0x054 NodeModuleLink   : _LIST_ENTRY [ 0x174bfa8 - 0x174bfa8 ]
       +0x05c LoadContext      : 0x0174bf10 _LDRP_LOAD_CONTEXT
       +0x060 ParentDllBase    : (null) 
       +0x064 SwitchBackContext : (null) 
       +0x068 BaseAddressIndexNode : _RTL_BALANCED_NODE
       +0x074 MappingInfoIndexNode : _RTL_BALANCED_NODE
       +0x080 OriginalBase     : 0
       +0x088 LoadTime         : _LARGE_INTEGER 0x0
       +0x090 BaseNameHashValue : 0xc03583f1
       +0x094 LoadReason       : 0 ( LoadReasonStaticDependency )
       +0x098 ImplicitPathOptions : 0
       +0x09c ReferenceCount   : 2
       +0x0a0 DependentLoadFlags : 0
    
    // loadConfig Processing:
    0:003> k
     # ChildEBP RetAddr  
    00 01b6fa4c 77e3260f ntdll!LdrpCfgProcessLoadConfig+0x37
    01 01b6fa78 77e31fe3 ntdll!LdrpProcessMappedModule+0x110
    02 01b6fa90 77e2ef85 ntdll!LdrpMapDllWithSectionHandle+0x3c
    03 01b6fae8 77e2f21d ntdll!LdrpMapDllNtFileName+0xde
    04 01b6fc94 77e31ebf ntdll!LdrpMapDllSearchPath+0x1e1
    05 01b6fce4 77e34d09 ntdll!LdrpProcessWork+0x84
    06 01b6fcf4 77e37538 ntdll!LdrpWorkCallback+0x59
    07 01b6fde4 77e363b6 ntdll!TppWorkpExecuteCallback+0x1e8
    08 01b6ff80 75ca62c4 ntdll!TppWorkerThread+0x396
    09 01b6ff94 77e60609 KERNEL32!BaseThreadInitThunk+0x24
    0a 01b6ffdc 77e605d4 ntdll!__RtlUserThreadStart+0x2f
    0b 01b6ffec 00000000 ntdll!_RtlUserThreadStart+0x1b
    
        ldrDataTableEntry.DependentLoadFlags = loadConfig.Reserved1;
    
    // LdrpMapDllSearchPath looking at the ldrDataTableEntry.DependentLoadFlags
    0:003> k
     # ChildEBP RetAddr  
    00 01b6fc94 77e31ebf ntdll!LdrpMapDllSearchPath+0x259
    01 01b6fce4 77e34d09 ntdll!LdrpProcessWork+0x84
    02 01b6fcf4 77e37538 ntdll!LdrpWorkCallback+0x59
    03 01b6fde4 77e363b6 ntdll!TppWorkpExecuteCallback+0x1e8
    04 01b6ff80 75ca62c4 ntdll!TppWorkerThread+0x396
    05 01b6ff94 77e60609 KERNEL32!BaseThreadInitThunk+0x24
    06 01b6ffdc 77e605d4 ntdll!__RtlUserThreadStart+0x2f
    07 01b6ffec 00000000 ntdll!_RtlUserThreadStart+0x1b
    
    // Annotated x86 disassembly of ntdll!LdrpMapDllSearchPath (the build whose addresses appear in the stacks above).
    // Reviewer notes:
    //  - [ecx+0A0h] is _LDR_DATA_TABLE_ENTRY.DependentLoadFlags (+0x0a0 in the dt dump above), which the
    //    LdrpCfgProcessLoadConfig step copied from IMAGE_LOAD_CONFIG_DIRECTORY32.Reserved1.
    //  - Both branches meet at L1 with ecx = the search path handed to LdrpSearchPath. Only the nonzero-flags
    //    branch builds that path from the module's own full name plus the flags, so a nonzero Reserved1 replaces
    //    the default search order for this module's static imports (a DLL-search-order hardening for system DLLs).
    //    The 0x800 seen above equals the public LOAD_LIBRARY_SEARCH_SYSTEM32 value, and newer SDK headers name
    //    this field DependentLoadFlags - confirm against your winnt.h.
    //  - Register roles (ecx = ldrDataTableEntry on entry; ebx = a caller-supplied context whose +8 and +0Ch
    //    fields are read below) are inferred from the offsets used, not from symbols - verify before relying on them.
    LdrpMapDllSearchPath()
    {
    77e2f28f 8b91a0000000    mov     edx,dword ptr [ecx+0A0h]                           //  edx = ldrDataTableEntry.DependentLoadFlags;   (+0x0a0, filled from loadConfig.Reserved1)
    77e2f295 85d2            test    edx,edx                                            //  if(edx == 0) {
    77e2f297 7520            jne     ntdll!LdrpMapDllSearchPath+0x27d (77e2f2b9)        //      nonzero flags -> "else" branch below
    77e2f299 e90afeffff      jmp     ntdll!LdrpMapDllSearchPath+0x6c (77e2f0a8)         //      zero flags -> default search-path setup
    -----------------------------------------------------------------------------------------------------------------------------------
    77e2f0a8 6a50            push    50h                                                //      memset(pathConfig, 0, sizeof(pathConfig));  size 0x50; the buffer is the local at esp+148h
    77e2f0aa 52              push    edx                                                //      fill value = edx, which is 0 when arriving via the jmp above
    77e2f0ab 8d842450010000  lea     eax,[esp+150h]                                     //      &pathConfig (esp+150h here == esp+148h before the two pushes)
    77e2f0b2 50              push    eax
    77e2f0b3 e8d84e0400      call    ntdll!memset (77e73f90)
    77e2f0b8 83a4246001000000 and     dword ptr [esp+160h],0                            //      clears a dword inside the just-zeroed local (compiler output; appears redundant)
    77e2f0c0 83c40c          add     esp,0Ch                                            //      pop the three memset args (cdecl)
    77e2f0c3 83a4245801000000 and     dword ptr [esp+158h],0                            //      same: another dword inside pathConfig
    77e2f0cb 8b4b08          mov     ecx,dword ptr [ebx+8]                              //      ecx = context->+8: presumably the default (process-wide) DLL search path - verify
                                                                                        //  L1:  both branches arrive here with ecx = search path to use
    77e2f0ce 894c2424        mov     dword ptr [esp+24h],ecx                            //      spill the path pointer into a local
    77e2f0d2 0fb6430c        movzx   eax,byte ptr [ebx+0Ch]                             //      eax = byte at context+0Ch ...
    77e2f0d6 8d54241c        lea     edx,[esp+1Ch]                                      //      six pointers to stack locals follow - out-parameters of LdrpSearchPath
    77e2f0da 52              push    edx
    77e2f0db 8d542413        lea     edx,[esp+13h]                                      //      &statusByte (re-read as [esp+0Fh] after the call)
    77e2f0df c1e803          shr     eax,3                                              //      ... >> 3
    77e2f0e2 52              push    edx
    77e2f0e3 8d542418        lea     edx,[esp+18h]
    77e2f0e7 83e001          and     eax,1                                              //      ... & 1  -> a single flag bit (bit 3 of context+0Ch)
    77e2f0ea 52              push    edx
    77e2f0eb 8d542434        lea     edx,[esp+34h]
    77e2f0ef 52              push    edx
    77e2f0f0 8d542450        lea     edx,[esp+50h]
    77e2f0f4 52              push    edx
    77e2f0f5 8d54244c        lea     edx,[esp+4Ch]
    77e2f0f9 52              push    edx
    77e2f0fa 8bd1            mov     edx,ecx                                            //      edx = search path
    77e2f0fc 8bcb            mov     ecx,ebx                                            //      ecx = context  (looks like __fastcall: ecx, edx, then stack args)
    77e2f0fe 50              push    eax                                                //      flag bit pushed last = first stack argument
    77e2f0ff e818100000      call    ntdll!LdrpSearchPath (77e3011c)                    //      LdrpSearchPath(context, path, flagBit, &out1..&out6);
    77e2f104 807c240f00      cmp     byte ptr [esp+0Fh],0                               //      byte out-parameter written by LdrpSearchPath (the [esp+13h] slot above, callee cleaned the stack)
    77e2f109 8bf8            mov     edi,eax                                            //      edi = returned status
    77e2f10b 0f85b9ae0500    jne     ntdll!LdrpMapDllSearchPath+0x5af8e (77e89fca)      //      out byte set -> out-of-line path (not shown)
                                                                                        //      ...
    
                                                                                        //  }
    -----------------------------------------------------------------------------------------------------------------------------------
                                                                                        //  else {   (DependentLoadFlags != 0)
    77e2f2b9 8b4928          mov     ecx,dword ptr [ecx+28h]                            //      ecx = ldrDataTableEntry.FullDllName.Buffer  (+0x24 UNICODE_STRING, Buffer at +4)
    77e2f2bc 8d842448010000  lea     eax,[esp+148h]                                     //      &pathConfig - the same local the other branch memset()s
    77e2f2c3 50              push    eax
    77e2f2c4 83ca01          or      edx,1                                              //      dependentLoadFlags |= 1;   (meaning of bit 0 not visible here)
    77e2f2c7 e895090100      call    ntdll!LdrpInitializeDllPath (77e3fc61)             //      LdrpInitializeDllPath(FullDllName.Buffer, dependentLoadFlags | 1, &pathConfig);
    77e2f2cc 8d8c2448010000  lea     ecx,[esp+148h]                                     //      ecx = &pathConfig: the flag-derived path replaces the default one at L1
    77e2f2d3 e9f6fdffff      jmp     ntdll!LdrpMapDllSearchPath+0x92 (77e2f0ce)         //      goto L1;
                                                                                        //  }
    ------------------------------------------------------------------------------------------------------------------------------------
    }
    

    【讨论】:
