- At this point control is passed into LdrpRunInitializeRoutines, which is an internal NTDLL.DLL routine responsible for initializing all statically linked DLLs currently loaded into the address space. The initialization process consists of calling each DLL's entry point with the DLL_PROCESS_ATTACH constant.
- Once all DLLs are initialized, LdrpInitialize calls the thread's real initialization routine, which is the BaseProcessStart function from KERNEL32.DLL. This function in turn calls the executable's WinMain entry point, at which point the process has completed its initialization sequence.
Application Programming Interfaces
An application programming interface (API) is a set of functions that the operating system makes available to application programs for communicating with the operating system. If you're going to be reversing under Windows, it is imperative that you develop a solid understanding of the Windows APIs and of the common methods of doing things using these APIs.
The Win32 API
I'm sure you've heard about the Win32 API. The Win32 is a very large set of functions that make up the official low-level programming interface for Windows applications. Initially when Windows was introduced, numerous programs were actually developed using the Win32 API, but as time went by Microsoft introduced simpler, higher-level interfaces that exposed most of the features offered by the Win32 API. The most well known of those interfaces is MFC (Microsoft Foundation Classes), which is a hierarchy of C++ objects that can be used for interacting with Windows. Internally, MFC uses the Win32 API for actually calling into the operating system. These days, Microsoft is promoting the use of the .NET Framework for developing Windows applications. The .NET Framework uses the System class for accessing operating system services, which is again an interface into the Win32 API.
The reason for the existence of all of those artificial upper layers is that the Win32 API is not particularly programmer-friendly. Many operations require calling a sequence of functions, often requiring the initialization of large data structures and flags. Many programmers get frustrated quickly when using the Win32 API. The upper layers are much more convenient to use, but they incur a certain performance penalty, because every call to the operating system has to go through the upper layer. Sometimes the upper layers do very little, and at other times they contain a significant amount of "bridging" code.
88 Chapter 3