Using NuMega SoftICE

Program modules (EXE, DLL) and the SoftICE "QUERY" command.

"QUERY" is one of the most useful SoftICE commands. It shows a map of the modules loaded in a user process's address space.

The following figure shows the output of the "QUERY" command before and after a call to the Win32 API LoadLibrary. As you can see, before Windows loads "MyDll.dll" in response to LoadLibrary, the process contains only the initial set of modules, including several heaps, read-only tables (e.g. Unicode and locale tables) and a minimal set of Windows system DLLs. Of course, the application for which the process was created, "MyTable.exe", is loaded at 0x400000.

When Windows loads "MyDll.dll", SoftICE echoes a "load notification" in the form "NTICE: ...". You see that "MyDll.dll" is loaded at address 0x10000000. Note that along with "MyDll.dll", Windows also loaded the "USER32", "GDI32", "ADVAPI32" and "RPC" system DLLs.

After LoadLibrary, the output of the "QUERY" command shows the newly loaded modules, plus some heaps that were probably set up by one of the newly loaded modules.

Finally, you see "MyDll" unloaded from the process when the Win32 API FreeLibrary is called. If you issue the "QUERY" command again at this moment, you will no longer see "MyDll" in the output, BUT you will still see "USER32", "GDI32" and the other DLLs still loaded! This is probably because Windows uses a "lazy" policy for unloading modules: a module is unloaded only if Windows is explicitly told to do so.

1998-2000 Tsuyoshi Watanabe. All rights reserved.