Reputation: 2447
Is 0x0000ffff the default load count of a dll in windows?
Using windbg, got the list of dlls with load count by !dlls command. Observed that the load count is 0x0000ffff for many loaded dlls.
Is that a default value ?
Is that mean anything else ?
0x00262fa8: C:\WINDOWS\system32\ole32.dll
Base 0x774e0000 EntryPoint 0x774fd0b9 Size 0x0013d000
Flags 0x80084006` LoadCount 0x0000ffff TlsIndex 0x00000000
LDRP_STATIC_LINK
LDRP_IMAGE_DLL
LDR**strong text**P_ENTRY_PROCESSED
LDRP_PROCESS_ATTACH_CALLED
Upvotes: 3
Views: 1010
Answers (2)
Reputation: 1
Additional information to the selected answer:
If the DLL is not linked statically (no LDRP_STATIC_LINK flag present), it also can mean that the DLL may be loaded with the GET_MODULE_HANDLE_EX_FLAG_PIN flag using GetModuleHandleExA causing the reference count to be 0xffff. This prevents unloading the DLL no matter how many times FreeLibrary is called.
Upvotes: 0
Reputation: 340218
From The Covert Way to find the Reference Count of DLL:
The load count for a DLL is a 16-bit value. If that value, treated as a signed short, is -1 (0xfffff) it indicates the DLL is statically linked, otherwise it's dynamically loaded.
Upvotes: 4
Related Questions
- what does '0n0' mean?
- What is the default value of the Zero Flag in x86 assembly MASM?
- When loading a DLL File, is the entry point of the DLL File also called?
- DLL LoadCount on Windows 8
- Meaning of windbg !dlls output
- Why do assembly call address have 0xFBFFFFFF added to them?
- DLL load in Windows
- Is a DLL loaded entirely or only some functions?
- What is Unloaded Type in Windbg?
- DLL Number and Load Performance