Printable View
I am confused as to how a process gets virtual address space and then the OS maps the exe and also maps the references to the DLL used for windows api. When the software interrupt occurs the system goes into kernel mode and I would think that the kernel would then load the DLL into memory...but wait, isn't the user process supposed to load the DLL ? How does the reference of the DLL go from user space to loading the DLL in kernel space?
The best book for this sort of explanation of how the internals of windows work is
Windows Internals by Mark Rossinovich
http://www.amazon.co.uk/Windows-Inte..._bxgy_b_text_y
There are part1 and part2. Part 2 covers memory.
by reading the section on memory management, basically what I got from it is that a user process is able to load a DLL into kernel space and then the processor switches modes to kernel mode in order to call the function from the DLL and execute it. Can someone please confirm that this is how it works? thank you.
You're going to get more responses if you post in the appropriate forum:
C++ and WinAPI
an exe or dll is never "loaded in memory".
the exe/dll image is mapped into the virtual process space, and any pages being accessed are paged in (and later discarded) as per system demand.
On Win32: The upper part of the virtual memory range is reserved for the kernel, when the exe starts, the OS will map the appropriate parts of the kernel there so the various system dll's (mainly ntdll) can call into the kernel.
onWin64: the same is true for WIn64 apps
Win32 on Win64 is a bit different, the OS doesn't need to map any kernel into the 32bit application space since calling into the kernel is done by a switch to 64bit mode (from the system dlls).