When a process is started on the system, the kernel creates a process object to represent it (see Chapter 5 for more information on processes) and performs various kernel-related initialization tasks. However, these tasks do not result in the execution of the application but merely in the preparation of its context and environment. In fact, unlike drivers, which are kernel-mode code, applications execute in user mode, so most of the actual initialization work is done outside the kernel. This work is performed by the image loader, also internally referred as Ldr.

The image loader lives in the user-mode system DLL Ntdll.dll and not in the kernel library. Therefore, it behaves just like standard code that is part of a DLL, and it is subject ...