Geoff Chappell, Software Analyst
API-MS-Win-Core-RtlSupport-L1-1-0
All functions in the API-MS-Win-Core-RtlSupport-L1-1-0 set are exports from both
KERNEL32 and NTDLL, mostly from x64 builds only:
- RtlAddFunctionTable (x64 only)
- RtlCaptureContext
- RtlCaptureStackBackTrace
- RtlCompareMemory (x64 only)
- RtlCopyMemory (x64 only)
- RtlDeleteFunctionTable (x64 only)
- RtlFillMemory
- RtlInstallFunctionTableCallback (x64 only)
- RtlLookupFunctionEntry (x64 only)
- RtlPcToFileHeader (x64 only)
- RtlRaiseException (x64 only)
- RtlRestoreContext (x64 only)
- RtlUnwind
- RtlUnwindEx (x64 only)
- RtlVirtualUnwind (x64 only)
For most of these functions, the implementations in KERNEL32 version 6.1 and
higher are just stubs which transfer the handling to wherever the schema redirects
the API Set. The exceptions are:
- RtlCopyMemory and
RtlFillMemory, which are implemented completely
in KERNEL32.
Non-trivial implementations of all functions in this API Set are exported from
NTDLL version 6.1 and higher.
Schema Redirection
The Windows 7 schema redirects this API Set to NTDLL. Thus:
- high-level executables, which do not use the API Set, continue to import these
functions from KERNEL32;
- low-level executables have their imports from the API Set redirected to NTDLL;
- as a particular case of the preceding, the stub implementations in KERNEL32
import from underlying implementations in NTDLL.