On Tue Feb 4 23:14:59 2025 +0000, Jacek Caban wrote:
Unless I'm missing something, this means that we'd increase `LoadCount` for each lookup, meaning that multiple `GetProcAddress` would keep incrementing it. Is that intentional? My guess would be to do that when adding a new dependency.
In patch 4/5[^1], `add_module_dependency` detects an existing reference and decrements[^d] LoadCount back to the previous value. This is true for both static and dynamic dependencies.
In fact, static ref is what prompted the need for the deduplication in the first place. Kernel32/kernelbase together have about a hundred export forwarders to ntdll, and not deduplicating them would result in a nontrivial memory bloat.
So, in a sense, `add_module_dependency` holds the final authority over whether we want to actually increase LoadCount or not. In case it's not called because it forwards to ntdll or kernel32, `wm` is simply released[^p] at the end of the function anyway.
[^1]: "ntdll: Don't re-add a module dependency if it already exists."
[^d]: Indirectly via `LdrUnloadDll`.
[^p]: kernel32 and ntdll are effectively pinned DLLs, so we don't keep their incoming edges. This is consistent with the rest of the loader logic.