The image loader or also known internally as Ldr, is responsible for most of the initialization work of a user-mode process and resides in the user-mode system DLL (Ntdll.dll) and not in the kernel library.

References:

• https://en.wikipedia.org/wiki/Loader_(computing)#:~:text=In%20computer%20systems%20a%20loader,and%20prepares%20them%20for%20execution.

• https://learn.microsoft.com/en-us/sysinternals/resources/windows-internals

Image loader

Note: This is the first piece of code that runs in user mode as part of a new process.

Main task

• Initializing the user-mode state for the application.

• Parsing the import table (IAT) of the application to find all the DLL files that the program requires.

• Loading and unloading DLLs at runtime/memory.

• Handling manifest files, needed for SxS support.

• Enabling support for API Sets and API redirection