The previous article described was a small descritpion of the loading process through the LDR_DATA structure. We got the information that the process tries to load 'ntdll.dll'. Now we have to solve what exact functions will be used in this program.
0x0040105c push dword [eax+0x8] 0x0040105f call 0x401077
- eax contains the LDR_MODULE struct and the addition of 0x8 will get the BaseAddress. After that we call 0x40177 and push 0x00401064 to the stack.