
GetProcAddress weird return address

Can someone explain why the following code returns a pointer inside ntdll.dll?

GetProcAddress(LoadLibraryA("kernel32.dll"), "EncodePointer");
GetProcAddress(LoadLibraryA("kernel32.dll"), "DecodePointer");

PS: If I call the function pointed to by kernel32's export table, a breakpoint is thrown.

This is a simple case of export forwarding, as described in one of Matt Pietrek's excellent MSDN Magazine articles, An In-Depth Look into the Win32 Portable Executable File Format, Part 2.

You can verify this yourself with a tool like Dependency Walker or dumpbin.

dumpbin /exports kernel32.dll | grep codePointer

    205   CC          DecodePointer (forwarded to NTDLL.RtlDecodePointer)
    240   EF          EncodePointer (forwarded to NTDLL.RtlEncodePointer)

It's called DLL forwarding/redirection or function aliasing. The definition of an export entry is:

entryname[=internalname] [@ordinal [NONAME]] [PRIVATE] [DATA]

So, entryname can be defined as:

EncodePointer=ntdll.RtlEncodePointer

To check:

C:\>findaddress ntdll.dll RtlEncodePointer
ntdll.dll : 7C900000
RtlEncodePointer@ntdll.dll: 7C9132D9

C:\>findaddress kernel32.dll EncodePointer
kernel32.dll : 7C800000
EncodePointer@kernel32.dll: 7C9132D9

(findaddress is my personal tool to do this task quickly)

You can see more in here: http://msdn.microsoft.com/en-us/library/hyx1zcd3(v=vs.80).aspx

PS: I think this is a good question. It's not wrong if you want to write a small program (even a malware) for research purposes!
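A stand-alone sketch of the mechanism both answers describe, added here as an example (it is not code from the question or either answer, and the image it inspects is a constructed byte buffer, not a real kernel32.dll): it builds an in-memory export table in which DecodePointer and EncodePointer are forwarders and LocalExport (a made-up name) is an ordinary export, then resolves names the way the loader's name lookup works. The forwarder rule it applies is the documented PE one: an export RVA that falls inside the export data directory's own range is not code but a "DLL.Function" string, which is why GetProcAddress follows it into ntdll, and why the raw export-table address from the question is not callable (the bytes there are ASCII text). The field offsets match IMAGE_EXPORT_DIRECTORY; the RVAs, sizes and names are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte offsets of the IMAGE_EXPORT_DIRECTORY fields (documented PE layout). */
#define ED_NAME            12
#define ED_BASE            16
#define ED_NUM_FUNCTIONS   20
#define ED_NUM_NAMES       24
#define ED_ADDR_FUNCTIONS  28
#define ED_ADDR_NAMES      32
#define ED_ADDR_ORDINALS   36

/* Constructed stand-in for a loaded DLL image (NOT a real kernel32.dll). */
#define IMAGE_SIZE  0x3000
#define EXPORT_RVA  0x2000   /* constructed: RVA of the export data directory */
#define EXPORT_SIZE 0x200    /* constructed: size of the export data directory */
#define CODE_RVA    0x1000   /* constructed: RVA of a genuine code export */

static unsigned char image[IMAGE_SIZE];
static int image_built;

static void put16(uint32_t rva, uint16_t v) { image[rva] = v & 0xff; image[rva + 1] = v >> 8; }
static void put32(uint32_t rva, uint32_t v) { put16(rva, v & 0xffff); put16(rva + 2, v >> 16); }
static uint16_t get16(uint32_t rva) { return (uint16_t)(image[rva] | (image[rva + 1] << 8)); }
static uint32_t get32(uint32_t rva) { return get16(rva) | ((uint32_t)get16(rva + 2) << 16); }

/* Copy a NUL-terminated string into the image and return the RVA just past it. */
static uint32_t put_str(uint32_t rva, const char *s) {
    size_t n = strlen(s) + 1;
    memcpy(&image[rva], s, n);
    return rva + (uint32_t)n;
}

/* Build an export table with two forwarders and one ordinary export. */
static void build_image(void) {
    uint32_t funcs = EXPORT_RVA + 0x40, names = EXPORT_RVA + 0x60, ords = EXPORT_RVA + 0x80;
    uint32_t s = EXPORT_RVA + 0xA0;
    uint32_t mod   = s; s = put_str(s, "KERNEL32.dll");
    uint32_t n_dec = s; s = put_str(s, "DecodePointer");
    uint32_t n_enc = s; s = put_str(s, "EncodePointer");
    uint32_t n_loc = s; s = put_str(s, "LocalExport");            /* constructed name */
    uint32_t f_dec = s; s = put_str(s, "NTDLL.RtlDecodePointer"); /* forwarder string */
    uint32_t f_enc = s;     put_str(s, "NTDLL.RtlEncodePointer"); /* forwarder string */

    put32(EXPORT_RVA + ED_NAME, mod);
    put32(EXPORT_RVA + ED_BASE, 1);
    put32(EXPORT_RVA + ED_NUM_FUNCTIONS, 3);
    put32(EXPORT_RVA + ED_NUM_NAMES, 3);
    put32(EXPORT_RVA + ED_ADDR_FUNCTIONS, funcs);
    put32(EXPORT_RVA + ED_ADDR_NAMES, names);
    put32(EXPORT_RVA + ED_ADDR_ORDINALS, ords);

    /* AddressOfFunctions: a forwarder's "address" is the RVA of a string that
       lives inside the export directory; a real export's RVA points at code. */
    put32(funcs + 0, f_dec);
    put32(funcs + 4, f_enc);
    put32(funcs + 8, CODE_RVA);
    image[CODE_RVA] = 0xC3;   /* x86 'ret', so the real export is at least executable */

    /* AddressOfNames (kept sorted) with the parallel AddressOfNameOrdinals. */
    put32(names + 0, n_dec); put16(ords + 0, 0);
    put32(names + 4, n_enc); put16(ords + 2, 1);
    put32(names + 8, n_loc); put16(ords + 4, 2);
    image_built = 1;
}

/* Resolve an export name to its AddressOfFunctions RVA, or 0 if absent. */
static uint32_t export_rva(const char *name) {
    if (!image_built) build_image();
    uint32_t nfuncs = get32(EXPORT_RVA + ED_NUM_FUNCTIONS);
    uint32_t nnames = get32(EXPORT_RVA + ED_NUM_NAMES);
    uint32_t funcs  = get32(EXPORT_RVA + ED_ADDR_FUNCTIONS);
    uint32_t names  = get32(EXPORT_RVA + ED_ADDR_NAMES);
    uint32_t ords   = get32(EXPORT_RVA + ED_ADDR_ORDINALS);
    for (uint32_t i = 0; i < nnames; i++) {
        if (strcmp((const char *)&image[get32(names + 4 * i)], name) != 0) continue;
        uint16_t ord = get16(ords + 2 * i);
        return ord < nfuncs ? get32(funcs + 4 * ord) : 0;
    }
    return 0;
}

/* The loader's rule: an RVA inside the export data directory is a forwarder. */
static int is_forwarded(uint32_t rva) {
    return rva >= EXPORT_RVA && rva < EXPORT_RVA + EXPORT_SIZE;
}

/* Forwarder target ("DLL.Function"), or NULL when the export is ordinary code. */
static const char *forwarder_target(const char *name) {
    uint32_t rva = export_rva(name);
    return rva && is_forwarded(rva) ? (const char *)&image[rva] : NULL;
}

int main(void) {
    const char *wanted[] = { "EncodePointer", "DecodePointer", "LocalExport" };
    for (int i = 0; i < 3; i++) {
        uint32_t rva = export_rva(wanted[i]);
        if (is_forwarded(rva))
            printf("%-14s RVA %#06x -> forwarded to %s (bytes there are text, not code)\n",
                   wanted[i], (unsigned)rva, forwarder_target(wanted[i]));
        else
            printf("%-14s RVA %#06x -> code (first byte %#04x)\n",
                   wanted[i], (unsigned)rva, image[rva]);
    }
    return 0;
}
```

The range check in is_forwarded is the whole trick: GetProcAddress performs it, notices the "NTDLL.RtlEncodePointer" string, loads ntdll and resolves the named function there, which is the ntdll address the question observed. Code that walks the export table by hand and calls whatever RVA it finds skips that check and ends up treating the string bytes as instructions, which is the failure the question's PS describes.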
