Can someone explain why the following code returns a pointer into ntdll.dll?
GetProcAddress(LoadLibraryA("kernel32.dll"), "EncodePointer");
GetProcAddress(LoadLibraryA("kernel32.dll"), "DecodePointer");
PS: if you call the function pointed to by kernel32's export table, a breakpoint is thrown.
Answer 0 (score: 7)
This is a simple case of export forwarding, as described in Matt Pietrek's excellent MSDN Magazine article An In-Depth Look into the Win32 Portable Executable File Format, Part 2.
You can verify this yourself with tools such as Dependency Walker or dumpbin.
dumpbin /exports kernel32.dll | grep codePointer
205 CC DecodePointer (forwarded to NTDLL.RtlDecodePointer)
240 EF EncodePointer (forwarded to NTDLL.RtlEncodePointer)
Answer 1 (score: 5)
It is called DLL forwarding/redirection, or function aliasing. The definition of an export entry is:
entryname[=internalname] [@ordinal [NONAME]] [PRIVATE] [DATA]
So entryname can be defined as
EncodePointer=ntdll.RtlEncodePointer
Check:
C:\>findaddress ntdll.dll RtlEncodePointer
ntdll.dll : 7C900000
RtlEncodePointer@ntdll.dll: 7C9132D9
C:\>findaddress kernel32.dll EncodePointer
kernel32.dll : 7C800000
EncodePointer@kernel32.dll: 7C9132D9
(findaddress is my personal tool that does this quickly)
You can read more here: http://msdn.microsoft.com/en-us/library/hyx1zcd3(v=vs.80).aspx
PS: I think this is a good question. If you want to write small programs (or even malware) for research purposes, there is nothing wrong with that!
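The rule both answers rely on, as an added Python example that is not part of either answer: a toy parser of the PE export directory (the structure Pietrek's article covers) applying the loader's forwarder test, where an export whose address RVA falls inside the export directory's own range is not code but a "DLL.Function" string, which is why GetProcAddress on kernel32's EncodePointer ends up in ntdll. The export table is constructed inline; the forwarder names come from the dumpbin output above, the local RVA and the name SomeLocalExport are made up.

```python
import struct

# Constructed sample data, not taken from the page: a minimal export section laid out
# at RVA 0x1000 holding an IMAGE_EXPORT_DIRECTORY (40 bytes) followed by its tables.
EXPORT_RVA = 0x1000
# IMAGE_EXPORT_DIRECTORY fields; the last three are AddressOfFunctions/Names/NameOrdinals.
HDR_FMT = "<IIHHIIIIIII"

def build_export_section(exports):
    """exports: list of (name, target); target is an int RVA or a 'DLL.Func' forwarder string."""
    n = len(exports)
    eat_off, enpt_off = 40, 40 + 4 * n                    # address table, name pointer table
    eot_off, str_off = enpt_off + 4 * n, enpt_off + 6 * n  # ordinal table, string pool
    strings, name_rvas, func_rvas = bytearray(), [], []
    for name, target in exports:
        name_rvas.append(EXPORT_RVA + str_off + len(strings))
        strings += name.encode() + b"\0"
        if isinstance(target, str):
            # Forwarder: the "function RVA" points at a string inside the export directory.
            func_rvas.append(EXPORT_RVA + str_off + len(strings))
            strings += target.encode() + b"\0"
        else:
            func_rvas.append(target)
    hdr = struct.pack(HDR_FMT, 0, 0, 0, 0, 0, 1, n, n,
                      EXPORT_RVA + eat_off, EXPORT_RVA + enpt_off, EXPORT_RVA + eot_off)
    body = (hdr + struct.pack(f"<{n}I", *func_rvas) + struct.pack(f"<{n}I", *name_rvas)
            + struct.pack(f"<{n}H", *range(n)) + bytes(strings))
    return body, len(body)  # len(body) plays the role of the export data directory Size

def resolve_export(section, dir_size, name):
    """Mimic GetProcAddress: ('rva', rva) for a local export, ('forward', 'DLL.Func') for a
    forwarded one (the loader then resolves Func inside DLL), None if the name is absent."""
    rd = lambda rva, fmt: struct.unpack_from(fmt, section, rva - EXPORT_RVA)[0]
    cstr = lambda rva: section[rva - EXPORT_RVA:section.index(b"\0", rva - EXPORT_RVA)].decode()
    _, _, _, _, _, _, _, nnames, eat, enpt, eot = struct.unpack_from(HDR_FMT, section, 0)
    for i in range(nnames):
        if cstr(rd(enpt + 4 * i, "<I")) != name:
            continue
        ordinal = rd(eot + 2 * i, "<H")
        func_rva = rd(eat + 4 * ordinal, "<I")
        # Forwarder test: the export's RVA lands inside the export directory's own range.
        if EXPORT_RVA <= func_rva < EXPORT_RVA + dir_size:
            return ("forward", cstr(func_rva))
        return ("rva", func_rva)
    return None

# Constructed table modelled on the dumpbin output in the answers; the local RVA is made up.
KERNEL32_EXPORTS = [("DecodePointer", "NTDLL.RtlDecodePointer"),
                    ("EncodePointer", "NTDLL.RtlEncodePointer"), ("SomeLocalExport", 0x2A3F0)]
SECTION, DIR_SIZE = build_export_section(KERNEL32_EXPORTS)
```

A real loader does the same lookup against kernel32's mapped export directory and, on seeing the forwarder string, loads the named DLL and resolves the target there, which is the ntdll address the question observes.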