GetProcAddress strange return address

Time: 2012-06-13 20:38:10

Tags: c windows loadlibrary getprocaddress pointer-address

Can someone explain why the following code returns a pointer into ntdll.dll?

GetProcAddress(LoadLibraryA("kernel32.dll"), "EncodePointer");
GetProcAddress(LoadLibraryA("kernel32.dll"), "DecodePointer");

PS: If I call the function that kernel32's export table points to, a breakpoint is thrown.

2 answers:

Answer 0 (score: 7)

This is a simple case of export forwarding, as described in Matt Pietrek's excellent MSDN Magazine article An In-Depth Look into the Win32 Portable Executable File Format, Part 2.

You can verify it yourself with a tool such as Dependency Walker or dumpbin.

dumpbin /exports kernel32.dll | grep codePointer

    205   CC          DecodePointer (forwarded to NTDLL.RtlDecodePointer)
    240   EF          EncodePointer (forwarded to NTDLL.RtlEncodePointer)
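
The dumpbin output above shows the forwarders but not the mechanism behind them. The following is an added example written for this page, not code from the question or either answer: a portable walk of a PE export table that applies the exact test the loader uses. In the export directory's AddressOfFunctions table, an entry whose RVA falls inside the export directory's own data-directory range is not code at all; it is the RVA of an ASCII string such as "NTDLL.RtlEncodePointer", and GetProcAddress continues the lookup in that module (which is also why jumping to that RVA directly runs the bytes of a string rather than a function). To stay self-contained and off-Windows, the code builds a constructed in-memory stand-in for kernel32's table (`build_fake_kernel32`, with RVA equal to buffer offset) and takes the export directory's RVA and size as arguments instead of parsing the PE headers; `resolve_export`, `split_forwarder`, `Image` and `DIR_RVA` are names introduced here, not Windows API names.

```c
/* Added example (not code from the question or the answers): a portable walk of
 * a PE export table that reproduces the forwarder test GetProcAddress applies:
 * an AddressOfFunctions entry whose RVA lands INSIDE the export directory is not
 * code but a "DLL.Function" string, and the lookup continues in that DLL. The
 * image is a constructed flat buffer (RVA == offset, host byte order); no real
 * DLL is read and no Windows headers are needed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIR_RVA  0x100u              /* where the fake export directory starts */
#define IMG_SIZE 0x400u              /* size of the constructed image */

typedef enum { EXP_NOT_FOUND = 0, EXP_CODE = 1, EXP_FORWARDED = 2 } ExportKind;
typedef struct { uint8_t bytes[IMG_SIZE]; uint32_t dir_size; } Image;

static uint32_t rd32(const uint8_t *p, size_t o) { uint32_t v; memcpy(&v, p + o, 4); return v; }
static uint16_t rd16(const uint8_t *p, size_t o) { uint16_t v; memcpy(&v, p + o, 2); return v; }
static void wr32(uint8_t *p, size_t o, uint32_t v) { memcpy(p + o, &v, 4); }
static void wr16(uint8_t *p, size_t o, uint16_t v) { memcpy(p + o, &v, 2); }
static const char *str_at(const uint8_t *img, size_t size, uint32_t rva)   /* NUL-terminated inside image? */
{ return (rva < size && memchr(img + rva, '\0', size - rva)) ? (const char *)img + rva : NULL; }
static uint32_t put_str(uint8_t *img, size_t *cur, const char *s)          /* append string, return its RVA */
{ size_t at = *cur; *cur += strlen(s) + 1; memcpy(img + at, s, *cur - at); return (uint32_t)at; }

/* Resolve 'name' as GetProcAddress does: name table -> ordinal table -> function table,
 * then the forwarder test. dir_rva/dir_size come from IMAGE_DIRECTORY_ENTRY_EXPORT in a real module. */
ExportKind resolve_export(const uint8_t *img, size_t size, uint32_t dir_rva, uint32_t dir_size,
                          const char *name, uint32_t *rva_out, char *fwd_out, size_t fwd_cap)
{
    if ((size_t)dir_rva + 40 > size) return EXP_NOT_FOUND;   /* IMAGE_EXPORT_DIRECTORY is 40 bytes */
    uint32_t nfuncs = rd32(img, dir_rva + 20), nnames = rd32(img, dir_rva + 24);
    uint32_t funcs = rd32(img, dir_rva + 28), names = rd32(img, dir_rva + 32), ords = rd32(img, dir_rva + 36);
    if ((size_t)funcs + (size_t)nfuncs * 4 > size || (size_t)names + (size_t)nnames * 4 > size ||
        (size_t)ords + (size_t)nnames * 2 > size) return EXP_NOT_FOUND;
    for (uint32_t i = 0; i < nnames; i++) {   /* real name tables are sorted and binary-searched */
        const char *s = str_at(img, size, rd32(img, names + 4u * i));
        if (s == NULL || strcmp(s, name) != 0) continue;
        uint16_t ord = rd16(img, ords + 2u * i);         /* unbiased index; Base is NOT added */
        if (ord >= nfuncs) return EXP_NOT_FOUND;
        uint32_t f = rd32(img, funcs + 4u * ord);
        if (f >= dir_rva && f < dir_rva + dir_size) {    /* the forwarder test */
            const char *fwd = str_at(img, size, f); if (fwd == NULL) return EXP_NOT_FOUND;
            snprintf(fwd_out, fwd_cap, "%s", fwd);
            return EXP_FORWARDED;
        }
        *rva_out = f; return EXP_CODE;
    }
    return EXP_NOT_FOUND;
}

/* Split "NTDLL.RtlEncodePointer" into module and symbol for the next lookup. The last '.'
 * separates them (api-ms-win-core-*-l1-1-0 style names contain dots); "#123" means by ordinal. */
int split_forwarder(const char *fwd, char *dll, size_t dll_cap, char *sym, size_t sym_cap, int *by_ordinal)
{
    const char *dot = strrchr(fwd, '.');
    if (dot == NULL || dot == fwd || dot[1] == '\0' || (size_t)(dot - fwd) >= dll_cap) return 0;
    memcpy(dll, fwd, (size_t)(dot - fwd)); dll[dot - fwd] = '\0';
    snprintf(sym, sym_cap, "%s", dot + 1);
    *by_ordinal = (sym[0] == '#');
    return 1;
}

/* Constructed stand-in for kernel32's export table: the two forwarders from the question
 * plus one ordinary export whose RVA (0x2000) lies outside the export directory. */
void build_fake_kernel32(Image *im)
{
    static const char *names[3] = { "DecodePointer", "EncodePointer", "GetTickCount" }; /* sorted */
    uint8_t *img = im->bytes;
    uint32_t funcs = DIR_RVA + 40, nametbl = funcs + 3 * 4, ords = nametbl + 3 * 4;
    size_t cur = ords + 3 * 2;                                        /* strings follow the tables */
    memset(img, 0, IMG_SIZE);
    wr32(img, DIR_RVA + 12, put_str(img, &cur, "KERNEL32.dll"));      /* Name */
    wr32(img, DIR_RVA + 16, 1); wr32(img, DIR_RVA + 20, 3); wr32(img, DIR_RVA + 24, 3); /* Base, counts */
    wr32(img, DIR_RVA + 28, funcs); wr32(img, DIR_RVA + 32, nametbl); wr32(img, DIR_RVA + 36, ords);
    wr32(img, funcs + 0, put_str(img, &cur, "NTDLL.RtlDecodePointer")); /* forwarder strings live */
    wr32(img, funcs + 4, put_str(img, &cur, "NTDLL.RtlEncodePointer")); /* inside the directory */
    wr32(img, funcs + 8, 0x2000);                                        /* real code, outside it */
    for (uint32_t i = 0; i < 3; i++) {
        wr32(img, nametbl + 4 * i, put_str(img, &cur, names[i]));
        wr16(img, ords + 2 * i, (uint16_t)i);
    }
    im->dir_size = (uint32_t)(cur - DIR_RVA);  /* directory spans header, tables and strings */
}

int main(void)
{
    static Image im; build_fake_kernel32(&im);
    const char *q[] = { "EncodePointer", "DecodePointer", "GetTickCount", "NoSuchExport" };
    for (size_t i = 0; i < 4; i++) {
        uint32_t rva = 0; char fwd[64], dll[48], sym[48]; int by_ord = 0;
        ExportKind k = resolve_export(im.bytes, IMG_SIZE, DIR_RVA, im.dir_size, q[i], &rva, fwd, sizeof fwd);
        if (k == EXP_FORWARDED && split_forwarder(fwd, dll, sizeof dll, sym, sizeof sym, &by_ord))
            printf("%-14s forwarded to %s (next: %s in %s%s)\n", q[i], fwd, sym, dll, by_ord ? ", by ordinal" : "");
        else if (k == EXP_CODE) printf("%-14s code at RVA 0x%x in this module\n", q[i], rva);
        else printf("%-14s not exported\n", q[i]);
    }
    return 0;
}
```

Against a real module the same `resolve_export` would be pointed at the mapped image base with the RVA and size taken from the optional header's export data directory; the forwarder check is the only thing that distinguishes the two table entries in the dumpbin listing from an ordinary export, and a custom resolver that skips it (as hand-rolled GetProcAddress replacements in shellcode or loaders sometimes do) will hand back the address of a string and then crash when it is called, which is consistent with the fault the question describes.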

Answer 1 (score: 5)

It's called DLL forwarding/redirection or function aliasing. The definition of an export entry is:

entryname[=internalname] [@ordinal [NONAME]] [PRIVATE] [DATA]

So entryname can be defined as

EncodePointer=ntdll.RtlEncodePointer

Check:

C:\>findaddress ntdll.dll RtlEncodePointer
ntdll.dll : 7C900000
RtlEncodePointer@ntdll.dll: 7C9132D9

C:\>findaddress kernel32.dll EncodePointer
kernel32.dll : 7C800000
EncodePointer@kernel32.dll: 7C9132D9

(findaddress is a personal tool of mine that does this quickly)

You can read more here: http://msdn.microsoft.com/en-us/library/hyx1zcd3(v=vs.80).aspx

PS: I think this is a good question. If you want to write small programs (even malware) for research purposes, there's nothing wrong with that!