Can someone explain why the following code returns a pointer inside ntdll.dll?

GetProcAddress(LoadLibraryA("kernel32.dll"), "EncodePointer");
GetProcAddress(LoadLibraryA("kernel32.dll"), "DecodePointer");

PS: If I call the function pointed to by kernel32's export table, a breakpoint is thrown.

Matt
greenboxal
    Looks like that's where those functions live, on your version of Windows. In the good old days, malware writers had to do it all without Stack Overflow. – David Heffernan Jun 13 '12 at 20:44
  • If you do not have a very good answer for this question, I believe this is not welcome here on SO – Mare Infinitus Jun 13 '12 at 20:50
  • This is not malware, it is an anti-hack solution for games, like nProtect GameGuard, AhnLab HackShield, etc. – greenboxal Jun 13 '12 at 20:50
  • Since when were rootkits not malware? – David Heffernan Jun 13 '12 at 20:54
  • You must not judge it by what it does, but by what it must do. In this case, protect games from cheaters and hack stuff :) – greenboxal Jun 13 '12 at 20:56
  • Since when do 15-year-olds write security software? – Daniel Kamil Kozar Jun 13 '12 at 21:09
  • Since I'm a developer of the Ragnarök Online international server emulator community (rAthena) and administrator of the Brazilian branch. The actual solutions for this are too expensive (corporate software that I described in the thread) or are inefficient. Now I'm creating my own solution to sell to game server owners to protect their servers. – greenboxal Jun 13 '12 at 21:20
  • All this talk about you writing a rootkit is just going to wind people up. You could simply remove all such content from the question and ask about why `GetProcAddress` returns an address in a different module. That's a perfectly good question which is easily answered. If you want to write rootkits, so be it, but it's best to keep quiet about that I feel. – David Heffernan Jun 13 '12 at 21:23
  • Since people have started programming in diapers. – Jim Balter Jun 13 '12 at 21:46

2 Answers

This is a simple case of export forwarding, as described in one of Matt Pietrek's excellent MSDN magazine articles, An In-Depth Look into the Win32 Portable Executable File Format, Part 2.

You can verify this yourself with a tool like Dependency Walker or dumpbin.

dumpbin /exports kernel32.dll | grep codePointer

    205   CC          DecodePointer (forwarded to NTDLL.RtlDecodePointer)
    240   EF          EncodePointer (forwarded to NTDLL.RtlEncodePointer)
David Heffernan
    This article explains how you can detect such a forwarded export: http://en.wikibooks.org/wiki/X86_Disassembly/Windows_Executable_Files#Forwarding – David Heffernan Jun 13 '12 at 21:23
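The check that the wikibooks page linked above describes, as an added example that is not part of either answer: a forwarded export's address-table entry is an RVA that falls inside the export directory itself, and the bytes at that RVA are a "DLL.Function" string rather than code, which is why GetProcAddress hands back an address in ntdll for kernel32!EncodePointer. The export section below is constructed by hand to mimic the kernel32 case in the thread (section RVA 0x3000 and the GetProcAddress RVA are made up; the names and forwarder targets are taken from the dumpbin output above). A parser for a real file would additionally take the export directory's RVA and size from the optional header's data directory and map RVAs to file offsets through the section headers.

```python
"""Detect forwarded exports in a PE export directory (added example)."""
import struct

# IMAGE_EXPORT_DIRECTORY as laid out in winnt.h: nine DWORDs and two WORDs,
# little-endian, 40 bytes in total.
EXPORT_DIR_FMT = "<IIHHIIIIIII"
EXPORT_DIR_SIZE = struct.calcsize(EXPORT_DIR_FMT)


def build_export_section(section_rva, dll_name, exports):
    """Construct a minimal export section starting at `section_rva`.

    `exports` maps an export name to either an int (RVA of real code) or a
    str "DLL.Func" forwarder, which is what a .def line `Name=DLL.Func` yields.
    """
    names = sorted(exports)          # the name pointer table is kept sorted
    n = len(names)
    off_funcs = EXPORT_DIR_SIZE      # AddressOfFunctions table
    off_names = off_funcs + 4 * n    # AddressOfNames table
    off_ords = off_names + 4 * n     # AddressOfNameOrdinals table
    off_strings = off_ords + 2 * n   # string pool: DLL name, names, forwarders
    strings = bytearray()

    def add_string(s):
        rva = section_rva + off_strings + len(strings)
        strings.extend(s.encode("ascii") + b"\0")
        return rva

    dll_name_rva = add_string(dll_name)
    funcs, name_rvas = [], []
    for name in names:
        name_rvas.append(add_string(name))
        target = exports[name]
        # A forwarder's address-table entry points at a string *inside* the
        # export directory; a real export points at code in another section.
        funcs.append(add_string(target) if isinstance(target, str) else target)

    header = struct.pack(EXPORT_DIR_FMT, 0, 0, 0, 0, dll_name_rva, 1, n, n,
                         section_rva + off_funcs, section_rva + off_names,
                         section_rva + off_ords)
    return (header
            + struct.pack(f"<{n}I", *funcs)
            + struct.pack(f"<{n}I", *name_rvas)
            + struct.pack(f"<{n}H", *range(n))   # name i -> address-table slot i
            + bytes(strings))


def parse_exports(section, section_rva, export_dir_size):
    """Return {name: ("forwarder", "DLL.Func") or ("code", rva)}.

    `export_dir_size` is the size the PE data directory reports for the export
    table; an address-table entry inside [rva, rva + size) is a forwarder.
    """
    def rva_to_off(rva):
        off = rva - section_rva
        if not 0 <= off < len(section):
            raise ValueError(f"RVA {rva:#x} lies outside the export section")
        return off

    def read_cstr(rva):
        off = rva_to_off(rva)
        return section[off:section.index(b"\0", off)].decode("ascii")

    fields = struct.unpack_from(EXPORT_DIR_FMT, section, 0)
    n_names, addr_funcs, addr_names, addr_ords = fields[7], fields[8], fields[9], fields[10]
    dir_lo, dir_hi = section_rva, section_rva + export_dir_size
    result = {}
    for i in range(n_names):
        (name_rva,) = struct.unpack_from("<I", section, rva_to_off(addr_names) + 4 * i)
        (ordinal,) = struct.unpack_from("<H", section, rva_to_off(addr_ords) + 2 * i)
        (func_rva,) = struct.unpack_from("<I", section, rva_to_off(addr_funcs) + 4 * ordinal)
        name = read_cstr(name_rva)
        if dir_lo <= func_rva < dir_hi:
            result[name] = ("forwarder", read_cstr(func_rva))
        else:
            result[name] = ("code", func_rva)
    return result


# Constructed sample mimicking kernel32: two forwarders (the thread's case) and
# one ordinary export whose RVA (made up) points into .text.
SECTION_RVA = 0x3000
SAMPLE_EXPORTS = {
    "DecodePointer": "NTDLL.RtlDecodePointer",
    "EncodePointer": "NTDLL.RtlEncodePointer",
    "GetProcAddress": 0x11F0,
}
SAMPLE_SECTION = build_export_section(SECTION_RVA, "KERNEL32.dll", SAMPLE_EXPORTS)


def forwarded_exports(section=SAMPLE_SECTION, section_rva=SECTION_RVA):
    """Names whose export is a forwarder, mapped to the 'DLL.Func' target."""
    parsed = parse_exports(section, section_rva, len(section))
    return {name: target for name, (kind, target) in parsed.items() if kind == "forwarder"}


if __name__ == "__main__":
    for name, (kind, target) in sorted(parse_exports(SAMPLE_SECTION, SECTION_RVA, len(SAMPLE_SECTION)).items()):
        print(f"{name:15} {kind:9} {target if kind == 'forwarder' else hex(target)}")
```

The same range test is what a loader-independent import resolver (or a hook/IAT integrity checker) needs: an address-table entry that lands inside the export directory must be followed as a name, not called as code, which is also why invoking the raw kernel32 entry from the question traps.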
It's called DLL forwarding/redirection or a function alias. The definition of an export entry is:

entryname[=internalname] [@ordinal [NONAME]] [PRIVATE] [DATA]

So, entryname can be defined as:

EncodePointer=ntdll.RtlEncodePointer

To check:

C:\>findaddress ntdll.dll RtlEncodePointer
ntdll.dll : 7C900000
RtlEncodePointer@ntdll.dll: 7C9132D9

C:\>findaddress kernel32.dll EncodePointer
kernel32.dll : 7C800000
EncodePointer@kernel32.dll: 7C9132D9

(findaddress is my personal tool to do this task quickly)

You can see more in here: http://msdn.microsoft.com/en-us/library/hyx1zcd3(v=vs.80).aspx

PS: I think this is a good question. It's not wrong if you want to write a small program (even malware) for research purposes!

oDisPo
  • Is there anything wrong? Maybe you have something wrong, programmer! And I'm sure I can find some security bugs (buffer overflow, integer overflow ...) in your C/C++ code. – oDisPo Jun 13 '12 at 21:24
  • The article you link to has no discussion of forwarded exports, and the output of your private tool is of little use to the rest of us. There are plenty of tools that will list forwarded exports. – David Heffernan Jun 13 '12 at 21:32
  • It does, in the "Community content". But I showed this link just as a reference for how an export entry is defined. The question is about a DLL export function, so it's good to see how an export entry is defined to answer the question. My personal tool is so simple, anyone can write it :) – oDisPo Jun 13 '12 at 21:44