Solved

w2000 HeapAlloc and RtlAllocateHeap

Posted on 2000-05-11
Last Modified: 2013-12-03
I have an NT program that calls HeapAlloc by specifying the import from KERNEL32.DLL.

When I debug the application using MSVC I see that the code that should be calling the HeapAlloc function in KERNEL32.DLL is instead pointing to RtlAllocateHeap in NTDLL.DLL.

Now this would not normally matter but it is important for me because of the following reasons.

I am writing a 'wrapper' which encrypts the original exe file and when I unwrap it I effectively carry out the functions of the Windows loader and automatically point the import to the HeapAlloc in KERNEL32.DLL as specified in the import table.

On running the program however it causes an exception shortly after entering HeapAlloc.

Looking at other 'Heap' routines such as HeapCreate I can see that they are pointing to the ones I expect in KERNEL32.DLL.

Question.
What is causing this effect?
How can I emulate the Windows loader to change this (and perhaps other imports) which are being forced from one DLL to another?
0
Question by:icd
10 Comments
 
LVL 12

Accepted Solution

by:
pjknibbs earned 400 total points
ID: 2801989
Under NT the HeapAlloc() function does not actually exist anywhere on the system--any code which calls it is automatically forwarded to this RtlAllocateHeap() function you've come across. (This is an instance of Win32 function forwarding, which is a feature of Win32 DLLs). It's implemented like this because the heap allocation procedure has to work at a lower level than KERNEL32.DLL allows. If you called GetProcAddress() with the HeapAlloc implementation in KERNEL32 it would silently call itself to find the right entrypoint in NTDLL.DLL, which may or may not help your other situation. To be honest trying to emulate the Windows loader is going to be very difficult under NT, which does a lot of its work at a level you can't access from user-mode code.
0
 
LVL 5

Author Comment

by:icd
ID: 2802096
pjknibbs

Are there any resources you are aware of that explain this action? Do you know if this type of forwarding is used on any other call other than HeapAlloc or can it be done on any call?
0
 
LVL 15

Expert Comment

by:NickRepin
ID: 2802180
HeapReAlloc, HeapSize, xxxCriticalSection
0

 
LVL 15

Expert Comment

by:NickRepin
ID: 2802203
0
 
LVL 12

Expert Comment

by:pjknibbs
ID: 2803247
icd: You can find out which calls in a DLL are forwarded by using DUMPBIN /EXPORTS on it. I tried this with KERNEL32 and it listed four of the HeapXXXX functions, plus critical section functions, as "forwarded to XXX".

You can set your own DLLs up to have forwarded functions, but the documentation on how to do it is woefully skimpy.
0
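The "forwarded to" entries that DUMPBIN /EXPORTS reports come from a rule in the PE format: an export address table entry whose RVA falls inside the export directory is not a code address but a string such as `NTDLL.RtlAllocateHeap`, which a loader must resolve in the named DLL. The check below is an added example, not code from this thread; the names `classify_export`, `forward_t` and `make_sample_image` and the 256-byte image are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint32_t rva, size; } export_dir_t;   /* export data directory */
typedef struct { char module[64], symbol[64]; } forward_t;

/* Returns 1 if func_rva is a forwarder (out filled in), 0 if it is an
 * ordinary code address, -1 if the forwarder string is malformed. */
int classify_export(const uint8_t *image, size_t image_len, export_dir_t dir,
                    uint32_t func_rva, forward_t *out)
{
    /* Forwarder test: the entry's RVA falls inside the export directory. */
    if (func_rva < dir.rva || func_rva - dir.rva >= dir.size)
        return 0;
    if ((uint64_t)dir.rva + dir.size > image_len)
        return -1;                          /* directory runs past the image */
    const char *s = (const char *)image + func_rva;
    size_t max = dir.size - (func_rva - dir.rva);
    const char *end = memchr(s, '\0', max);
    if (!end)
        return -1;                          /* not NUL-terminated in range */
    const char *dot = NULL;                 /* split at the last '.' (this example's choice) */
    for (const char *p = s; p < end; p++)
        if (*p == '.') dot = p;
    if (!dot || dot == s || dot + 1 == end)
        return -1;                          /* missing module or symbol part */
    size_t mlen = (size_t)(dot - s), slen = (size_t)(end - dot - 1);
    if (mlen >= sizeof out->module || slen >= sizeof out->symbol)
        return -1;
    memcpy(out->module, s, mlen);
    out->module[mlen] = '\0';
    memcpy(out->symbol, dot + 1, slen + 1); /* includes the terminating NUL */
    return 1;
}

/* Constructed sample: export directory at RVA 0x40..0x7F with a forwarder
 * string at RVA 0x60. This is not the real KERNEL32 layout. */
static const export_dir_t SAMPLE_DIR = { 0x40, 0x40 };
void make_sample_image(uint8_t img[256])
{
    memset(img, 0, 256);
    memcpy(img + 0x60, "NTDLL.RtlAllocateHeap", 22);
}

int main(void)
{
    uint8_t img[256]; forward_t f;
    make_sample_image(img);
    if (classify_export(img, sizeof img, SAMPLE_DIR, 0x60, &f) == 1)
        printf("forwarded to %s, symbol %s\n", f.module, f.symbol);
    printf("RVA 0x10 forwarded? %d\n", classify_export(img, sizeof img, SAMPLE_DIR, 0x10, &f));
    return 0;
}
```

When the result is 1, a loader emulation resolves `symbol` in `module` and repeats the check on that export before writing the import address.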
 
LVL 5

Author Comment

by:icd
ID: 2804800
pjknibbs
You were the first to explain what was going on.

NickRepin
Your web references were exactly what I needed to change my code (which now works!)

I feel that NickRepin deserves the points since his comment was the most relevant to my solving the problem but I don't want to upset pjknibbs.
0
 
LVL 12

Expert Comment

by:pjknibbs
ID: 2805922
You have two choices:

1) Ignore my contribution, since, as you admit, NickRepin's references solved your problem.

2) Split the points by asking in the Community Support section if they'll split the question.
0
 
LVL 3

Expert Comment

by:darinw
ID: 2808340
Community Support has reduced points from 200 to 100
0
 
LVL 3

Expert Comment

by:darinw
ID: 2808341
Hello everyone,

Reducing points to one half to allow for split.

You can now accept one of the comments in this thread as an answer. To award the other Expert, you can create a new question in this topic area with a title of 'For ExpertName -- 10345456' using that Expert's username.

Remember, the Accept Comment as Answer button is in the header of the comment.

For your convenience, you can use this link to create the new question:
http://www.experts-exchange.com/bin/NewQForm?ta=45

darinw
Customer Service
0
 
LVL 5

Author Comment

by:icd
ID: 2808868
pjknibbs
Thanks for your help, once again E-E comes through!

NickRepin.
I will post another question for you to 'answer'.
0
