icd
asked on
w2000 HeapAlloc and RtlAllocateHeap
I have an NT program that calls HeapAlloc by specifying the import from KERNEL32.DLL
When I debug the application using MSVC I see that the code that should be calling the HeapAlloc function in KERNEL32.DLL is instead pointing to RtlAllocateHeap in NTDLL.DLL
Now this would not normally matter but it is important for me because of the following reasons.
I am writing a 'wrapper' which encrypts the original exe file and when I unwrap it I effectively carry out the functions of the Windows loader and automatically point the import to the HeapAlloc in KERNEL32.DLL as specified in the import table.
On running the program however it causes an exception shortly after entering HeapAlloc.
Looking at other 'Heap' routines such as HeapCreate I can see that they are pointing to the ones I expect in KERNEL32.DLL.
Question.
What is causing this effect?
How can I emulate the windows loader to change this (and perhaps other imports) which are being forced from one dll to another?
When I debug the application using MSVC I see that the code that should be calling the HeapAlloc function in KERNEL32.DLL is instead pointing to RtlAllocateHeap in NTDLL.DLL
Now this would not normally matter but it is important for me because of the following reasons.
I am writing a 'wrapper' which encrypts the original exe file and when I unwrap it I effectively carry out the functions of the Windows loader and automatically point the import to the HeapAlloc in KERNEL32.DLL as specified in the import table.
On running the program however it causes an exception shortly after entering HeapAlloc.
Looking at other 'Heap' routines such as HeapCreate I can see that they are pointing to the ones I expect in KERNEL32.DLL.
Question.
What is causing this effect?
How can I emulate the windows loader to change this (and perhaps other imports) which are being forced from one dll to another?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
HeapReAlloc, HeapSize, xxxCriticalSection
http://msdn.microsoft.com/library/specs/pecoff_section6_3.htm
(see section 6.3.2)
http://msdn.microsoft.com/library/periodic/period96/S202B.htm
These references are all what you need.
(see section 6.3.2)
http://msdn.microsoft.com/library/periodic/period96/S202B.htm
These references are all what you need.
icd: You can find out which calls in a DLL are forwarded by using DUMPBIN /EXPORTS on it. I tried this with KERNEL32 and it listed four of the HeapXXXX functions, plus critical section functions, as "forwarded to XXX".
You can set your own DLLs up to have forwarded functions, but the documentation on how to do it is woefully skimpy.
You can set your own DLLs up to have forwarded functions, but the documentation on how to do it is woefully skimpy.
ASKER
pjknibbs
You were the first to explain what was going on.
NickRepin
Your web references were exactly what I needed to change my code (which now works!)
I feel that NickRepin deserves the points since his comment was the most relevent to my solving the problem but I don't want to upset pjnibbs.
You were the first to explain what was going on.
NickRepin
Your web references were exactly what I needed to change my code (which now works!)
I feel that NickRepin deserves the points since his comment was the most relevent to my solving the problem but I don't want to upset pjnibbs.
You have two choices:
1) Ignore my contribution, since, as you admit, NickRepin's references solved your problem.
2) Split the points by asking in the Community Support section if they'll split the question.
1) Ignore my contribution, since, as you admit, NickRepin's references solved your problem.
2) Split the points by asking in the Community Support section if they'll split the question.
Community Support has reduced points from 200 to 100
Hello everyone,
Reducing points to one half to allow for split.
You can now accept one of the comments in this thread as an answer. To award the other Expert, you can create a new question in this topic area with a title of 'For ExpertName -- 10345456' using that Experts username.
Remember, the Accept Comment as Answer button is in the header of the comment.
For your convenience, you can use this link to create the new question:
https://www.experts-exchange.com/bin/NewQForm?ta=45
darinw
Customer Service
Reducing points to one half to allow for split.
You can now accept one of the comments in this thread as an answer. To award the other Expert, you can create a new question in this topic area with a title of 'For ExpertName -- 10345456' using that Experts username.
Remember, the Accept Comment as Answer button is in the header of the comment.
For your convenience, you can use this link to create the new question:
https://www.experts-exchange.com/bin/NewQForm?ta=45
darinw
Customer Service
ASKER
pjknibbs
Thanks for your help, once again E-E comes through!
NickRepin.
I will post another question for you to 'answer'.
Thanks for your help, once again E-E comes through!
NickRepin.
I will post another question for you to 'answer'.
ASKER
Are there any resources you are aware of that explain this action? Do you know if this type of forwarding is used on any other call other than HeapAlloc or can it be done on any call?