GetProcAddress(GetModuleHandle("user32.dll"), "DefWindowProcW") returns an address in ntdll.

Time: 2022-02-11 07:29:44

I am using Windows 7 Professional x64.

I need to hook the DefWindowProcW procedure. But when I try to get its address via GetProcAddress(), it returns the address of NtdllDefWindowProcW(), which is located in ntdll.dll. There is a jump to the real user32 function DefWindowProcW() at the beginning of NtdllDefWindowProcW().

Is there a way to get the real procedure address instead of the ntdll procedure?

1 solution

#1


2  

This is what is known as a forwarded export. The function was implemented in user32 in earlier versions of Windows. But at some point, Microsoft decided to move it into ntdll. In order to avoid breaking applications, the user32 export forwards to the function named "NtdllDefWindowProc_W" in ntdll.

The forwarded address in ntdll is where the function is actually implemented. That it might subsequently call into user32 is an implementation detail. So, if you want to hook DefWindowProcW, you can perfectly well hook the address returned by your call to

GetProcAddress(GetModuleHandle("user32.dll"), "DefWindowProcW")
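For readers who want to see the mechanism the answer describes, here is an added example (not from the question, the answer, or Windows itself) of how a forwarded export is encoded in a PE export table and how a hook engine can detect one before deciding what to patch. The loader's rule is simple: an entry in AddressOfFunctions whose RVA falls inside the export data directory is not code but a NUL-terminated forwarder string of the form "MODULE.Function" or "MODULE.#ordinal", and GetProcAddress resolves it by loading that module and looking up that name. The example builds a constructed two-entry export table in memory (it is not a real user32.dll) so it compiles and runs on any platform; the struct mirrors winnt.h's IMAGE_EXPORT_DIRECTORY, and on Windows `base`, `exp_rva` and `exp_size` would come from GetModuleHandle and the optional header's export data directory rather than from `build_sample_module`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirror of winnt.h IMAGE_EXPORT_DIRECTORY so the example builds off-Windows. */
typedef struct {
    uint32_t Characteristics, TimeDateStamp;
    uint16_t MajorVersion, MinorVersion;
    uint32_t Name;                  /* RVA of the DLL name string */
    uint32_t Base;                  /* first ordinal number */
    uint32_t NumberOfFunctions, NumberOfNames;
    uint32_t AddressOfFunctions;    /* RVA of uint32_t[NumberOfFunctions] */
    uint32_t AddressOfNames;        /* RVA of uint32_t[NumberOfNames], sorted */
    uint32_t AddressOfNameOrdinals; /* RVA of uint16_t[NumberOfNames] */
} export_dir_t;

typedef struct {
    const uint8_t *base;  /* image base, i.e. RVA 0 */
    uint32_t exp_rva;     /* DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress */
    uint32_t exp_size;    /* DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size */
} module_t;

typedef struct {
    int found, forwarded;
    uint32_t rva;          /* RVA of code when not forwarded */
    char forwarder[128];   /* "MODULE.Function" or "MODULE.#n" when forwarded */
} export_info_t;

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }

/* Resolve an export by name the way GetProcAddress does, but stop at the
   forwarder instead of following it, so the caller can see where it points. */
export_info_t lookup_export(const module_t *m, const char *name)
{
    export_info_t r; memset(&r, 0, sizeof r);
    export_dir_t ed; memcpy(&ed, m->base + m->exp_rva, sizeof ed);
    for (uint32_t i = 0; i < ed.NumberOfNames; i++) {
        const char *n = (const char *)(m->base + rd32(m->base + ed.AddressOfNames + 4 * i));
        if (strcmp(n, name) != 0) continue;
        uint16_t idx = rd16(m->base + ed.AddressOfNameOrdinals + 2 * i); /* unbiased ordinal */
        if (idx >= ed.NumberOfFunctions) break;
        uint32_t rva = rd32(m->base + ed.AddressOfFunctions + 4 * idx);
        r.found = 1;
        /* Loader rule: an RVA inside the export directory is a forwarder string, not code. */
        if (rva >= m->exp_rva && rva < m->exp_rva + m->exp_size) {
            r.forwarded = 1;
            snprintf(r.forwarder, sizeof r.forwarder, "%s", (const char *)(m->base + rva));
        } else {
            r.rva = rva;
        }
        break;
    }
    return r;
}

/* Split "NTDLL.NtdllDefWindowProc_W" or "NTDLL.#42".
   Returns 0 if malformed, 1 if forwarded by name, 2 if forwarded by ordinal. */
int split_forwarder(const char *fwd, char *mod, size_t msz, char *func, size_t fsz)
{
    const char *dot = strchr(fwd, '.');
    if (!dot || dot == fwd || dot[1] == '\0') return 0;
    size_t mlen = (size_t)(dot - fwd);
    if (mlen + 1 > msz) return 0;
    memcpy(mod, fwd, mlen); mod[mlen] = '\0';
    const char *f = dot + 1;
    int by_ord = (f[0] == '#');
    if (by_ord) f++;
    if (*f == '\0' || strlen(f) + 1 > fsz) return 0;
    strcpy(func, f);
    return by_ord ? 2 : 1;
}

#define EXP_RVA 0x1000u
static uint8_t g_image[0x2000];

static uint32_t put_str(uint32_t *cur, const char *s)
{
    uint32_t rva = *cur; size_t n = strlen(s) + 1;
    memcpy(g_image + rva, s, n); *cur += (uint32_t)n; return rva;
}

/* Constructed sample, not a real user32.dll: DefWindowProcW forwards to
   NTDLL.NtdllDefWindowProc_W, MessageBoxW is an ordinary code export at RVA 0x4000. */
module_t build_sample_module(void)
{
    memset(g_image, 0, sizeof g_image);
    uint32_t cur = EXP_RVA + (uint32_t)sizeof(export_dir_t);
    uint32_t funcs_rva = cur; cur += 2 * 4;
    uint32_t names_rva = cur; cur += 2 * 4;
    uint32_t ords_rva  = cur; cur += 2 * 2;
    uint32_t dll_name = put_str(&cur, "USER32.dll");
    uint32_t fwd_str  = put_str(&cur, "NTDLL.NtdllDefWindowProc_W");
    uint32_t name0    = put_str(&cur, "DefWindowProcW");
    uint32_t name1    = put_str(&cur, "MessageBoxW");

    export_dir_t ed; memset(&ed, 0, sizeof ed);
    ed.Name = dll_name; ed.Base = 1; ed.NumberOfFunctions = 2; ed.NumberOfNames = 2;
    ed.AddressOfFunctions = funcs_rva; ed.AddressOfNames = names_rva; ed.AddressOfNameOrdinals = ords_rva;
    memcpy(g_image + EXP_RVA, &ed, sizeof ed);

    uint32_t funcs[2] = { fwd_str, 0x4000u };  /* ordinal 1: forwarder string; ordinal 2: code */
    uint32_t names[2] = { name0, name1 };
    uint16_t ords[2]  = { 0, 1 };
    memcpy(g_image + funcs_rva, funcs, sizeof funcs);
    memcpy(g_image + names_rva, names, sizeof names);
    memcpy(g_image + ords_rva,  ords,  sizeof ords);

    module_t m = { g_image, EXP_RVA, cur - EXP_RVA };  /* Size spans tables and strings */
    return m;
}

int main(void)
{
    module_t m = build_sample_module();
    export_info_t e = lookup_export(&m, "DefWindowProcW");
    char mod[64], fn[64];
    if (e.found && e.forwarded && split_forwarder(e.forwarder, mod, sizeof mod, fn, sizeof fn))
        printf("DefWindowProcW -> forwarded to %s!%s\n", mod, fn);
    return 0;
}
```

The practical consequence for hooking is the one the answer gives: because the user32 entry is only a string, there is no DefWindowProcW code in user32 at all, and both GetProcAddress and the loader's import resolution end up at the ntdll export. Hooking that address therefore catches every caller, whether it resolved the name at run time or through its import table. If a hook engine wants to know ahead of time which module it will actually be patching (for example, to pick a correct trampoline or to log it), the check above is the one to run.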
