TiGa
March 28th, 2008, 03:07
I came across a weird problem caused by Vista SP1 that prevents "unforwarding" some imports by ImpREC or similar programs.
I've seen it happen on user32.dll and did a bit of spelunking:
DefWindowProcA and DefWindowProcW's AddressOfFunctions entries usually lead to a string that forwards them to NTDLL.NtdllDefWindowProc_A and NTDLL.NtdllDefWindowProc_W on pretty much all versions of Windows.
After installing Vista SP1, the physical file doesn't seem to have changed.
The "paper trail" to the forwarding string can still be followed as usual.
During run-time, the AddressOfFunctions entries are not the same, they lead outside of the dll's ImageSize and are not constant (0x1793D42 or 0x1B83D42).
ImpREC cannot unforward those 2 APIs successfully so they are still identified as belonging to ntdll.dll, which is not a good thing, I presume.
If the loader can forward the API to ntdll, it must be able to find the forwarding string somehow.
Uninstalling the Service Pack has fixed the problem but I'm still looking for an explanation.
Why such a weird-ass hook?
Why such a weird-ass hook on only those 2 APIs?
How such a weird-ass hook is achieved?
I could be mistaken about this next part but the modified entries seem to lead to code (I need to reinstall the SP to verify this again).
If they effectively lead to code and not the forwarding string, how can the loader know to forward them to ntdll.dll anyway?
TiGa
I've seen it happen on user32.dll and did a bit of spelunking:
DefWindowProcA and DefWindowProcW's AddressOfFunctions entries usually lead to a string that forwards them to NTDLL.NtdllDefWindowProc_A and NTDLL.NtdllDefWindowProc_W on pretty much all versions of Windows.
After installing Vista SP1, the physical file doesn't seem to have changed.
The "paper trail" to the forwarding string can still be followed as usual.
During run-time, the AddressOfFunctions entries are not the same, they lead outside of the dll's ImageSize and are not constant (0x1793D42 or 0x1B83D42).
ImpREC cannot unforward those 2 APIs successfully so they are still identified as belonging to ntdll.dll, which is not a good thing, I presume.
If the loader can forward the API to ntdll, it must be able to find the forwarding string somehow.
Uninstalling the Service Pack has fixed the problem but I'm still looking for an explanation.
Why such a weird-ass hook?
Why such a weird-ass hook on only those 2 APIs?
How such a weird-ass hook is achieved?
I could be mistaken about this next part but the modified entries seem to lead to code (I need to reinstall the SP to verify this again).
If they effectively lead to code and not the forwarding string, how can the loader know to forward them to ntdll.dll anyway?
TiGa