GetProcAddress(GetModuleHandle("user32.dll"), "DefWindowProcW") returns address in ntdll


I am using Windows 7 Professional x64.

I need to hook the DefWindowProcW procedure. But when I try to get its address via GetProcAddress(), it returns the address of NtdllDefWindowProcW(), which is located in ntdll.dll. There is a jump to the real user32 function DefWindowProcW() at the beginning of NtdllDefWindowProcW().

Is there a way to get real procedure address instead of ntdll procedure?


There is 1 answer

David Heffernan (BEST ANSWER)

This is what is known as a forwarded export. The function was implemented in user32 in earlier versions of Windows. But at some point, Microsoft decided to move it into ntdll. In order to avoid breaking applications, the user32 export forwards to the function named "NtdllDefWindowProc_W" in ntdll.

The forwarded address in ntdll is where the function is actually implemented. That it might subsequently call into user32 is an implementation detail. So, if you want to hook DefWindowProcW, you can perfectly well hook the address returned by your call to

GetProcAddress(GetModuleHandle("user32.dll"), "DefWindowProcW")
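As an added example that is not part of the question or the answer, the following PowerShell snippet resolves an export with GetProcAddress and reports which loaded module actually owns the returned address, so the forwarding described above can be confirmed in a live process before deciding where to place a hook. It assumes P/Invoke declarations for the real kernel32 exports LoadLibraryW and GetProcAddress; MessageBoxW is used only as a contrasting, non-forwarded export.

```powershell
# Added example, not from the original post: resolve an export with GetProcAddress
# and report which loaded module contains the returned address. For a forwarded
# export such as user32!DefWindowProcW the owner is ntdll.dll, as the answer states.
$sig = @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr LoadLibraryW(string lpFileName);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
'@
$k32 = Add-Type -MemberDefinition $sig -Name 'Kernel32' -Namespace 'Win32' -PassThru

function Resolve-ExportOwner {
    param([Parameter(Mandatory)][string]$Module,
          [Parameter(Mandatory)][string]$Export)

    # LoadLibrary only bumps the reference count if the DLL is already mapped.
    $hMod = $k32::LoadLibraryW($Module)
    if ($hMod -eq [IntPtr]::Zero) {
        throw "Cannot load $Module (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))"
    }

    $addr = $k32::GetProcAddress($hMod, $Export)
    if ($addr -eq [IntPtr]::Zero) { throw "$Module does not export $Export" }
    $target = $addr.ToInt64()

    # Find the mapped image whose [BaseAddress, BaseAddress + size) range contains the address.
    foreach ($m in (Get-Process -Id $PID).Modules) {
        $base = $m.BaseAddress.ToInt64()
        if ($target -ge $base -and $target -lt ($base + $m.ModuleMemorySize)) {
            return [pscustomobject]@{
                Requested = "$Module!$Export"
                Address   = '0x{0:X}' -f $target
                Owner     = $m.ModuleName
                Offset    = '0x{0:X}' -f ($target - $base)
                Forwarded = ($m.ModuleName -ne $Module)   # true when resolved into another DLL
            }
        }
    }
    throw "Address 0x$('{0:X}' -f $target) is not inside any loaded module"
}

# The forwarded case from the question, and an ordinary user32 export for contrast.
Resolve-ExportOwner -Module 'user32.dll' -Export 'DefWindowProcW'
Resolve-ExportOwner -Module 'user32.dll' -Export 'MessageBoxW'
```

Run it from a PowerShell process of the same bitness as the code you intend to hook, since the module list and addresses are those of the current process.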