{"id":43433,"date":"2014-12-10T07:00:00","date_gmt":"2014-12-10T07:00:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/2014\/12\/10\/if-you-get-a-procedure-address-by-ordinal-you-had-better-be-absolutely-sure-its-there-because-the-failure-mode-is-usually-indistinguishable-from-success\/"},"modified":"2014-12-10T07:00:00","modified_gmt":"2014-12-10T07:00:00","slug":"if-you-get-a-procedure-address-by-ordinal-you-had-better-be-absolutely-sure-its-there-because-the-failure-mode-is-usually-indistinguishable-from-success","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20141210-00\/?p=43433","title":{"rendered":"If you get a procedure address by ordinal, you had better be absolutely sure it's there, because the failure mode is usually indistinguishable from success"},"content":{"rendered":"

\nA customer reported that the Get­Proc­Address<\/code>\nfunction was behaving strangely.\n<\/p>\n

\n

\nWe have this code in one of our tests:\n<\/p>\n

\ntypedef int (CALLBACK *T_FOO)(int);\nvoid TestFunctionFoo(HINSTANCE hDLL)\n{\n  \/\/ Function Foo is ordinal 1 in our DLL\n  T_FOO pfnFoo = (T_FOO)GetProcAddress(hDLL, (PCSTR)1);\n  if (pfnFoo) {\n    ... run tests on pfnFoo ...\n  }\n}\n<\/pre>\n
\nRecently, this test started failing in bizarre ways.\nWhen we stepped through the code, we discovered that\npfnFoo<\/code> ends up calling\nBar<\/code> instead of Foo<\/code>.\nThe first time we try to test pfnFoo<\/code>,\nwe get stack corruption because\nBar<\/code> has a different function prototype\nfrom\nFoo<\/code>,\nand of course on top of that the test fails horribly because\nit’s calling the wrong function!\n<\/p>\n
\nWhen trying to narrow the problem, we found that the issue\nbegan when the test was run against a version of the DLL\nthat was missing the Foo<\/code> function entirely.\nThe line\n<\/p>\n
\n    Foo @1\n<\/pre>\n
\nwas removed from the DEF file.\nWhy did the call to\nGet­Proc­Address<\/code> succeed and return the wrong\nfunction?\nWe expected it to fail.\n<\/p>\n<\/blockquote>\n
\nLet’s first consider the case where a DLL exports no functions\nby ordinal.\n<\/p>\n
\nEXPORTS\n    Foo\n    Bar\n    Plugh<\/a>\n<\/pre>\n
\nThe linker builds a list of\nall the exported functions (in an unspecified order)\nand fills in two arrays based on that list.\nIf you look in the DLL image, you’ll see something like this:\n<\/p>\n
\nExported Function Table\n00049180 address of Bar\n00049184 address of Foo\n0004918C address of Plugh\nExported Names\n00049190 address of the string \"Bar\"\n00049194 address of the string \"Foo\"\n00049198 address of the string \"Plugh\"\n<\/pre>\n
\nThere are two parallel arrays,\none with function addresses and one with function names.\nThe string \"Bar\"<\/code> is the first entry in the\nexported names table,\nand the function Bar<\/code> is the first entry in the\nexported function table.\nIn general, the string in the\nN<\/var>th entry in the exported names table\ncorresponds to the function in the\nN<\/var>th entry of the exported function table.\n<\/p>\n
\nSince it is only the relative position that matters, let’s replace\nthe addresses with indices.\n<\/p>\n
\nExported Function Table\n[1] address of Bar\n[2] address of Foo\n[3] address of Plugh\nExported Names\n[1] address of the string \"Bar\"\n[2] address of the string \"Foo\"\n[3] address of the string \"Plugh\"\n<\/pre>\n
\nOkay, now let’s introduce functions exported by ordinal.\nWhen you do that, you’re telling the linker,\n“Make sure this function goes into the NN<\/var>th slot in the exported\nfunction table.”\nSuppose your DEF file went like this:\n<\/p>\n
\nEXPORTS\n    Foo @1\n    Bar\n    Plugh\n<\/pre>\n
\nThis says “First thing we do<\/a>\nis put Foo<\/code> in slot 1.\nOnce that’s done, fill in the rest arbitrarily.”\n<\/p>\n
\nThe linker says,\n“Okay, I have a total of three functions, so let me build two tables\nwith three entries each.”\n<\/p>\n
\nExported Function Table\n[1] address of ?\n[2] address of ?\n[3] address of ?\nExported Names\n[1] address of ?\n[2] address of ?\n[3] address of ?\n<\/pre>\n
\n“Now I place Foo<\/code> in slot 1.”\n<\/p>\n
\nExported Function Table\n[1] address of Foo\n[2] address of ?\n[3] address of ?\nExported Names\n[1] address of the string \"Foo\"\n[2] address of ?\n[3] address of ?\n<\/pre>\n
\n“Now I fill in the rest arbitrarily.”\n<\/p>\n
\nExported Function Table\n[1] address of Foo\n[2] address of Bar\n[3] address of Plugh\nExported Names\n[1] address of the string \"Foo\"\n[2] address of the string \"Bar\"\n[3] address of the string \"Plugh\"\n<\/pre>\n
\nSince you explicitly placed Foo<\/code> in slot 1,\nwhen you do a\nGet­Proc­Address(hDLL, 1)<\/code>,\nyou will get\nFoo<\/code>.\nOn the other hand, if you do a\nGet­Proc­Address(hDLL, 2)<\/code>,\nyou will get Bar<\/code>,\nor at least you will with this build.\nWith the next build, you may get something else,\nbecause the linker just fills in the slots arbitrarily,\nand next time, it may choose to fill them arbitrarily\nin some other order.\nFurthermore,\nif you do a\nGet­Proc­Address(hDLL, 6)<\/code>,\nyou will get NULL<\/code> because the table\nhas only three functions in it.\n<\/p>\n
\nI hope you see where this is going.\n<\/p>\n
\nIf you delete Foo<\/code> from the EXPORTS<\/code>\nsection,\nthis stops exporting Foo<\/code> but says nothing about\nwhat goes into slot 1.\nAs a result, the linker is free to put anything it wants into that slot.\n<\/p>\n
\nExported Function Table\n[1] address of Bar\n[2] address of Plugh\nExported Names\n[1] address of the string \"Bar\"\n[2] address of the string \"Plugh\"\n<\/pre>\n
\nNow, when you do a\nGet­Proc­Address(hDLL, 1)<\/code>,\nyou get Bar<\/code>,\nsince that’s the function that happened to fall into slot 1\nthis time.\n<\/p>\n
\nThe moral of the story is that if you try to obtain a function\nby ordinal,\nthen it had better be there,\nbecause there is no reliable way of being sure that the function\nyou got is one that was explicitly placed there,\nas opposed to some other function that happened to be assigned that\nslot arbitrarily.\n<\/p>\n
\nRelated reading<\/b>:\n\nHow are DLL functions exported in 32-bit Windows?<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
A customer reported that the Get­Proc­Address function was behaving strangely. We have this code in one of our tests: typedef int (CALLBACK *T_FOO)(int); void TestFunctionFoo(HINSTANCE hDLL) { \/\/ Function Foo is ordinal 1 in our DLL T_FOO pfnFoo = (T_FOO)GetProcAddress(hDLL, (PCSTR)1); if (pfnFoo) { … run tests on pfnFoo … } } Recently, this test […]<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-43433","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":"
A customer reported that the Get­Proc­Address function was behaving strangely. We have this code in one of our tests: typedef int (CALLBACK *T_FOO)(int); void TestFunctionFoo(HINSTANCE hDLL) { \/\/ Function Foo is ordinal 1 in our DLL T_FOO pfnFoo = (T_FOO)GetProcAddress(hDLL, (PCSTR)1); if (pfnFoo) { … run tests on pfnFoo … } } Recently, this test […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/43433","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=43433"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/43433\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=43433"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=43433"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=43433"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}