Export Forwarding
A particularly slick feature of exports is the ability to "forward" an export to
another DLL. For example, in Windows NT®, Windows® 2000, and Windows
XP, the KERNEL32 HeapAlloc function is forwarded to the RtlAllocHeap function
exported by NTDLL. Forwarding is performed at link time by a special
syntax in the EXPORTS section of the .DEF file. Using HeapAlloc as an example,
KERNEL32's DEF file would contain:
EXPORTS
•••
HeapAlloc = NTDLL.RtlAllocHeap
How can you tell if a function is forwarded rather than exported normally?
It's somewhat tricky. Normally, the EAT contains the RVA of the exported symbol.
However, if the function's RVA is inside the exports section (as given by the
VirtualAddress and Size fields in the DataDirectory), the symbol is forwarded.
When a symbol is forwarded, its RVA obviously can't be a code or data address
in the current module. Instead, the RVA points to an ASCII string of the DLL and
symbol name to which it is forwarded. In the prior example, it would be
NTDLL.RtlAllocHeap.