NT_pro
Guest
I am using the following code to locate kernel32.dll in a 32-bit process.
The following code is compiled as x64.
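#include <windows.h>
#include <psapi.h>
#include <cstdio>

int main()
{
    // Open the target 32-bit process by PID (hard-coded here).
    auto process = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, 24108);
    DWORD neededBytes;
    // The first call only reports how many bytes the 32-bit module list needs.
    auto res = EnumProcessModulesEx(process, nullptr, 0, &neededBytes, LIST_MODULES_32BIT);
    auto modules = new HMODULE[neededBytes / sizeof(HMODULE)];
    // The second call fills the array with the module handles.
    res = EnumProcessModulesEx(process, modules, neededBytes, &neededBytes, LIST_MODULES_32BIT);
    WCHAR name[256]{0};
    DWORD i;
    for (i = 0; i < neededBytes / sizeof(HMODULE); ++i)
    {
        // Compare each module's base name against kernel32.dll.
        GetModuleBaseNameW(process, modules[i], name, sizeof name / sizeof(WCHAR));
        if (_wcsicmp(L"kernel32.dll", name) == 0)
        {
            // Print the full path of the matching module.
            GetModuleFileNameExW(process, modules[i], name, sizeof name / sizeof(WCHAR));
            wprintf(L"%s\n\n", name);
            break;
        }
    }
    delete[] modules;
    CloseHandle(process);
}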
The output is
C:\Windows\System32\kernel32.dll
But it is supposed to be
C:\Windows\SysWOW64\kernel32.dll
This code used to work on Windows 7 but is now broken when it is run on Windows 10. How do I get a fix?