
I'm trying to do a little IAT hooking in explorer.exe. Specs: Windows 7 x64, Visual C++. I've made it to a point where I am capable of reading thunk data from any executable of my choosing except for C:\Windows\Explorer.exe. When I run my program against that, I receive an access violation in reading memory from that executable. However, when I run this against C:\Windows\system32\Explorer.exe and C:\Windows\sysWOW64\Explorer.exe I don't have any problems. Why is this? Is C:\Windows\Explorer.exe some sort of symbolic link to one of the other explorer.exe files? What could be keeping me from reading this file?

user850275

1 Answer

On my Windows 7 x64 system C:\windows\explorer.exe is a 64-bit binary, PE32+ format, whereas c:\windows\syswow64\explorer.exe is a 32-bit binary, PE32 format. Is your application designed to read both PE32 and PE32+ formats?

And when opening C:\Windows\System32\Explorer.exe from a 32-bit process, that is a redirect to the c:\windows\syswow64\explorer.exe copy. From a 64-bit process, c:\windows\system32\explorer.exe doesn't exist.

jcopenha
  • Firstly, awesome info. My process does not take into account PE32+ formatting. At a quick glance, it appears to be easy enough to change all of the IMAGE_HEADER structs to the 64-bit format. Are you implying that I need to compile my program for x64 in order to read C:\windows\explorer.exe, or just make changes to support the PE32+ formatting? – user850275 Jul 29 '12 at 20:08
  • It depends on what your program is doing. If you just want to parse the PE32+ format, a 32-bit binary will be fine. However, you say IAT hooking, which implies injecting your own code into a process, in which case the architecture of the code you inject needs to match the architecture of the process that is running. So 32-bit code for a 32-bit process and 64-bit code for a 64-bit process. – jcopenha Jul 29 '12 at 20:23
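The PE32 versus PE32+ distinction the answer raises, as an added C example (not code from the question or the answer): the optional-header magic decides where the data directories and the import table start, and how wide each IMAGE_THUNK_DATA entry is, which is exactly what a PE32-only parser gets wrong on the 64-bit C:\Windows\explorer.exe. The offsets are the documented PE header layout; `build_stub` and `demo_thunk_size` are hypothetical helpers, and the image bytes are a constructed header-only stub, not a real explorer.exe.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef struct { int is_pe32plus; uint32_t import_rva, import_size, thunk_size; } pe_imports_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Locate the import data directory of a PE image held in memory as it is laid out on disk.
   Returns 0 on success, -1 for a truncated or malformed image; every offset is bounds-checked
   because an untrusted file can point e_lfanew or the directory count anywhere. */
int pe_locate_import_dir(const uint8_t *img, size_t len, pe_imports_t *out) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = rd32(img + 0x3c);                      /* IMAGE_DOS_HEADER.e_lfanew */
    if (pe > len - 24 || memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    const uint8_t *opt = img + pe + 24;                  /* optional header follows the 20-byte file header */
    size_t opt_avail = len - (pe + 24), dd_off, ndirs_off;
    if (opt_avail < 2) return -1;
    uint16_t magic = rd16(opt);                          /* 0x10b = PE32, 0x20b = PE32+ */
    if (magic == 0x10b)      { out->is_pe32plus = 0; ndirs_off = 92;  dd_off = 96;  out->thunk_size = 4; }
    else if (magic == 0x20b) { out->is_pe32plus = 1; ndirs_off = 108; dd_off = 112; out->thunk_size = 8; }
    else return -1;
    if (opt_avail < dd_off + 16 || rd32(opt + ndirs_off) < 2) return -1; /* need directory index 1 */
    out->import_rva  = rd32(opt + dd_off + 8);           /* IMAGE_DIRECTORY_ENTRY_IMPORT: VirtualAddress */
    out->import_size = rd32(opt + dd_off + 12);          /* and Size */
    return 0;
}

/* Constructed header-only stub (no sections, not a real explorer.exe); returns its length. */
size_t build_stub(uint8_t *buf, int pe32plus) {
    size_t nd = pe32plus ? 108 : 92, dd = pe32plus ? 112 : 96;
    uint8_t *opt = buf + 0x40 + 24;
    memset(buf, 0, 0x100);
    buf[0] = 'M'; buf[1] = 'Z'; buf[0x3c] = 0x40;        /* e_lfanew = 0x40 */
    memcpy(buf + 0x40, "PE\0\0", 4);
    opt[0] = 0x0b; opt[1] = pe32plus ? 0x02 : 0x01;      /* magic 0x20b or 0x10b */
    opt[nd] = 16;                                        /* NumberOfRvaAndSizes */
    opt[dd + 9] = 0x20; opt[dd + 12] = 0x28;             /* import dir RVA 0x2000, size 0x28 */
    return 0x100;
}

/* Parse the first len bytes of a stub of either flavour; returns the thunk width, or -1 on failure. */
int demo_thunk_size(int pe32plus, size_t len) {
    uint8_t buf[0x100]; pe_imports_t r;
    size_t n = build_stub(buf, pe32plus);
    if (len > n) len = n;                                /* never read past the stub */
    return pe_locate_import_dir(buf, len, &r) == 0 ? (int)r.thunk_size : -1;
}
```

Handing a PE32+ image to code that assumes the PE32 directory offset reads the wrong RVA, which is one way an import-table walk ends in an access violation.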