Kind of a complicated question that I can't properly summarize in the title.

I have a 64-bit process (Foo64) that creates a 32-bit child process (Bar32), then tries to get the full path of Bar32's version of kernel32.dll. Obviously I expect Bar32 to have loaded it from C:\Windows\SysWow64\kernel32.dll

On Windows 7, I call GetModuleFileNameExA() from Foo64, and correctly get "C:\Windows\SysWow64\Kernel32.dll" back.

On Windows Server 2012, the exact same code gives me back "c:\Windows\system32\kernel32.dll", which is the 64-bit DLL location. It's obviously not possible for Bar32 to have loaded a 64-bit DLL.

My hunch is that Server 2012 is telling me the location of where Bar32 tried to load it from, rather than the actual redirected location. How can I get it to tell me the true location?

Is there something fundamental I'm misunderstanding?

I have read all of the relevant MSDN pages, and the first three pages of all relevant Google searches.

Charles
David
  • Can I get this clear. The process that calls `GetModuleFileNameEx` is 64 bit in both cases. The process handle passed is of a 32 bit process in both cases. And the value returned differs between Win7 and Server 2012. Is that correct? – David Heffernan Sep 18 '13 at 18:37
  • That is correct. In both cases a 64-bit process is calling GetModuleFileNameEx, passing a handle to a 32-bit process. The source code is identical and the return values are different. – David Sep 18 '13 at 18:47
  • 2
    Hard to say which one is *right*. As far as the 32 bit process is concerned, it loaded it from system32. – David Heffernan Sep 18 '13 at 18:53
  • How are you obtaining the handle to kernel32.dll that you pass to `GetModuleFileNameEx`? – Carey Gregory Sep 18 '13 at 19:42
  • I get the kernel32.dll handle by calling EnumProcessModulesEx() with my Bar32 handle, and then iterate over the list. I call GetModuleBaseName() on each one and stricmp() it to "kernel32.dll". – David Sep 18 '13 at 19:46
  • I would suggest trying `CreateToolhelp32Snapshot` instead. Might produce the same results or might not, but what you're getting now sure looks like a bug in the function on Server 2012 (assuming your code is correct). – Carey Gregory Sep 18 '13 at 23:49
  • Interesting - so calling CreateToolhelp32Snapshot with the TH32CS_SNAPMODULE flag lists the 64-bit modules in the process, which successfully lists the 64-bit ntdll and SysWOW64 DLLs. However, calling it with TH32CS_SNAPMODULE32 to list the 32-bit modules leaves me with an empty list of modules. Anyway, I solved the problem. I needed to know the location of kernel32.dll so I could load it in and parse the header to find the address of LoadLibraryA() for DLL injection. Instead I found the base address of the DLL in Bar32's address space, and used ReadProcessMemory() to copy it to Foo64's memory. – David Sep 19 '13 at 20:12
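The approach David lands on in his last comment sidesteps the path question entirely: take the 32-bit kernel32 base from the target's module list (EnumProcessModulesEx with LIST_MODULES_32BIT from the 64-bit parent), copy the mapped image out with ReadProcessMemory, and walk its export table for LoadLibraryA. The parser below is an added example, not code from the question or the comments. It works on an in-memory buffer only, so it builds and runs on any platform; the Windows calls that would fill that buffer are noted in comments at the bottom. Because the copy is of the *mapped* image rather than the file on disk, every RVA is simply an offset into the buffer, which is exactly why this route is simpler than locating and parsing the redirected file. The image it is exercised against is a constructed stand-in (a minimal PE32 with three named exports), not a real kernel32; offsets such as 0x1200 are arbitrary. It handles both PE32 and PE32+ headers (the question only needs PE32), bounds-checks every offset because the bytes come from another process, and treats an export whose RVA points back into the export directory as a forwarder rather than code, which real kernel32 images do contain.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Bounds-checked little-endian readers: the buffer was read out of another
 * process, so every offset in it is untrusted. */
static int rd16(const uint8_t *b, size_t n, size_t off, uint16_t *out)
{
    if (off > n || n - off < 2) return 0;
    *out = (uint16_t)(b[off] | (b[off + 1] << 8));
    return 1;
}
static int rd32(const uint8_t *b, size_t n, size_t off, uint32_t *out)
{
    if (off > n || n - off < 4) return 0;
    *out = (uint32_t)b[off] | ((uint32_t)b[off + 1] << 8) |
           ((uint32_t)b[off + 2] << 16) | ((uint32_t)b[off + 3] << 24);
    return 1;
}

/* Resolve a named export in a MAPPED image (RVAs are buffer offsets).
 * Returns the export's RVA, or 0 if missing, malformed, or a forwarder. */
uint32_t find_export_rva(const uint8_t *img, size_t n, const char *name)
{
    uint16_t magic; uint32_t e_lfanew, sig, expva, expsz, nfunc, nnames, afunc, anames, aords;
    if (!rd16(img, n, 0, &magic) || magic != 0x5A4D) return 0;           /* "MZ" */
    if (!rd32(img, n, 0x3C, &e_lfanew)) return 0;
    if (!rd32(img, n, e_lfanew, &sig) || sig != 0x00004550) return 0;     /* "PE\0\0" */
    size_t opt = (size_t)e_lfanew + 4 + 20;                                /* skip FileHeader */
    if (!rd16(img, n, opt, &magic)) return 0;
    size_t dd;                                                             /* DataDirectory[0] = exports */
    if (magic == 0x10B) dd = opt + 96; else if (magic == 0x20B) dd = opt + 112; else return 0;
    if (!rd32(img, n, dd, &expva) || !rd32(img, n, dd + 4, &expsz) || expva == 0) return 0;
    if (!rd32(img, n, expva + 20, &nfunc) || !rd32(img, n, expva + 24, &nnames) ||
        !rd32(img, n, expva + 28, &afunc) || !rd32(img, n, expva + 32, &anames) ||
        !rd32(img, n, expva + 36, &aords)) return 0;
    for (uint32_t i = 0; i < nnames; i++) {
        uint32_t nameva, fva; uint16_t ord;
        if (!rd32(img, n, anames + (size_t)i * 4, &nameva)) return 0;
        if (nameva >= n || memchr(img + nameva, 0, n - nameva) == NULL) return 0; /* unterminated */
        if (strcmp((const char *)img + nameva, name) != 0) continue;
        if (!rd16(img, n, aords + (size_t)i * 2, &ord) || ord >= nfunc) return 0;
        if (!rd32(img, n, afunc + (size_t)ord * 4, &fva)) return 0;
        if (fva >= expva && fva < expva + expsz) return 0;  /* forwarder string, e.g. "NTDLL.Foo", not code */
        return fva;
    }
    return 0;
}

static void put16(uint8_t *b, size_t o, uint16_t v) { b[o] = (uint8_t)v; b[o + 1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *b, size_t o, uint32_t v) { put16(b, o, (uint16_t)v); put16(b, o + 2, (uint16_t)(v >> 16)); }

#define IMG_SIZE 0x300
/* Constructed stand-in for the copied image (not a real kernel32): a minimal
 * PE32 whose export table names LoadLibraryA, GetProcAddress and one forwarder. */
void build_fake_image(uint8_t *b)
{
    memset(b, 0, IMG_SIZE);
    memcpy(b, "MZ", 2);            put32(b, 0x3C, 0x40);          /* e_lfanew */
    memcpy(b + 0x40, "PE\0\0", 4); put16(b, 0x44, 0x014C);        /* IMAGE_FILE_MACHINE_I386 */
    put16(b, 0x58, 0x10B);                                        /* PE32 optional-header magic */
    put32(b, 0x58 + 96, 0x200);    put32(b, 0x58 + 100, 0x100);   /* export dir RVA / size */
    put32(b, 0x200 + 16, 1);       put32(b, 0x200 + 20, 3);       /* Base, NumberOfFunctions */
    put32(b, 0x200 + 24, 3);                                      /* NumberOfNames */
    put32(b, 0x200 + 28, 0x240);   put32(b, 0x200 + 32, 0x250);   /* AddressOfFunctions / Names */
    put32(b, 0x200 + 36, 0x260);                                  /* AddressOfNameOrdinals */
    put32(b, 0x240, 0x1000); put32(b, 0x244, 0x1200); put32(b, 0x248, 0x2B0); /* function RVAs */
    put32(b, 0x250, 0x280);  put32(b, 0x254, 0x290);  put32(b, 0x258, 0x2A0); /* name RVAs */
    put16(b, 0x260, 1);      put16(b, 0x262, 0);      put16(b, 0x264, 2);     /* name -> function index */
    memcpy(b + 0x280, "LoadLibraryA", 13);   memcpy(b + 0x290, "GetProcAddress", 15);
    memcpy(b + 0x2A0, "Forwarded", 10);      memcpy(b + 0x2B0, "NTDLL.RtlForwarded", 19);
}

/* 'visible' emulates a short ReadProcessMemory: only that many bytes are trusted. */
uint32_t demo_lookup(const char *name, size_t visible)
{
    uint8_t img[IMG_SIZE];
    build_fake_image(img);
    return find_export_rva(img, visible < IMG_SIZE ? visible : IMG_SIZE, name);
}

int main(void)
{
    /* On Windows the buffer would come from:
     *   EnumProcessModulesEx(hBar32, mods, sizeof mods, &needed, LIST_MODULES_32BIT);
     *   GetModuleInformation(hBar32, hKernel32, &mi, sizeof mi);   // mi.SizeOfImage
     *   ReadProcessMemory(hBar32, mi.lpBaseOfDll, img, mi.SizeOfImage, &got);
     * and the injectable address is (32-bit base) + find_export_rva(img, got, "LoadLibraryA"). */
    printf("LoadLibraryA RVA 0x%x, forwarder -> 0x%x, truncated read -> 0x%x\n",
           demo_lookup("LoadLibraryA", IMG_SIZE), demo_lookup("Forwarded", IMG_SIZE),
           demo_lookup("LoadLibraryA", 0x250));
    return 0;
}
```

The returned RVA is only meaningful added to the base that the 32-bit module list reported for the WoW64 kernel32; adding it to the 64-bit kernel32's base, which is what the System32 path in the question would lead to, gives an address that means nothing inside Bar32.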