-1

I have a 32-bit application that is running on 64-bit Windows (WOW64). I need to know the addresses of several WinAPI functions from kernel32.dll.

I can easily get the addresses of functions in the 32-bit kernel32.dll: GetProcAddress works well.

But Windows provides a different kernel32.dll for 32-bit and 64-bit applications (or the libs are mapped to different addresses in the application address space - I do not know exactly). And the address of a WinAPI function in a 32-bit app is not the same as in a 64-bit app.

How can I get the addresses of functions from the 64-bit kernel32.dll using a 32-bit app? I do not want to launch a separate 64-bit process just to know the addresses of the needed functions.

Victor Mezrin

1 Answer

1

I don't think the question is meaningful. Because of ASLR you can only ask "what is the address of the function when the DLL is loaded into my process(*)" and you can't load a 64-bit DLL into a 32-bit process.

(*) It may be the case that the answer is currently the same for every process run after a particular boot, but I bet the API supports a different address for kernel32.dll for each process.

(Also of course, the 64-bit value is likely to be much greater than will fit in a 32-bit pointer.)

  • kernel32 is not subject to ASLR. It has the same base address system wide: http://www.nynaeve.net/?p=198 – David Heffernan Dec 21 '15 at 13:00
  • Agreed, but my point was the GetProcAddress API (and similar) won't expose that detail. The "same base address system wide" was what I was trying to say with "the same for every process run after a particular boot". – Martin Bonner supports Monica Dec 21 '15 at 13:16