2

I have been searching for a while and didn't find an appropriate answer for the following problem:

I'm injecting a DLL into a target process. Inside the DLL, I try to call an exported function whose address I want to retrieve by calling GetProcAddress as follows:

```c
FARPROC funcAddr =
    GetProcAddress(GetModuleHandle("target.dll"), "exportedFunc");
```

The call succeeds, I retrieve the address and the GetLastError() is 0, obviously.

But it is just the 16-byte hexadecimal representation of the address (like "0xAB4285B9"), but I need it for 32-byte hexadecimal representation since I am missing the previous 8 bytes (7FF8 for example, complete address would then be "0x7FF8AB4285B9")

Is it just a presentation/format problem or do I need to call another function to get what I want?

I display the information like:

```c
WCHAR buffer[256];
swprintf_s(buffer, 32, L"%X", funcAddr);
MessageBox(NULL, buffer, L"Address", MB_OK);
```

I appreciate any help.

Sorry for non-code formattings, I'm using my phone's web browser here.

Greetz

Trickzter
  • 471
  • 3
  • 14
  • 2
    In Windows a `long` is always 32 bits, even in 64-bit Windows. Why not ask for a pointer value presentation? Anyway, when you're confused about bits versus bytes, as you appear to be, then DLL injection is not something you can master. Just a heads up. It can be fun to explore though. :) – Cheers and hth. - Alf Jun 07 '16 at 09:21
  • Sorry, I meant an `int` is always 32 bits. But it's true (albeit irrelevant) as I wrote that a `long` is always 32-bits. Didn't look closely enough at that format string. – Cheers and hth. - Alf Jun 07 '16 at 09:29
  • First I didn't know what you wanted to say about size of long or int, but you took me to the point finding the definition of "typedef int (FAR WINAPI *FARPROC)();" and I understand the difference between bits and bytes, no problem so far. I just didn't notice FARPROC being a function pointer with the size of an integer. I appreciate your hint. – Trickzter Jun 07 '16 at 10:32
  • But since the method "GetProcAddress" always returns a FARPROC, which is size of an integer as we know now, how can I be able to get the address then? Do I need to call another method for that? – Trickzter Jun 07 '16 at 10:38
  • 2
    `FARPROC` is a pointer. For a 64-bit Windows app that's 64 bits. It's not the size of an `int`, which is just 32 bits. The format specification `L"X"` tells `swprintf` that you're supplying a 32-bit `int` argument, which you want the uppercase hexadecimal representation of. So it uses just 32 bits of the actual 64-bit pointer value you supply. Anyway, note that on other systems `int` can be 64 bits. The lower bound is 16 bits. – Cheers and hth. - Alf Jun 07 '16 at 10:44

1 Answer

0

Alright, since I read a little bit deeper into the topic, I understood and changed my solution in order to make it work properly (special thanks to @cheers and hth):

```c
WCHAR buffer[256];
swprintf_s(buffer, 32, L"%p", funcAddr);
MessageBox(NULL, buffer, L"Address", MB_OK);
```

By simply changing the format from "%X" to "%p", which is the pointer address representation. Simple as that.

Trickzter
  • 471
  • 3
  • 14
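The truncation discussed in this thread, as an added example that is not part of the original posts: it formats the full address quoted in the question through a 32-bit and a 64-bit conversion and flags when the narrower one drops bits. The helper names (`format_low32`, `format_full`, `loses_high_bits`) and `SAMPLE_ADDR` are hypothetical, and portable `snprintf` stands in for `swprintf_s` so the code runs outside Windows.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample value: the full address quoted in the question. */
#define SAMPLE_ADDR UINT64_C(0x7FF8AB4285B9)

/* What a 32-bit "%X" conversion can show: only the low 32 bits.
 * The cast makes the truncation explicit and well defined; handing a
 * pointer straight to "%X" is a type mismatch (undefined behaviour). */
static int format_low32(char *out, size_t n, uint64_t addr)
{
    return snprintf(out, n, "%" PRIX32, (uint32_t)addr);
}

/* Full-width formatting of the same value. */
static int format_full(char *out, size_t n, uint64_t addr)
{
    return snprintf(out, n, "%" PRIX64, addr);
}

/* 1 if a 32-bit conversion would silently drop set bits, else 0. */
static int loses_high_bits(uint64_t addr)
{
    return (addr >> 32) != 0;
}

int main(void)
{
    char low[32], full[32];
    int probe = 0;

    format_low32(low, sizeof low, SAMPLE_ADDR);
    format_full(full, sizeof full, SAMPLE_ADDR);
    printf("32-bit view : %s\n", low);
    printf("64-bit view : %s\n", full);
    printf("truncated   : %s\n", loses_high_bits(SAMPLE_ADDR) ? "yes" : "no");

    /* "%p" with a void* argument is the portable way to print a real
     * pointer; the exact text it produces is implementation-defined. */
    printf("%%p of local : %p\n", (void *)&probe);
    return 0;
}
```

Compiling with format-string warnings enabled (for example `-Wformat` in GCC or Clang) reports a pointer passed to `%X` at build time.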