Get Api name from address

[ragdog]

Hi

I coding a function to Get Api name from address.

Now I am confused in my Iat have i this Address 74A44619

00403000   .  19467574  	DD comctl32.InitCommonControls

Ok i enum all process modules und parsing all found dll for this address for get the api name

I use LoadLibrary and GetProcAddress

with LoadLibrary and GetProcAddress get i this address 75AB1739 to the APi InitCommonControls Why?

I use Win7

Thanks,

Edited March 28, 2011 by ragdog

[kao]

Check the full path for comctl32.dll in each process. Most likely your applications are using different versions of comctl32.dll (see http://msdn.microsoft.com/en-us/library/bb773175(VS.85).aspx )

[ragdog]

Check the full path for comctl32.dll in each process. Most likely your applications are using different versions of comctl32.dll (see http://msdn.microsof...175(VS.85).aspx )

I have found the bug this works only have i add a Manifest.xml

Why this?

[ghandi]

http://blogs.msdn.com/b/rchiodo/archive/2007/04/09/the-next-level-of-dll-hell-sxs.aspx

But aside from the SxS issue, Vista and 7 use ASLR by default and trying to take addresses from system dlls such as Kernel32.dll in your process and applying them to another process is not guaranteed to work at all.

/>http://en.wikipedia.org/wiki/Address_space_layout_randomization

Use Module32First/Module32Next to find the dll in the target process, then do one of the following:

1. Use LoadLibrary to load the target dll into your own process and call GetProcAddress, subtract the local base address and apply the remote one.

Hackish, but it has worked for me.

2. Dump dll from remote process and navigate exports directory to locate API in remote process. More complicated but accurate.

HR,

Ghandi