问题
I'm trying to do a little IAT hooking in explorer.exe. Specs: Windows 7 x64, Visual C++. I've made it to a point where I am capable of reading thunk data from any executable of my choosing except for C:\Windows\Explorer.exe. When I run my program against that I receive an access violation in reading memory from that executable. However, when I run this against C:\Windows\system32\Explorer.exe and C:\Windows\sysWOW64\Explorer.exe I don't have any problems. Why is this? Is C:\Windows\Explorer.exe some sort of symbolic link to one of the other explorer.exe's? What could be keeping me from reading this file?
回答1:
On my Windows 7 x64 system C:\windows\explorer.exe
is a 64-bit binary, PE32+
format, whereas c:\windows\syswow64\explorer.exe
is a 32-bit binary, PE32
format. Is your application designed to read both PE32
and PE32+
formats?
And when opening C:\Windows\System32\Explorer.exe
from a 32-bit process that is a redirect to the c:\windows\syswow64\explorer.exe
copy. From a 64-bit process c:\windows\system32\explorer.exe
doesn't exist.
来源:https://stackoverflow.com/questions/11712120/reading-explorer-exes-thunk-data