DWORD64 Wow64Local::GetModuleHandle64( wchar_t* lpModuleName, DWORD* pSize /*= nullptr*/ )
{
DWORD64 module = 0;
TEB64 teb64 = {0};
PEB64 peb64 = {0};
PEB_LDR_DATA64 ldr = {0};
getTEB64(teb64);
memcpy64((DWORD64)&peb64, teb64.ProcessEnvironmentBlock, sizeof(peb64));
memcpy64((DWORD64)&ldr, peb64.Ldr, sizeof(ldr));
// Traverse 64bit modules
for(DWORD64 head = ldr.InLoadOrderModuleList.Flink;
head != (peb64.Ldr + FIELD_OFFSET(PEB_LDR_DATA64, InLoadOrderModuleList));
memcpy64((DWORD64)&head, (DWORD64)head, sizeof(head)))
{
wchar_t localbuf[512] = {0};
LDR_DATA_TABLE_ENTRY64 localdata = {0};
memcpy64((DWORD64)&localdata, head, sizeof(localdata));
memcpy64((DWORD64)localbuf, localdata.BaseDllName.Buffer, localdata.BaseDllName.Length);
if (_wcsicmp(localbuf, lpModuleName) == 0)
{
module = localdata.DllBase;
if(pSize)
*pSize = localdata.SizeOfImage;
break;
}
}
return module;
}
extern "C" DWORD64 __cdecl GetModuleHandle64(wchar_t* lpModuleName)
{
if (!g_isWow64)
return 0;
TEB64 teb64;
getMem64(&teb64, getTEB64(), sizeof(TEB64));
PEB64 peb64;
getMem64(&peb64, teb64.ProcessEnvironmentBlock, sizeof(PEB64));
PEB_LDR_DATA64 ldr;
getMem64(&ldr, peb64.Ldr, sizeof(PEB_LDR_DATA64));
DWORD64 LastEntry = peb64.Ldr + offsetof(PEB_LDR_DATA64, InLoadOrderModuleList);
LDR_DATA_TABLE_ENTRY64 head;
head.InLoadOrderLinks.Flink = ldr.InLoadOrderModuleList.Flink;
do
{
getMem64(&head, head.InLoadOrderLinks.Flink, sizeof(LDR_DATA_TABLE_ENTRY64));
wchar_t* tempBuf = (wchar_t*)malloc(head.BaseDllName.MaximumLength);
if (nullptr == tempBuf)
return 0;
WATCH(tempBuf);
getMem64(tempBuf, head.BaseDllName.Buffer, head.BaseDllName.MaximumLength);
if (0 == _wcsicmp(lpModuleName, tempBuf))
return head.DllBase;
}
while (head.InLoadOrderLinks.Flink != LastEntry);
return 0;
}
