DWORD64 Wow64Local::GetModuleHandle64( wchar_t* lpModuleName, DWORD* pSize /*= nullptr*/ ) { DWORD64 module = 0; TEB64 teb64 = {0}; PEB64 peb64 = {0}; PEB_LDR_DATA64 ldr = {0}; getTEB64(teb64); memcpy64((DWORD64)&peb64, teb64.ProcessEnvironmentBlock, sizeof(peb64)); memcpy64((DWORD64)&ldr, peb64.Ldr, sizeof(ldr)); // Traverse 64bit modules for(DWORD64 head = ldr.InLoadOrderModuleList.Flink; head != (peb64.Ldr + FIELD_OFFSET(PEB_LDR_DATA64, InLoadOrderModuleList)); memcpy64((DWORD64)&head, (DWORD64)head, sizeof(head))) { wchar_t localbuf[512] = {0}; LDR_DATA_TABLE_ENTRY64 localdata = {0}; memcpy64((DWORD64)&localdata, head, sizeof(localdata)); memcpy64((DWORD64)localbuf, localdata.BaseDllName.Buffer, localdata.BaseDllName.Length); if (_wcsicmp(localbuf, lpModuleName) == 0) { module = localdata.DllBase; if(pSize) *pSize = localdata.SizeOfImage; break; } } return module; }
extern "C" DWORD64 __cdecl GetModuleHandle64(wchar_t* lpModuleName) { if (!g_isWow64) return 0; TEB64 teb64; getMem64(&teb64, getTEB64(), sizeof(TEB64)); PEB64 peb64; getMem64(&peb64, teb64.ProcessEnvironmentBlock, sizeof(PEB64)); PEB_LDR_DATA64 ldr; getMem64(&ldr, peb64.Ldr, sizeof(PEB_LDR_DATA64)); DWORD64 LastEntry = peb64.Ldr + offsetof(PEB_LDR_DATA64, InLoadOrderModuleList); LDR_DATA_TABLE_ENTRY64 head; head.InLoadOrderLinks.Flink = ldr.InLoadOrderModuleList.Flink; do { getMem64(&head, head.InLoadOrderLinks.Flink, sizeof(LDR_DATA_TABLE_ENTRY64)); wchar_t* tempBuf = (wchar_t*)malloc(head.BaseDllName.MaximumLength); if (nullptr == tempBuf) return 0; WATCH(tempBuf); getMem64(tempBuf, head.BaseDllName.Buffer, head.BaseDllName.MaximumLength); if (0 == _wcsicmp(lpModuleName, tempBuf)) return head.DllBase; } while (head.InLoadOrderLinks.Flink != LastEntry); return 0; }