Getting virtual address of PE header in memory
So generally, people say that all you have to do to get the PE header
address is something like this:
IMAGE_DOS_HEADER *IDH = (IMAGE_DOS_HEADER *)GetModuleHandle(NULL);
IMAGE_NT_HEADERS *INT = (IMAGE_NT_HEADERS *)((int *)IDH + (int)IDH->e_lfanew);
However, after several hours of thinking about why it doesn't work for me, I
realized that I additionally need to divide IDH->e_lfanew by 4. So I get
the correct pointer to the IMAGE_NT_HEADERS struct only in this way:
IMAGE_NT_HEADERS *INT = (IMAGE_NT_HEADERS *)((int *)IDH + (int)(IDH->e_lfanew / 4));
Could somebody explain to me why I need to divide it? My OS is Windows
8 64 bit. Maybe my version of Windows is the reason? Anyway, I would be
very grateful for any guidance!
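An added example, not part of the original post: e_lfanew is a byte offset, and adding it to an `int *` scales it by sizeof(int), which is why the division by 4 appears to help. The sketch below uses a constructed in-memory buffer instead of GetModuleHandle so it runs on any platform; the function names and the sample image are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define E_LFANEW_OFF 0x3C   /* offset of e_lfanew inside IMAGE_DOS_HEADER */

/* Read a little-endian 32-bit value without alignment assumptions. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Byte offset actually reached by `(int *)base + e_lfanew`:
 * pointer arithmetic multiplies the index by sizeof(int). */
size_t offset_via_int_ptr(uint32_t e_lfanew) {
    return (size_t)e_lfanew * sizeof(int);
}

/* Correct lookup: add e_lfanew to a BYTE pointer. Returns NULL unless
 * "MZ" and "PE\0\0" are both present and the offset is in bounds. */
const uint8_t *find_nt_headers(const uint8_t *base, size_t size) {
    if (size < E_LFANEW_OFF + 4 || base[0] != 'M' || base[1] != 'Z')
        return NULL;
    uint32_t e_lfanew = rd32(base + E_LFANEW_OFF);
    if (e_lfanew > size - 4)
        return NULL;
    const uint8_t *nt = base + e_lfanew;
    return memcmp(nt, "PE\0\0", 4) == 0 ? nt : NULL;
}

/* Constructed sample image: DOS header with e_lfanew = 0x80. */
void build_sample(uint8_t *img, size_t size) {
    memset(img, 0, size);
    img[0] = 'M'; img[1] = 'Z';
    img[E_LFANEW_OFF] = 0x80;
    memcpy(img + 0x80, "PE\0\0", 4);
}

int main(void) {
    uint8_t img[1024];
    build_sample(img, sizeof img);
    const uint8_t *nt = find_nt_headers(img, sizeof img);
    printf("byte pointer lands at  0x%zx\n", nt ? (size_t)(nt - img) : 0);
    printf("int pointer lands at   0x%zx\n", offset_via_int_ptr(0x80));
    printf("int pointer with /4 at 0x%zx\n", offset_via_int_ptr(0x80 / 4));
    return 0;
}
```

On Windows the equivalent expression is `(IMAGE_NT_HEADERS *)((BYTE *)IDH + IDH->e_lfanew)`. Dividing by 4 only gives the same address when e_lfanew is a multiple of sizeof(int), because integer division truncates.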