Hello again!

I am having difficulties in obtaining addresses of kernel32.dll API functions in WinXP by using the GetProcAddress func. I had no problems with wsock32.dll though. The problem is that the functions return weird addresses for "kernel32.dll" like 0x003a2f5a for CreateFileA and so on. All returned addresses start with 0x003axxxx. The addresses are of course not true as my CreateFileA address is 0x77e7b476.

Do you know how it is possible to obtain correct addresses? Here is my code in C++:

HMODULE hKernel32Module = LoadLibrary( "kernel32.dll" );
DWORD _CreateFileA = (DWORD)GetProcAddress( hKernel32Module, "CreateFileA" );
DWORD _SetFilePointer = (DWORD)GetProcAddress( hKernel32Module, "SetFilePointer" );
DWORD _WriteFile = (DWORD)GetProcAddress( hKernel32Module, "WriteFile" );
DWORD _CloseHandle = (DWORD)GetProcAddress( hKernel32Module, "CloseHandle" );
FreeLibrary( hKernel32Module );
Posted on 2004-04-14 09:11:14 by blackd0t
Sounds like something is hooking those APIs in your program then...
Posted on 2004-04-14 09:44:16 by evlncrn8
Not possible...
Posted on 2004-04-14 09:48:40 by blackd0t
This sounds pretty weird... I did a quick olly of your code, and I get the usual 0x77xxxxxx range for all the imports on my XP SP1 + latest updates.

Have you looked at what is at those 0x003a2f5a etc. locations?
Posted on 2004-04-14 10:13:14 by f0dder
Hmm, I wrote some simple code in masm and it seems that I am having problems only in VC++ :(. Maybe there is some compiler option that spoils the return addresses?
Posted on 2004-04-14 11:27:04 by blackd0t
Hmm. I compiled with standard settings, "cl /c test.c", linked with subsystem:windows, entry:entry32, and nodefaultlib. Ran the code in Olly, I got the right import addresses.

How are you displaying the values? How are you debugging?
Posted on 2004-04-14 11:46:51 by f0dder
Or maybe your dwords are local variables?
Posted on 2004-04-14 11:47:29 by roticv
Perhaps with VC you should turn off debugging options to get proper results.
Posted on 2004-04-14 12:05:23 by japheth
If you change your value from DWORD to void* you will get the correct result

HMODULE hKernel32Module = LoadLibrary( "kernel32.dll" );
void* _CreateFileA = GetProcAddress( hKernel32Module, "CreateFileA" );
char buffer[256];
wsprintf(buffer, "%x", _CreateFileA);
MessageBox(0, buffer, "Test", 0);
Posted on 2004-04-14 12:55:41 by greenant
DWORD didn't cause any problems for me... but the way you display the value can change things. I.e., if the parameter to wsprintf is "&_CreateFileA" instead of "_CreateFileA", you will get the address of the variable instead of the import...
Posted on 2004-04-14 13:36:12 by f0dder
When I create a new project and paste the code everything works fine :(. I have no idea why in the other project there are problems with kernel32.dll :(.

I put this code at the start of the program and it still doesn't work properly. I compared the project settings with the newly created project where the code actually works and it is all the same :(.

I really don't know what may be the problem... I think the best way to find out is to create this new project and start transporting .cpp and .h files to it :).
Posted on 2004-04-14 13:40:42 by blackd0t
Can you attach a zipped exe that shows the problem?
Posted on 2004-04-14 13:43:31 by f0dder
Ok, I did what I wrote in my previous post and everything works fine now :). Weird things tend to happen sometimes... still I'm a bit anxious what the problem was :).
Posted on 2004-04-14 14:01:25 by blackd0t