Probem taken the Imagen Base of a module in 64 bits

[GUAN DE DIO]

Hi,

      I'm writing a program that show the different module of a process and some data as: Image Base, Image Size...

      To get the modules I use the next sentence:

       invoke CreateToolhelp32Snapshot,TH32CS_SNAPMODULE , ProcID
       ...
       invoke Module32First, hSnapshot, addr me32

       me32 is defined as MODULEENTRY32  and MODULEENTRY32 structure is defined as follows:

MODULEENTRY32 STRUCT
    dwSize            DWORD ?
    th32ModuleID   DWORD ?
    th32ProcessID   DWORD ?
    GlblcntUsage     DWORD ?
    ProccntUsage    DWORD ?
               DWORD ? ; PADDING
   modBaseAddr     QWORD ?
    modBaseSize     DWORD ?
                DWORD ? ; PADDING
    hModule           QWORD ?
    szModule          db MAX_MODULE_NAME32+1 dup(?)
    szExePath         db MAX_PATH dup(?)
                DWORD ? ; PADDING
                QWORD ? ; PADDING
MODULEENTRY32 ENDS


     The problem is that all Imagen Address that I get is as 32 bits Pointer, for example.

      If I debug my program, I can see in WinDBG that the COMCTL32.dll starts in the address: 000007FF 7F0000
   
    And The Image Base that I get is 0000 0000 7F00 0000 

    Is it necessary to make something special to get he High DWORD of the address?

   Maybe using another API?

GUAN

[GUAN DE DIO]

I now know that it was happen.

To translate the DQWORD (as hex number) to ASCII I was using the API wsprintf and as format "%X",0

"%X" is not work with 64 bit numbers,  we make to do the translation in 2 steps  High DWORD and then the Low DWORD.

GUAN

[asmftw]

Try %I64d. Also note that old operating systems may not support printing 64-bit integers in wsprintf, there isn't even documentation about it on msdn's wsprintf page.

[evlncrn8]

%I64X might be better considering his other output was in hex ;p