Hi,
I'm writing a program that shows the different modules of a process and some data such as Image Base, Image Size...
To get the modules I use the following statements:
invoke CreateToolhelp32Snapshot,TH32CS_SNAPMODULE , ProcID
...
invoke Module32First, hSnapshot, addr me32
me32 is defined as MODULEENTRY32, and the MODULEENTRY32 structure is defined as follows:
MODULEENTRY32 STRUCT
    dwSize          DWORD ?
    th32ModuleID    DWORD ?
    th32ProcessID   DWORD ?
    GlblcntUsage    DWORD ?
    ProccntUsage    DWORD ?
                    DWORD ? ; PADDING
    modBaseAddr     QWORD ?
    modBaseSize     DWORD ?
                    DWORD ? ; PADDING
    hModule         QWORD ?
    szModule        db MAX_MODULE_NAME32+1 dup(?)
    szExePath       db MAX_PATH dup(?)
                    DWORD ? ; PADDING
                    QWORD ? ; PADDING
MODULEENTRY32 ENDS
The problem is that every Image Address that I get is a 32-bit pointer. For example:
If I debug my program, I can see in WinDBG that COMCTL32.dll starts at the address: 000007FF 7F0000
And the Image Base that I get is 0000 0000 7F00 0000
Is it necessary to do something special to get the high DWORD of the address?
Maybe using another API?
GUAN
I now know what was happening.
To translate the DQWORD (as a hex number) to ASCII I was using the wsprintf API with the format "%X",0
"%X" does not work with 64-bit numbers; we have to do the translation in 2 steps: the high DWORD and then the low DWORD.
GUAN
Try %I64d. Also note that old operating systems may not support printing 64-bit integers in wsprintf; there isn't even documentation about it on MSDN's wsprintf page.
%I64X might be better considering his other output was in hex ;p
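The truncation and the two-step fix discussed in this thread, as an added example in portable C (not code from any of the posters). The struct is a hypothetical mirror of the leading fields of the layout posted above, the base address is a constructed sample, and standard snprintf stands in for wsprintf.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical mirror of the leading fields of the MODULEENTRY32 layout
   posted above (x64); field names follow the post. */
struct module_entry_head {
    uint32_t dwSize;
    uint32_t th32ModuleID;
    uint32_t th32ProcessID;
    uint32_t GlblcntUsage;
    uint32_t ProccntUsage;
    uint32_t pad0;          /* PADDING */
    uint64_t modBaseAddr;   /* full 64-bit pointer lives here */
    uint32_t modBaseSize;
    uint32_t pad1;          /* PADDING */
    uint64_t hModule;
};

/* Offset of modBaseAddr in the mirrored layout. */
static size_t base_addr_offset(void)
{
    return offsetof(struct module_entry_head, modBaseAddr);
}

/* What a single 32-bit "%X" conversion displays: the high DWORD is dropped. */
static const char *format_truncated(uint64_t addr, char *out, size_t len)
{
    snprintf(out, len, "%08X", (unsigned)(addr & 0xFFFFFFFFu));
    return out;
}

/* Two-step formatting: high DWORD first, then low DWORD. */
static const char *format_two_step(uint64_t addr, char *out, size_t len)
{
    unsigned high = (unsigned)(addr >> 32);
    unsigned low  = (unsigned)(addr & 0xFFFFFFFFu);
    snprintf(out, len, "%08X%08X", high, low);
    return out;
}

int main(void)
{
    struct module_entry_head me = {0};
    char a[32], b[32];
    me.modBaseAddr = 0x000007FF7F000000ULL;   /* constructed sample value */
    printf("offset   : %zu\n", base_addr_offset());
    printf("one %%X   : %s\n", format_truncated(me.modBaseAddr, a, sizeof a));
    printf("two-step : %s\n", format_two_step(me.modBaseAddr, b, sizeof b));
    return 0;
}
```

The structure field already holds all 64 bits; only the display path loses the upper half, which is why a tool that prints module bases this way can show two different modules at what looks like the same address.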