一个自己写的程序,在程序里openprocess了一个notepad.exe,然后用常规的WriteProcessMemory方法写注入,总是提示加载模块失败
后来查到:64位进程只能加载64位的DLL,32位进程只能加载32位的DLL。
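/* Pointer type for kernel32!IsWow64Process. The export is looked up at run
 * time with GetProcAddress instead of being linked statically, so the code
 * still loads on systems whose kernel32 does not provide it. */
typedef BOOL (WINAPI *LPFN_ISWOW64PROCESS) (HANDLE, PBOOL);

/*
 * Report whether the process behind handle h is running under WOW64,
 * i.e. is a 32-bit process on 64-bit Windows.
 *
 * h: process handle. IsWow64Process requires it to carry
 *    PROCESS_QUERY_INFORMATION or PROCESS_QUERY_LIMITED_INFORMATION access;
 *    without that the query fails and this function returns FALSE.
 *
 * Returns TRUE only when the query succeeded and reported a WOW64 process.
 * FALSE is ambiguous and must not be read as "64-bit process" on its own:
 * it is also returned for a 32-bit process on 32-bit Windows, when the
 * export is missing, and when the query fails. A caller that has to tell
 * these apart also needs the OS bitness (for example from
 * GetNativeSystemInfo).
 */
BOOL IsWow64(HANDLE h)
{
    BOOL bIsWow64 = FALSE;
    LPFN_ISWOW64PROCESS fnIsWow64Process = (LPFN_ISWOW64PROCESS)GetProcAddress(
        GetModuleHandle(_T("kernel32")), "IsWow64Process");

    /* No such export: this system has no WOW64 layer to report on. */
    if (NULL == fnIsWow64Process)
    {
        return FALSE;
    }

    if (!fnIsWow64Process(h, &bIsWow64))
    {
        /* The query failed (bad handle, missing access right, ...). The
         * contents of the out parameter are not guaranteed on failure, so
         * force a defined result instead of returning whatever was left. */
        bIsWow64 = FALSE;
    }

    return bIsWow64;
}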
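这个函数能判断进程是32位还是64位:在64位Windows上,返回TRUE表示目标是32位(WOW64)进程,返回FALSE表示64位进程。注意在32位Windows上,或者查询失败时,一般也是返回FALSE,所以单凭FALSE不能断定进程是64位的。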
后来查到:64位进程只能加载64位的DLL,32位进程只能加载32位的DLL。
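/* Pointer type for kernel32!IsWow64Process. The export is looked up at run
 * time with GetProcAddress instead of being linked statically, so the code
 * still loads on systems whose kernel32 does not provide it. */
typedef BOOL (WINAPI *LPFN_ISWOW64PROCESS) (HANDLE, PBOOL);

/*
 * Report whether the process behind handle h is running under WOW64,
 * i.e. is a 32-bit process on 64-bit Windows.
 *
 * h: process handle. IsWow64Process requires it to carry
 *    PROCESS_QUERY_INFORMATION or PROCESS_QUERY_LIMITED_INFORMATION access;
 *    without that the query fails and this function returns FALSE.
 *
 * Returns TRUE only when the query succeeded and reported a WOW64 process.
 * FALSE is ambiguous and must not be read as "64-bit process" on its own:
 * it is also returned for a 32-bit process on 32-bit Windows, when the
 * export is missing, and when the query fails. A caller that has to tell
 * these apart also needs the OS bitness (for example from
 * GetNativeSystemInfo).
 */
BOOL IsWow64(HANDLE h)
{
    BOOL bIsWow64 = FALSE;
    LPFN_ISWOW64PROCESS fnIsWow64Process = (LPFN_ISWOW64PROCESS)GetProcAddress(
        GetModuleHandle(_T("kernel32")), "IsWow64Process");

    /* No such export: this system has no WOW64 layer to report on. */
    if (NULL == fnIsWow64Process)
    {
        return FALSE;
    }

    if (!fnIsWow64Process(h, &bIsWow64))
    {
        /* The query failed (bad handle, missing access right, ...). The
         * contents of the out parameter are not guaranteed on failure, so
         * force a defined result instead of returning whatever was left. */
        bIsWow64 = FALSE;
    }

    return bIsWow64;
}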
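这个函数能判断进程是32位还是64位:在64位Windows上,返回TRUE表示目标是32位(WOW64)进程,返回FALSE表示64位进程。注意在32位Windows上,或者查询失败时,一般也是返回FALSE,所以单凭FALSE不能断定进程是64位的。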
然后就OK了。。。个例。。
http://www.debugman.com/thread/6037/1/1