Reading Explorer.exe's Thunk Data


Question

I'm trying to do a little IAT hooking in explorer.exe. Specs: Windows 7 x64, Visual C++. I've made it to a point where I am capable of reading thunk data from any executable of my choosing except for C:\Windows\Explorer.exe. When I run my program against that I receive an access violation in reading memory from that executable. However, when I run this against C:\Windows\system32\Explorer.exe and C:\Windows\sysWOW64\Explorer.exe I don't have any problems. Why is this? Is C:\Windows\Explorer.exe some sort of symbolic link to one of the other explorer.exe's? What could be keeping me from reading this file?

Recommended answer

On my Windows 7 x64 system C:\windows\explorer.exe is a 64-bit binary, PE32+ format, whereas c:\windows\syswow64\explorer.exe is a 32-bit binary, PE32 format. Is your application designed to read both PE32 and PE32+ formats?

And when opening C:\Windows\System32\Explorer.exe from a 32-bit process that is a redirect to the c:\windows\syswow64\explorer.exe copy. From a 64-bit process c:\windows\system32\explorer.exe doesn't exist.
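The PE32 versus PE32+ difference the answer points to, as an added example that is not code from the original post: a portable C reader (no `windows.h`) that checks the optional-header magic before locating the import directory, next to a PE32-only reader that assumes one fixed offset. The function names are hypothetical and the sample headers are constructed in memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
typedef struct { int thunk_size; uint32_t import_rva, import_size; } pe_layout;
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Find the import directory in PE32 or PE32+ headers; 0 on success, -1 if malformed. */
int pe_import_layout(const uint8_t *img, size_t len, pe_layout *out)
{
    if (len < 0x40 || rd16(img) != 0x5A4D) return -1;          /* "MZ" */
    uint32_t nt = rd32(img + 0x3C);                            /* e_lfanew */
    if (nt > len || len - nt < 26 || rd32(img + nt) != 0x4550) return -1;  /* "PE\0\0" */
    size_t opt_size = rd16(img + nt + 20), dirs;               /* SizeOfOptionalHeader */
    const uint8_t *opt = img + nt + 24;
    switch (rd16(opt)) {                                       /* OptionalHeader.Magic */
    case 0x10b: dirs = 96;  out->thunk_size = 4; break;        /* PE32: 4-byte thunks */
    case 0x20b: dirs = 112; out->thunk_size = 8; break;        /* PE32+: 8-byte thunks */
    default: return -1;
    }
    /* Bounds first, then NumberOfRvaAndSizes must cover entry 1. */
    if (opt_size < dirs + 16 || len - nt - 24 < dirs + 16 || rd32(opt + dirs - 4) < 2) return -1;
    out->import_rva  = rd32(opt + dirs + 8);                   /* DataDirectory[1] = imports */
    out->import_size = rd32(opt + dirs + 12);
    return 0;
}
/* A PE32-only reader: assumes DataDirectory is always at optional-header offset 96. */
uint32_t pe32_only_import_rva(const uint8_t *img) { return rd32(img + rd32(img + 0x3C) + 24 + 96 + 8); }

/* Constructed sample: headers only, no sections, in a caller-supplied 512-byte buffer. */
void make_sample(uint8_t *buf, uint16_t magic, uint32_t rva, uint32_t size)
{
    size_t dirs = (magic == 0x20b) ? 112 : 96;
    uint8_t *opt = buf + 0x80 + 24;
    memset(buf, 0, 512);
    wr32(buf, 0x5A4D); wr32(buf + 0x3C, 0x80); wr32(buf + 0x80, 0x4550);
    wr32(buf + 0x80 + 20, (uint32_t)(dirs + 128));  /* SizeOfOptionalHeader; Characteristics = 0 */
    wr32(opt, magic); wr32(opt + dirs - 4, 16);     /* Magic; NumberOfRvaAndSizes */
    wr32(opt + dirs + 8, rva); wr32(opt + dirs + 12, size);
}

int main(void)
{
    uint8_t buf[512]; pe_layout l;
    make_sample(buf, 0x20b, 0x3000, 0x50);          /* constructed PE32+ headers */
    if (pe_import_layout(buf, sizeof buf, &l)) return 1;
    printf("thunk=%d rva=0x%x pe32_only=0x%x\n", l.thunk_size, (unsigned)l.import_rva, (unsigned)pe32_only_import_rva(buf));
    return 0;
}
```

On the constructed PE32+ sample the fixed-offset reader lands on `LoaderFlags` instead of the import directory, so every address derived from it afterwards is wrong.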
