GetCallingModule bug?

c++ / delphi package - dll injection and api hooking
Post Reply
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

GetCallingModule bug?

Post by iconic »

Code: Select all

program blah;

{$APPTYPE CONSOLE}

uses
  Windows, SysUtils, madCodeHook;

begin
  WriteLn('GetCallingModule(): 0x' + IntToHex(GetCallingModule(), 8));
  ReadLn;
end.
The address returned in my case is always 0x7C800000 (kernel32.dll) when it should be 0x00400000 by default since I didn't manually set the imagebase. A strange console application bug with this function? My own GetCallingModule version in my hook library returns the correct base, this is how I noticed the difference. I validate EBP - 4 first then if it's invalid use EBP + 4 to get the return address. I take it you're probably looking at the stack layout to determine calling conventions at run-time in your version? If I place the same call to GetCallingModule() in a separate function I get the correct result, perhaps this is just merely a stackframe issue?

I'm using mch 2.x by the way.

--Iconic
Post Reply