program blah;
{$APPTYPE CONSOLE}
uses
Windows, SysUtils, madCodeHook;
begin
WriteLn('GetCallingModule(): 0x' + IntToHex(GetCallingModule(), 8));
ReadLn;
end.
The address returned in my case is always 0x7C800000 (kernel32.dll) when it should be 0x00400000 by default since I didn't manually set the imagebase. A strange console application bug with this function? My own GetCallingModule version in my hook library returns the correct base, this is how I noticed the difference. I validate EBP - 4 first then if it's invalid use EBP + 4 to get the return address. I take it you're probably looking at the stack layout to determine calling conventions at run-time in your version? If I place the same call to GetCallingModule() in a separate function I get the correct result, perhaps this is just merely a stackframe issue?