I’m trying to do a little IAT hooking in explorer.exe. Specs: Windows 7 x64, Visual C++. I’ve made it to a point where I am capable of reading thunk data from any executable of my choosing except for C:\Windows\Explorer.exe. When I run my program against that I receive an access violation in reading memory from that executable. However, when I run this against C:\Windows\system32\Explorer.exe and C:\Windows\sysWOW64\Explorer.exe I don’t have any problems. Why is this? Is C:\Windows\Explorer.exe some sort of symbolic link to one of the other explorer.exe’s? What could be keeping me from reading this file?
On my Windows 7 x64 system C:\windows\explorer.exe is a 64-bit binary, PE32+ format, whereas c:\windows\syswow64\explorer.exe is a 32-bit binary, PE32 format. Is your application designed to read both PE32 and PE32+ formats?
And when opening C:\Windows\System32\Explorer.exe from a 32-bit process that is a redirect to the c:\windows\syswow64\explorer.exe copy. From a 64-bit process c:\windows\system32\explorer.exe doesn’t exist.
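The PE32 versus PE32+ check the answer asks about, as an added example that is not part of the original question or answer: a portable C routine that reads the optional header magic before any import parsing and reports the thunk entry size and import-directory offset that go with it. The names `pe_classify`, `pe_layout` and `make_sample` are hypothetical, and the sample buffer is constructed, not a real executable.

```c
#include <stdint.h>
#include <string.h>

#define PE32_MAGIC     0x10b  /* 32-bit optional header */
#define PE32PLUS_MAGIC 0x20b  /* 64-bit optional header */

typedef struct {
    uint16_t magic;       /* optional header magic */
    uint32_t thunk_size;  /* bytes per import thunk entry */
    uint32_t import_dir;  /* file offset of the import data-directory entry */
} pe_layout;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }

/* Returns 0 on success, -1 if the buffer is truncated or not PE32/PE32+. */
int pe_classify(const uint8_t *buf, size_t len, pe_layout *out) {
    if (len < 0x40 || rd16(buf) != 0x5a4d) return -1;       /* "MZ" */
    uint32_t nt = rd32(buf + 0x3c);                          /* e_lfanew */
    if (nt > len || len - nt < 4 + 20 + 2) return -1;
    if (rd32(buf + nt) != 0x00004550) return -1;             /* "PE\0\0" */
    uint32_t opt = nt + 4 + 20;            /* skip signature and file header */
    uint32_t dirs;                         /* offset of the data directories */
    out->magic = rd16(buf + opt);
    if (out->magic == PE32_MAGIC)          { out->thunk_size = 4; dirs = 96; }
    else if (out->magic == PE32PLUS_MAGIC) { out->thunk_size = 8; dirs = 112; }
    else return -1;
    out->import_dir = opt + dirs + 8;      /* directory index 1, 8 bytes each */
    if (out->import_dir > len || len - out->import_dir < 8) return -1;
    return 0;
}

/* Constructed sample: zeroed header bytes with only the fields read above. */
size_t make_sample(uint8_t *buf, size_t cap, uint16_t magic) {
    size_t need = 0x80 + 4 + 20 + 240;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z'; buf[0x3c] = 0x80;
    memcpy(buf + 0x80, "PE\0\0", 4);
    buf[0x80 + 24] = (uint8_t)(magic & 0xff); buf[0x80 + 25] = (uint8_t)(magic >> 8);
    return need;
}

int main(void) {
    uint8_t b[512]; pe_layout l;
    size_t n = make_sample(b, sizeof b, PE32PLUS_MAGIC);
    return pe_classify(b, n, &l) == 0 && l.thunk_size == 8 ? 0 : 1;
}
```

A reader that assumes the 32-bit layout for a PE32+ image looks for the data directories 16 bytes too early and treats 8-byte thunks as 4-byte ones, so every value it follows afterwards is wrong.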