I am trying to get file information handled by notepad.exe.
So, my program does the following steps.

1. Create process for notepad.exe

       CreateProcess(NULL, szCmdLine, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);

2. Wait until notepad.exe finishes initialization

       WaitForInputIdle(pi.hProcess, 10000);

3. Attach notepad.exe process to my program as debuggee.

       DebugActiveProcess(dwPID)

4. Wait for debug event from debuggee.

5. When my program receives CREATE_PROCESS_DEBUG_EVENT, doing something I need.

Here is my function having an issue.

    LPVOID g_pfHookingAdd = NULL;

    BOOL OnCreateProcessDebugEvent(LPDEBUG_EVENT pde)
    {
        DWORD dwLastErr;

        if (NULL == GetModuleHandleA("advapi32.dll")) // Not able to get a handle here.
        {
            dwLastErr = GetLastError(); // dwLastErr => 126 => (0x7E)
        }

        g_pfHookingAdd = GetProcAddress(GetModuleHandleA("advapi32.dll"), "IsTextUnicode");
        return TRUE;
    }

As you can see, my goal is to retrieve the address where the IsTextUnicode() function is loaded.
However, when I call GetModuleHandleA("advapi32.dll"), I get error code 126, which is ERROR_MOD_NOT_FOUND.
I also checked that advapi32.dll is loaded during the notepad.exe execution.
Can anyone tell me why this is not working?
Here are my environmental conditions:
Windows 10 pro version 1803 (OS build 17134.165)
That isn't working because GetModuleHandle() ...
Retrieves a module handle for the specified module. The module must have been loaded by the calling process.
Answers to GetModuleHandle(), for a DLL in another process might help you.
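
An added example, not code from the question or the answer: one way a debugger can find where a DLL is mapped in another process is to walk that process's module list with the Toolhelp32 API and then rebase an export address it resolved locally. The function names `module_name_matches`, `rebase_export` and `remote_proc_address` are hypothetical, and the code assumes the debugger and the target have the same bitness and map the same DLL file.

```c
/* Added example: resolve an export's address in ANOTHER process. */
#include <ctype.h>
#include <stdint.h>

/* Does the last component of `path` equal `name`, ignoring case? */
static int module_name_matches(const char *path, const char *name)
{
    const char *base = path;
    for (const char *p = path; *p; ++p)
        if (*p == '\\' || *p == '/')
            base = p + 1;
    for (; *base && *name; ++base, ++name)
        if (tolower((unsigned char)*base) != tolower((unsigned char)*name))
            return 0;
    return *base == '\0' && *name == '\0';
}

/* The same DLL image keeps each export at a fixed offset from its base. */
static uintptr_t rebase_export(uintptr_t local_base, uintptr_t local_proc,
                               uintptr_t remote_base)
{
    if (!local_base || !remote_base || local_proc < local_base)
        return 0;
    return remote_base + (local_proc - local_base);
}

#ifdef _WIN32
#undef UNICODE                 /* use the ANSI Toolhelp names below */
#include <windows.h>
#include <tlhelp32.h>

/* Address of `proc` from `dll` as mapped in process `pid`; 0 on failure. */
uintptr_t remote_proc_address(DWORD pid, const char *dll, const char *proc)
{
    HMODULE local = LoadLibraryA(dll);   /* map the DLL into OUR process first */
    if (local == NULL)
        return 0;
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
    if (snap == INVALID_HANDLE_VALUE)
        return 0;
    MODULEENTRY32 me;
    me.dwSize = sizeof(me);              /* required before Module32First */
    uintptr_t remote_base = 0;
    for (BOOL ok = Module32First(snap, &me); ok; ok = Module32Next(snap, &me))
        if (module_name_matches(me.szExePath, dll)) {
            remote_base = (uintptr_t)me.modBaseAddr;
            break;
        }
    CloseHandle(snap);
    return rebase_export((uintptr_t)local,
                         (uintptr_t)GetProcAddress(local, proc), remote_base);
}
#endif
```

In the question's handler this would be called as `remote_proc_address(dwPID, "advapi32.dll", "IsTextUnicode")`; the Win32 part only compiles on Windows.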