Hi all,
I have a problem hooking 32-bit dll load on 64-bit Windows. I set LoadImageNotify routine to get notifications on module load, my goal is to catch kernel32.dll load. The problem is that I ALWAYS get the same kernel32.dll imagebase, for both 64-bit and 32-bit process! While I no they should be different. The interesting thing is that at the LoadImageNotify time 64-bit kernel32.dll image is(it seems to be) mapped into 32-bit process - I can view the PE header. Later it is unmapped. Are there any ways to get right baseaddress?
Another question is: are there any ways to get list of 32-bit dlls loaded into process on 64-bit Windows?