GetModuleHandle() cannot retrieve handle of "advapi32.dll" loaded by "notepad.exe"

Question

I am trying to get file information handled by notepad.exe.

So, my program does the following steps.

Create process for notepad.exe

CreateProcess(NULL, szCmdLine, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
Wait until finish initialization of notepad.exe

WaitForInputIdle(pi.hProcess, 10000);
Attach notepad.exe process to my program as Debugee.

DebugActiveProcess(dwPID)
Wait for debug event from Debugee.
When my program receive CREATE_PROCESS_DEBUG_EVENT, doing something I need.

Here is my function having an issue.

LPVOID g_pfHookingAdd = NULL;
BOOL OnCreateProcessDebugEvent(LPDEBUG_EVENT pde)
{
    DWORD dwLastErr;
    if (NULL == GetModuleHandleA("advapi32.dll"))   // Not able to get a handle here.
    {
        dwLastErr = GetLastError(); // dwLastErr => 126 => (0x7E) 
    }
    g_pfHookingAdd = GetProcAddress(GetModuleHandleA("advapi32.dll"), "IsTextUnicode");
    return TRUE;
}

As you can see, my goal is to retrieve the address where IsTextUnicode() function is loaded.

However, when I call GetModuleHandleA("advapi32.dll"), I get error code 126, which is ERROR_MOD_NOT_FOUND.

I also checked that advapi32.dll is loaded during the notepad.exe execution.

Can anyone tell me why this is not working?

Here is my environmental conditions:

Windows 10 pro version 1803 (OS build 17134.165)

You are pretty lucky that your program did not load advapi32.dll. Goal is murky, but when you write a debugger then you need to learn how to use [the DbgHelp api](https://learn.microsoft.com/en-us/windows/desktop/debug/debug-help-library). — Hans Passant, Jul 28 '18 at 12:54
for what you need `GetModuleHandle` if you got `LOAD_DLL_DEBUG_EVENT` ? and for what you call `DebugActiveProcess` instead just create process with flag `DEBUG_ONLY_THIS_PROCESS` ? — RbMm, Jul 28 '18 at 18:12
I am trying to get a first byte data where function loaded. Actually it is my another issue to solve, when I create process with flag `DEBUG_ONLY_THIS_PROCESS` or `DEBUG_PROCESS`, I cannot get a right data from [`memcpy(&g_cpdi, &pde->u.CreateProcessInfo, sizeof(CREATE_PROCESS_DEBUG_INFO)); ReadProcessMemory(g_cpdi.hProcess, g_pfHookingAdd, &g_chOrgByte, sizeof(BYTE), NULL);`] — Lance, Jul 28 '18 at 23:20

score 1 · Accepted Answer · answered Jul 28 '18 at 12:07

1

That isn't working because GetModuleHandle() ...

Retrieves a module handle for the specified module. The module must have been loaded by the calling process.

Answers to GetModuleHandle(), for a DLL in another process might help you.

answered Jul 28 '18 at 12:07

Swordfish

12,971
3
21
43

Thank for your quick answer. So do you mean advapi32.dll is not loaded by notepad.exe directly? – Lance Jul 28 '18 at 12:40
@Lance please read my answer again. `GetoduleHanle()` fails because `advapi32.dll` is loaded by `notepad.exe` and not your program that is executing `GetModuleHandle()`. – Swordfish Jul 28 '18 at 12:49
OMG I had been totally misunderstood about GetModuleHandle. Thank you so much. – Lance Jul 28 '18 at 13:35
Good diagnosis, but it actually makes this question a duplicate of the one you found. – Ben Voigt Jul 28 '18 at 15:51
@BenVoigt well, i guess there is no harm done by answering this question albeit it is a duplicate. – Swordfish Jul 28 '18 at 15:55
Well, actually we think that linking to duplicates is better – David Heffernan Jul 28 '18 at 22:09

GetModuleHandle() cannot retrieve handle of "advapi32.dll" loaded by "notepad.exe"

1 Answers1