When I search the function CoCreateInstance I get the wrong address #1445

Open
lld4dll opened this Issue Jan 30, 2017 · 3 comments

Projects

None yet

4 participants

@lld4dll
lld4dll commented Jan 30, 2017 edited

When I search the function CoCreateInstance I get the wrong address
below is the picture that show the wrong mem address

image

When I take from the symbols the address I have the right address

for reproduce the bug
attach installagent.exe on x32dbg (windows 10 32 bit)
and try to bp on CoCreateInstance

@blaquee
Contributor
blaquee commented Jan 30, 2017

What is installagent.exe?

@lld4dll
lld4dll commented Jan 31, 2017

one of the processes in windows 10

@skillax
skillax commented Feb 10, 2017

That's due to the exe-file having 'install' (or 'setup' or even 'launch') in it's filename; rename the file to test.exe and please test again, I'll bet it works fine :) This is Windows behaviour by design (inserting SHIMs), not a x64Dbg issue. kernel32.GetProcAddress gets screwed up as well ....

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment