Closed: whklhh closed this 2 years ago
Actually, this should also happen with an x64 injector injecting into an x86 process. Thank you for this report. I guess this happened because of an assumption in get_dll_export. I made a change that will hopefully fix this. If there are no complications, I will merge it some time tomorrow and release it as v. 0.3.2.
v. 0.3.2 published
When the target process is under WOW, the path of kernel32.dll is "c:\windows\system32\kernel32.dll", which is a fake path. The real path is "c:\windows\sysWOW64\kernel32.dll". And if the domain process is under WOW too, the entry_point will point to the export function of "c:\windows\sysnative\kernel32.dll". The real path is "c:\windows\system32\kernel32.dll". So there is a bug.
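The path redirection described in this report, as an added Python example that is not part of the original issue or the project's code: it maps a path as seen by a process to the file actually opened on x64 Windows, then compares two views of the same path string. The function names and the `C:\Windows` default are assumptions made for this sketch.

```python
import ntpath

# System32 subdirectories that WOW64 leaves unredirected.
EXEMPT = ("catroot", "catroot2", "driverstore", "drivers\\etc", "logfiles", "spool")


def _tail(norm, root):
    """Return the part of `norm` below `root` (case-insensitive), or None."""
    low, root_low = norm.lower(), root.lower()
    if low == root_low:
        return ""
    if low.startswith(root_low + "\\"):
        return norm[len(root) + 1:]
    return None


def real_path(path, is_wow64, windir=r"C:\Windows"):
    """Resolve `path` to the on-disk file it names for the process that uses it.

    is_wow64: True when that process is 32-bit on 64-bit Windows.
    windir:   assumed Windows directory (hypothetical default).
    """
    norm = ntpath.normpath(path)
    if not is_wow64:
        return norm  # 64-bit processes see the file system unredirected
    windir = ntpath.normpath(windir)
    # Sysnative is the WOW64 alias for the real 64-bit System32.
    tail = _tail(norm, ntpath.join(windir, "Sysnative"))
    if tail is not None:
        return ntpath.normpath(ntpath.join(windir, "System32", tail))
    tail = _tail(norm, ntpath.join(windir, "System32"))
    if tail is None:
        return norm  # outside System32: no file system redirection
    t = tail.lower()
    if any(t == e or t.startswith(e + "\\") for e in EXEMPT):
        return norm  # exempt subdirectory keeps its System32 path
    return ntpath.normpath(ntpath.join(windir, "SysWOW64", tail))


def same_file(path_a, a_is_wow64, path_b, b_is_wow64):
    """True when both views resolve to the same on-disk file."""
    return real_path(path_a, a_is_wow64).lower() == real_path(path_b, b_is_wow64).lower()
```

Comparing module paths as plain strings across processes of different bitness treats the 32-bit and 64-bit kernel32.dll as one file; resolving both sides first avoids that.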