Windows xp 32bits d3d9.dll vs Windows 7 64bits d3d9.dll

Question

I have issue to do code cave for my hack.

windows xp 32bits d3d9.dll runtime return addresses

4fe50000 (base address)
4fe58840 (drawindexedprimitive virtual table address)
4fe571b0 (endscene virtual table address)

windows 7 64bits d3d9.dll runtime return addresses

72c30000 (base address)
72c5b6b1 (drawindexedprimitive virtual table address)
72c5279f (endscene virtual table address)

if you look at it carefully, the size seems different.

well, I even tried to debug this => "windows 7 x64's c:\\windows\\syswow64\\d3d9.dll", it returns the different address 5e1cxxxx

I am not sure what did I miss. But returns as "72c30000", I can assure it is 32bits d3d9.dll

Any explanation?

Answer 1

DirectX is an integral part of Windows these days. In particular Aero depends on it, d3d9.dll is pre-installed. So the simple explanation is that the addresses are different because the DLLs are different. Something you can easily see by looking at the Properties + Details tab in Windows Explorer. Note the different file versions.

There's no scenario where you can count on consistent addresses for functions across different Windows versions. Or for that matter on one version, a security patch or service pack will alter addresses. Or for that matter on one specific file version, the Address Space Layout Randomization feature was specifically designed to stop you from what you are trying to do.