    Jun 2018

    Little question

    Hello guys, I was testing something when a doubt arose.

    What's the difference between these two pieces of code:

    First one:
        PIMAGE_DOS_HEADER DOSHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(GetModuleHandle(nullptr));
        PIMAGE_NT_HEADERS NTHeaders = reinterpret_cast<PIMAGE_NT_HEADERS>(DOSHeader + DOSHeader->e_lfanew);
    Second one:
        PIMAGE_DOS_HEADER DOSHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(GetModuleHandle(nullptr));
        PIMAGE_NT_HEADERS NTHeaders = reinterpret_cast<PIMAGE_NT_HEADERS>((BYTE*)DOSHeader + DOSHeader->e_lfanew);
    The second one worked and the first one doesn't, why? When I look at the fields of the first one they are irregular, not correct like in the second one.


    Oct 2003
    * moved to Windows programming *

    You would need to read up on what exactly is PIMAGE_DOS_HEADER, but it presumably is a pointer to a struct (since your first line involves a reinterpret cast of a "handle", which typically is a pointer to something). Therefore, in order to skip a number of bytes corresponding to the first part of the struct to get to what is equivalent to the PIMAGE_NT_HEADERS portion, you need to cast that to a pointer to BYTE so that the pointer arithmetic would work.

    Feb 2019
    @Julimar, are you sure converting an HMODULE to a pointer is correct? In the Windows API a HANDLE isn't an address and GetModuleHandle(NULL) will return the current executable instance handle...

    Assuming this would work (I think it doesn't!), DosHeader is a pointer to _IMAGE_DOS_HEADER, which is a structure. As @laserlight explained, when you add or subtract an offset from a pointer, the compiler will multiply the offset by the size of the pointed-to type... The pointer DosHeader+DosHeader->e_lfanew is the same as (BYTE *)DosHeader+sizeof(_IMAGE_DOS_HEADER)*DosHeader->e_lfanew.
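
The pointer-arithmetic scaling discussed in this thread, as an added example that is not part of any post: it measures how far a typed pointer really moves and locates the NT headers byte-wise. `DosHeader` is a stand-in assumed to match the 64-byte IMAGE_DOS_HEADER layout with e_lfanew at offset 0x3C, the 512-byte image is constructed, and the function names are hypothetical; the bounds check on e_lfanew goes beyond the thread's snippets.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Stand-in for IMAGE_DOS_HEADER (assumption): 64 bytes, e_lfanew at 0x3C.
struct DosHeader {
    uint16_t e_magic;     // "MZ" read as a little-endian word: 0x5A4D
    uint16_t unused[29];  // fields this example does not need
    int32_t  e_lfanew;    // byte offset of the NT headers
};
static_assert(sizeof(DosHeader) == 64, "must match IMAGE_DOS_HEADER size");

// Bytes the compiler really skips for `p + n` when p is a DosHeader*.
size_t typed_step_bytes(size_t n) {
    std::vector<DosHeader> v(n + 1);  // keeps p + n inside one allocation
    const DosHeader* p = v.data();
    return static_cast<size_t>(reinterpret_cast<const uint8_t*>(p + n) -
                               reinterpret_cast<const uint8_t*>(p));
}

// Byte offset of the "PE\0\0" signature, or -1 if the image is malformed.
long nt_headers_offset(const uint8_t* base, size_t size) {
    DosHeader dos;
    if (size < sizeof dos) return -1;
    std::memcpy(&dos, base, sizeof dos);  // no unaligned or aliasing reads
    if (dos.e_magic != 0x5A4D || dos.e_lfanew < 0) return -1;
    size_t off = static_cast<size_t>(dos.e_lfanew);
    if (off > size - 4) return -1;        // signature must fit in the buffer
    if (std::memcmp(base + off, "PE\0\0", 4) != 0) return -1;
    return static_cast<long>(off);
}

// Constructed sample image: 512 zero bytes, "MZ" header, "PE\0\0" if it fits.
std::vector<uint8_t> make_sample_image(int32_t e_lfanew) {
    std::vector<uint8_t> img(512, 0);
    DosHeader dos{};
    dos.e_magic = 0x5A4D;
    dos.e_lfanew = e_lfanew;
    std::memcpy(img.data(), &dos, sizeof dos);
    if (e_lfanew >= 64 && static_cast<size_t>(e_lfanew) + 4 <= img.size())
        std::memcpy(img.data() + e_lfanew, "PE\0\0", 4);
    return img;
}

int main() {
    std::vector<uint8_t> img = make_sample_image(0x80);
    std::printf("byte-wise offset: %ld\n", nt_headers_offset(img.data(), img.size()));
    std::printf("typed-pointer offset: %zu\n", typed_step_bytes(0x80));
}
```

With e_lfanew = 0x80 the typed form lands 8192 bytes past the base, far outside the 512-byte sample, while the byte-wise form lands on the signature at offset 128.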

