Accessing contents of char** on a windows x64 cause exception

Question

The following piece of code is causing an exception on a windows vista x64 and i can't figure why.

size_t pBaseAddr;
char *lpszFuncName;
IMAGE_EXPORT_DIRECTORY *pExportDir;
const char **lpszNames;
unsigned int dwIndex;

lpszNames  = ((const char **)(pBaseAddr + pExportDir->AddressOfNames));
if(lpszNames == NULL)
  return NULL;

for(dwIndex = 0; dwIndex < pExportDir->NumberOfFunctions; dwIndex++)
{ 
   if(strcmp((char *)(pBaseAddr + lpszNames[dwIndex]), lpszFuncName) == 0)
       return Something;
}

The problem, i think, is on the strcmp() line, specifically on lpszNames[dwIndex]. It works on 32 bits but on 64 it crashes with a access violation. if you want to see the whole code check my previous question

EDIT: since people didn't look at the link i posted on the question I will post the entire code from the original question.

// Retrieve NT header from base address.
IMAGE_NT_HEADERS *GetNtHeaderFromBase( void *pBaseAddr )
{
 IMAGE_DOS_HEADER       *pDosHeader;
 IMAGE_NT_HEADERS       *pNtHeaders;

 pDosHeader = ((IMAGE_DOS_HEADER *)pBaseAddr);
 if(pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
  return NULL;

 pNtHeaders = ((IMAGE_NT_HEADERS *)((DWORD)pBaseAddr + pDosHeader->e_lfanew));
 if(pNtHeaders->Signature != IMAGE_NT_SIGNATURE)
  return NULL;

 return ((pNtHeaders == NULL) ? NULL : pNtHeaders);
}


// This emulates GetProcAddress.
void *GetFuncAddr( size_t pBaseAddr, char *lpszFuncName ) 
{
 IMAGE_NT_HEADERS       *pNtHeaders;
 IMAGE_DATA_DIRECTORY   *pDataDir;
 IMAGE_EXPORT_DIRECTORY *pExportDir;
 const char      **lpszNames;
 size_t       *lpdwFuncs, dwIndex;

 pNtHeaders = GetNtHeaderFromBase((void *)pBaseAddr);
 if(pNtHeaders == NULL)
  return NULL;

 pDataDir = ((IMAGE_DATA_DIRECTORY *)(pNtHeaders->OptionalHeader.DataDirectory + IMAGE_DIRECTORY_ENTRY_EXPORT));
 if(pDataDir == NULL)
  return NULL;

 pExportDir = ((IMAGE_EXPORT_DIRECTORY *)(pBaseAddr + pDataDir->VirtualAddress));
 if(pExportDir == NULL)
  return NULL;

 lpdwFuncs  = ((size_t *)(pBaseAddr + pExportDir->AddressOfFunctions));
 lpszNames  = ((const char **)(pBaseAddr + pExportDir->AddressOfNames));
 if(lpdwFuncs == NULL || lpszNames == NULL)
  return NULL;

 for(dwIndex = 0; dwIndex < pExportDir->NumberOfFunctions; dwIndex++)
 { 
  // decrypt funcname and get the address
  if(strcmp((char *)(pBaseAddr + lpszNames[dwIndex]), lpszFuncName) == 0)
   return (void*)(pBaseAddr + lpdwFuncs[dwIndex]);
 }

 return NULL;
}

EDIT2: NO, i am NOT using DWORD.

Answer 1

An access violation means that you're probably trying to dereference a null pointer in the lpszNames array.

lpszNames[dwIndex] is returning a char *, that probably is not pointing to valid data.

Can you verify that lpszNames[dwIndex] does not return null?

Actually, it may not even have to be null, it could just be an address defined as in 'protected' memory.

Answer 2

pNtHeaders = ((IMAGE_NT_HEADERS *)((DWORD)pBaseAddr + pDosHeader->e_lfanew));
if(pNtHeaders->Signature != IMAGE_NT_SIGNATURE)
 return NULL;

You are casting a pointer to DWORD. This is not safe on 64-bit systems where a DWORD is half the size of a pointer. I'm not sure if this is the root of your problems, but it's definitely unsafe.

Answer 3

void GetFuncAddr(HMODULE hBaseAddr, char *pFuncName) 
{
    unsigned int count = 1;
    IMAGE_DOS_HEADER *pDosHeader;
    IMAGE_NT_HEADERS *pNtHeaders;
    IMAGE_OPTIONAL_HEADER *pOptionalHeader;
    IMAGE_DATA_DIRECTORY *pDataDirectory;
    IMAGE_pExpORT_DIRECTORY *pExp;
    ULONG * addrofnames;
    char *funcname;
    ULONG *funcaddr;

    pDosHeader = (IMAGE_DOS_HEADER *)hBaseAddr; 

    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) 
    { 
     return NULL;
    } 

    pNtHeaders = (IMAGE_NT_HEADERS *)(((BYTE *)pDosHeader) + pDosHeader->e_lfanew); 

    if (pNtHeaders->Signature != IMAGE_NT_SIGNATURE)
    { 
     return NULL;
    } 

    pOptionalHeader = &pNtHeaders->pOptionalHeader; 
    pDataDirectory = &pOptionalHeader->pDataDirectory[IMAGE_DIRECTORY_ENTRY_pExpORT]; 

    pExp = (IMAGE_pExpORT_DIRECTORY *)((size_t)pDosHeader + pDataDirectory->VirtualAddress); 

    addrofnames = (ULONG *)((BYTE*) hBaseAddr + pExp->addrofnames);
    funcaddr = (ULONG*) ((BYTE*) hBaseAddr + pExp->AddressOfFunctions);

    for(count = 0; count < pExp->NumberOfNames; count++)
    {
     funcname = (char*)((BYTE*) hBaseAddr + addrofnames[count]);  
     if(strcmp(funcname, pFuncName) == 0)
     { 
      return (void*)((BYTE*) hBaseAddr + funcaddr[count]);
     }
    }

    return NULL;
}