Hey, seems that your Hook Analyzer 3.3 process is not x86-64 aware when opening the respective image files for a process.
I externally opened notepad.exe, then chose to open and hook into a process (I pressed "2" on the welcome screen of Hook Analyzer) and entered the notepad.exe PID as told.
Next I got some extensive analysis results. However, the shown base address of the notepad.exe file did not seem to be the standard one for PE32+ (0x140000000).
Then I did a test and renamed the notepad.exe file in the \SystemRoot\SysWoW64\ directory.
I fired up Hook Analyzer 3.3 again and retried to open and hook into the newly started 64-bit notepad.exe.
This is what I got while the 64-bit notepad.exe was running perfectly fine:
[*] Welcome to interactive mode
[!] Displaying Modules for the process - 15292
[*] Process path is :c:\windows\system32\notepad.exe[+] Parsing the log files for high level summary
[!] Program exited
[+] Parsing the log files for high level summary
[+] Extracting any potential IP address
No more information was written to the log.
You are likely redirected to the SysWow64 directory.
Test system was a Windows 10 10586.103, x64 machine. The same test was conducted with another file in x64 mode.
I tested another file copied to the native System32\ as well, and the result was the same.
The analysis completed successfully if the process image file was not located in the native \SystemRoot\System32\ directory.
The option to spawn and hook into a process (pressing "1") only opens the correct file if I enter "C:\Windows\sysnative\notepad.exe".
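
The check described in the post, as an added example that is not part of the original post and is not Hook Analyzer code: read the PE header of the file that was actually opened, compare it with the bitness of the target process, and fall back to the Sysnative alias when they disagree. The function names, the constructed headers and the 0x00400000 base for the 32-bit copy are assumptions made for this sketch.

```python
import struct

def pe_summary(data: bytes) -> dict:
    """Read machine type, optional-header format and ImageBase from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    opt = e_lfanew + 24  # optional header follows the signature and 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x20B:    # PE32+: 8-byte ImageBase at offset 24
        (base,) = struct.unpack_from("<Q", data, opt + 24)
    elif magic == 0x10B:  # PE32: 4-byte ImageBase at offset 28
        (base,) = struct.unpack_from("<I", data, opt + 28)
    else:
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    return {"x64": machine == 0x8664, "pe32plus": magic == 0x20B, "image_base": base}

def opened_wrong_image(data: bytes, target_is_64bit: bool) -> bool:
    """True when the file read from disk cannot be the image of the target process."""
    return pe_summary(data)["x64"] != target_is_64bit

def sysnative(path: str) -> str:
    """Rewrite ...\\System32\\... to ...\\Sysnative\\... (alias visible to 32-bit callers)."""
    parts = path.split("\\")
    return "\\".join("Sysnative" if p.lower() == "system32" else p for p in parts)

def build_header(machine: int, magic: int, image_base: int) -> bytes:
    """Constructed minimal PE header for this demo (not a loadable executable)."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)      # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x84, machine)   # COFF Machine
    struct.pack_into("<H", buf, 0x98, magic)     # optional header magic
    plus = magic == 0x20B
    struct.pack_into("<Q" if plus else "<I", buf, 0x98 + (24 if plus else 28), image_base)
    return bytes(buf)

# Constructed samples: the 32-bit copy a redirected open returns, and the native image.
SYSWOW64_COPY = build_header(0x014C, 0x10B, 0x00400000)
NATIVE_COPY = build_header(0x8664, 0x20B, 0x140000000)

if __name__ == "__main__":
    path = r"c:\windows\system32\notepad.exe"
    if opened_wrong_image(SYSWOW64_COPY, target_is_64bit=True):
        print("image does not match the 64-bit target, retry with", sysnative(path))
```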