MemoryModule
Loading user32.dll fails on Windows 7 x64 (with SP1)
my code:
typedef BOOL (WINAPI* P_EnumWindows)( _In_ WNDENUMPROC lpEnumFunc, _In_ LPARAM lParam );
P_EnumWindows g_pEnumWindows = NULL;
/// Window-enumeration callback passed to EnumWindows.
///
/// Copies the title of each enumerated window into a local buffer and then
/// discards it; the callback exists only to exercise the enumeration.
///
/// @param hWnd    Window currently being enumerated.
/// @param lParam  Caller-supplied value; unused.
/// @return Always TRUE, which asks EnumWindows to continue with the next window.
BOOL CALLBACK EnumWndProc(HWND hWnd, LPARAM lParam)
{
    UNREFERENCED_PARAMETER(lParam);

    // Zero-filled so the buffer holds a valid empty string even if nothing is copied.
    TCHAR title[MAX_PATH] = {0};
    ::GetWindowText(hWnd, title, MAX_PATH - 1);

    return TRUE;
}
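/// Repro for this report: reads user32.dll from disk, asks MemoryModule to map
/// a second copy of it into the process, then calls that copy's EnumWindows
/// export through g_pEnumWindows.
///
/// Every step of the file read is checked, so MemoryLoadLibrary is never handed
/// a short or uninitialised buffer to parse as a PE image.
void TestReloadUser32(void)
{
    const TCHAR *path = _T("c:\\windows\\system32\\user32.dll");
    FILE *fp = NULL;
    unsigned char *data = NULL;
    long length = -1;
    size_t size = 0;
    HMEMORYMODULE handle = NULL;

    fp = _tfopen(path, _T("rb"));
    if (fp == NULL)
    {
        // Print the path that was actually opened; the original message named
        // DLL_FILE, which is not the file this function reads.
        _tprintf(_T("Can't open DLL file \"%s\"."), path);
        goto exit;
    }

    // ftell() returns -1 on failure; assigning that straight to a size_t
    // would turn it into a huge allocation request.
    if (fseek(fp, 0, SEEK_END) == 0)
    {
        length = ftell(fp);
    }
    if (length <= 0 || fseek(fp, 0, SEEK_SET) != 0)
    {
        _tprintf(_T("Can't determine size of DLL file \"%s\".\n"), path);
        goto exit;
    }
    size = (size_t)length;

    data = (unsigned char *)malloc(size);
    if (data == NULL)
    {
        _tprintf(_T("Can't allocate %lu bytes for DLL file.\n"), (unsigned long)size);
        goto exit;
    }

    // A short read would leave the tail of the buffer uninitialised while the
    // loader still follows the offsets and sizes stored in the PE headers.
    if (fread(data, 1, size, fp) != size)
    {
        _tprintf(_T("Can't read DLL file \"%s\".\n"), path);
        goto exit;
    }
    fclose(fp);
    fp = NULL;

    // NOTE(review): this call passes no buffer length, so the loader presumably
    // cannot check header fields against `size`; if the MemoryModule version in
    // use accepts a size argument, pass it.
    handle = MemoryLoadLibrary(data); // reported failure point: returns NULL here
    if (handle == NULL)
    {
        _tprintf(_T("Can't load library from memory.\n"));
        goto exit;
    }

    // Reporter's note: if the following code in MemoryLoadLibraryEx (line 441)
    // is commented out, execution reaches g_pEnumWindows(EnumWndProc, NULL)
    // below and crashes there with 0xC0000005:
    //
    //   ExecuteTLS(result);
    //   // get entry point of loaded library
    //   if (result->headers->OptionalHeader.AddressOfEntryPoint != 0) {
    //       DllEntry = (DllEntryProc) (code + result->headers->OptionalHeader.AddressOfEntryPoint);
    //       // notify library about attaching to process
    //       successfull = (*DllEntry)((HINSTANCE)code, DLL_PROCESS_ATTACH, 0);
    //       if (!successfull) {
    //           SetLastError(ERROR_DLL_INIT_FAILED);
    //           goto error;
    //       }
    //       result->initialized = 1;
    //   }
    //
    // NOTE(review): with those lines disabled the mapped copy never receives
    // DLL_PROCESS_ATTACH, so its exports presumably run against uninitialised
    // module state, which would explain the access violation. This program
    // already imports user32 (EnumWndProc calls GetWindowText), so the copy
    // mapped and initialised by the OS loader is reachable with
    // GetModuleHandle/GetProcAddress instead.
    g_pEnumWindows = (P_EnumWindows)MemoryGetProcAddress(handle, "EnumWindows");
    if (NULL == g_pEnumWindows)
    {
        goto exit;
    }
    g_pEnumWindows(EnumWndProc, 0); // reported crash site (0xC0000005); LPARAM is an integer type, so pass 0

    // NOTE(review): `handle` is never released with MemoryFreeLibrary, and
    // g_pEnumWindows keeps pointing into the mapped image; when the module is
    // released, clear the global at the same time.

exit:
    if (fp)
    {
        fclose(fp);
    }
    if (data)
    {
        free(data);
    }
}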