There's currently an issue with the way Windows process modules are found where, if you attempt to get the modules loaded into an x86 process from an x64 program, you are only presented with Ntdll.dll + the Wow64 DLLs, which aren't the only modules loaded.
The current method that is being used is EnumProcessModules from psapi.dll. Whilst I don't know what this function is doing internally, I'm guessing it's only querying the x64 PEB (if the process is running under Wow64) and therefore only returning the x64 DLLs that are loaded in the process.
Something like this could be used to get a full list of modules (both x86 and x64) loaded in a process, from which you could then use the BaseAddress / ModuleHandle to get the rest of the information you need, as is done in the ProcessManger.Win32 class.
```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

internal static class Native
{
    [DllImport("kernel32.dll", SetLastError = true)]
    internal static extern IntPtr CreateToolhelp32Snapshot(SnapshotFlags flags, uint processId);

    [DllImport("kernel32.dll", SetLastError = true)]
    internal static extern bool Module32First(IntPtr snapshotHandle, IntPtr moduleEntry);

    [DllImport("kernel32.dll", SetLastError = true)]
    internal static extern bool Module32Next(IntPtr snapshotHandle, IntPtr moduleEntry);

    // Needed to release the snapshot handle once enumeration is done
    [DllImport("kernel32.dll", SetLastError = true)]
    internal static extern bool CloseHandle(IntPtr handle);

    [Flags]
    internal enum SnapshotFlags
    {
        Module = 0x08,   // TH32CS_SNAPMODULE
        Module32 = 0x10  // TH32CS_SNAPMODULE32: also include the 32-bit modules of a WOW64 process
    }

    // Mirrors the native MODULEENTRY32 layout
    [StructLayout(LayoutKind.Sequential)]
    internal struct ModuleEntry
    {
        internal uint Size;
        private readonly uint ModuleId;
        private readonly uint ProcessId;
        private readonly uint UnusedValue1;
        private readonly uint UnusedValue2;
        internal IntPtr BaseAddress;
        private readonly uint BaseSize;
        private readonly IntPtr ModuleHandle;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 256)]
        internal readonly string Module;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 260)]
        internal readonly string ExePath;
    }

    internal static IntPtr StructureToPointer<TStructure>(TStructure structure)
    {
        var structureSize = Marshal.SizeOf(typeof(TStructure));
        // Allocate memory to store the structure
        var pointer = Marshal.AllocHGlobal(structureSize);
        // Store the structure in the allocated memory (false: the buffer is fresh, nothing to free)
        Marshal.StructureToPtr(structure, pointer, false);
        return pointer;
    }

    internal static TStructure PointerToStructure<TStructure>(IntPtr address)
    {
        // Read the structure from memory at the address
        var structure = (TStructure) Marshal.PtrToStructure(address, typeof(TStructure));
        return structure;
    }

    internal static IEnumerable<ModuleEntry> GetProcessModules(int processId)
    {
        var processModules = new List<ModuleEntry>();
        // Create a tool help snapshot containing both the x64 and the x86 modules
        var snapshotHandle = CreateToolhelp32Snapshot(SnapshotFlags.Module | SnapshotFlags.Module32, (uint) processId);
        // INVALID_HANDLE_VALUE signals failure (e.g. access denied)
        if (snapshotHandle == new IntPtr(-1))
        {
            return processModules;
        }
        var moduleEntryBuffer = IntPtr.Zero;
        try
        {
            // Initialize a module entry struct; Size must be set before Module32First
            var moduleEntrySize = Marshal.SizeOf(typeof(ModuleEntry));
            var moduleEntry = new ModuleEntry { Size = (uint) moduleEntrySize };
            // Store the module entry struct in a buffer
            moduleEntryBuffer = StructureToPointer(moduleEntry);
            // Get the first module of the process and store it in the buffer
            if (!Module32First(snapshotHandle, moduleEntryBuffer))
            {
                return processModules;
            }
            // Get the first module entry structure from the buffer
            moduleEntry = PointerToStructure<ModuleEntry>(moduleEntryBuffer);
            processModules.Add(moduleEntry);
            // Get the rest of the modules in the process
            while (Module32Next(snapshotHandle, moduleEntryBuffer))
            {
                // Get the module entry structure from the buffer
                moduleEntry = PointerToStructure<ModuleEntry>(moduleEntryBuffer);
                processModules.Add(moduleEntry);
            }
            return processModules;
        }
        finally
        {
            // Release the unmanaged buffer and the snapshot handle on every path
            if (moduleEntryBuffer != IntPtr.Zero)
            {
                Marshal.FreeHGlobal(moduleEntryBuffer);
            }
            CloseHandle(snapshotHandle);
        }
    }
}
```
Another option could be to get an instance of the PEB / PEBs (if the process is running under Wow64) and then loop through the LdrDataTable entries, if snapshots were not the best option.
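A check worth running before switching approaches, as an added example that is not part of the issue or the project's code: psapi.dll also exports EnumProcessModulesEx, whose LIST_MODULES_ALL filter returns both the 32-bit and the 64-bit modules of a WOW64 target when called from a 64-bit process. The example lists a target's modules with both APIs so the gap described above can be measured; the class and method names are assumptions, and the caller needs PROCESS_QUERY_INFORMATION | PROCESS_VM_READ access to the target.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;

// Added example (not the project's code); class/method names are assumptions.
internal static class ModuleListingCheck
{
    private const uint ProcessQueryInformation = 0x0400, ProcessVmRead = 0x0010;
    private const uint ListModulesAll = 0x03; // LIST_MODULES_32BIT | LIST_MODULES_64BIT

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern IntPtr OpenProcess(uint access, bool inheritHandle, uint processId);
    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);
    [DllImport("psapi.dll", SetLastError = true)]
    private static extern bool EnumProcessModules(IntPtr process, [Out] IntPtr[] modules, uint size, out uint needed);
    [DllImport("psapi.dll", SetLastError = true)]
    private static extern bool EnumProcessModulesEx(IntPtr process, [Out] IntPtr[] modules, uint size, out uint needed, uint filterFlag);
    [DllImport("psapi.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern uint GetModuleFileNameExW(IntPtr process, IntPtr module, StringBuilder fileName, uint size);

    // Module paths seen by each API; for a WOW64 target queried from a 64-bit caller
    // the second list should also contain the 32-bit modules the first one misses.
    internal static (List<string> Legacy, List<string> All) Compare(int processId)
    {
        var process = OpenProcess(ProcessQueryInformation | ProcessVmRead, false, (uint)processId);
        if (process == IntPtr.Zero) throw new InvalidOperationException("OpenProcess failed: " + Marshal.GetLastWin32Error());
        try
        {
            var handles = new IntPtr[1024];
            var bytes = (uint)(handles.Length * IntPtr.Size);
            var legacy = EnumProcessModules(process, handles, bytes, out var neededLegacy)
                ? Resolve(process, handles, neededLegacy) : new List<string>();
            var all = EnumProcessModulesEx(process, handles, bytes, out var neededAll, ListModulesAll)
                ? Resolve(process, handles, neededAll) : new List<string>();
            return (legacy, all);
        }
        finally { CloseHandle(process); }
    }

    private static List<string> Resolve(IntPtr process, IntPtr[] handles, uint neededBytes)
    {
        // neededBytes / pointer size is the module count; cap it at the buffer we passed
        var count = Math.Min((int)(neededBytes / IntPtr.Size), handles.Length);
        var paths = new List<string>(count);
        var buffer = new StringBuilder(260);
        for (var i = 0; i < count; i++)
            if (GetModuleFileNameExW(process, handles[i], buffer.Clear(), (uint)buffer.Capacity) > 0)
                paths.Add(buffer.ToString());
        return paths;
    }
}
```

Run `ModuleListingCheck.Compare(pid)` against a 32-bit process from a 64-bit build: the first list is expected to hold only ntdll.dll and the wow64 DLLs, the second the full set.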