list of modules

If someone uses the manual map injection method, and after that I get all modules of the process in kernel space, can I see the DLL file?

You need to provide more details:

  • How is the injected code mapped to the process?
  • How do you try to get all the modules of the process in kernel space?
  • What are you trying to do exactly?

The only place that contains “a list of modules” in a process is the loader database in user-mode, which can be fetched by calling the Win32 API (EnumProcessModules).

In kernel mode, as far as I know, other than maintaining your own list with the image load callback or hacky solutions like scanning the address space with ZwQueryVirtualMemory, you won’t be able to get the “loaded module list”.

Unless you explain your intent, it’s hard to answer your question.

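The scan-based approach mentioned in the answer, as an added example that is not part of the original thread: it cross-checks a module list against memory regions of the kind a ZwQueryVirtualMemory walk reports, and flags executable regions that no listed module covers. The structs, function names and all region and module records are hypothetical, constructed sample data; only the constant values are the real Windows ones.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Real winnt.h values, redefined here so the example builds on any platform. */
#define EXEC_MASK     0xF0u       /* PAGE_EXECUTE | _READ | _READWRITE | _WRITECOPY */
#define MEM_PRIVATE_T 0x20000u    /* MEM_PRIVATE */
#define MEM_IMAGE_T   0x1000000u  /* MEM_IMAGE */

/* Hypothetical trimmed stand-ins for MEMORY_BASIC_INFORMATION and a module entry. */
typedef struct { uint64_t base, size; uint32_t protect, type; } region_t;
typedef struct { uint64_t base, size; const char *name; } module_t;

/* Constructed sample data: two listed modules, four scanned regions. */
static const module_t MODULES[] = {
    {0x00007ff600000000ull, 0x20000,  "app.exe"},
    {0x00007ffa10000000ull, 0x1f0000, "ntdll.dll"},
};
static const region_t REGIONS[] = {
    {0x00007ff600001000ull, 0x8000,   0x20, MEM_IMAGE_T},   /* app.exe code, R-X */
    {0x00007ffa10001000ull, 0x110000, 0x20, MEM_IMAGE_T},   /* ntdll code, R-X */
    {0x000001d4a0000000ull, 0x10000,  0x04, MEM_PRIVATE_T}, /* heap, RW- */
    {0x000001d4b0000000ull, 0x6000,   0x40, MEM_PRIVATE_T}, /* private RWX */
};

/* 1 if the region lies entirely inside one of the listed modules. */
static int covered(const region_t *r, const module_t *m, size_t nm) {
    for (size_t i = 0; i < nm; i++)
        if (r->base >= m[i].base && r->base + r->size <= m[i].base + m[i].size)
            return 1;
    return 0;
}

/* Stores bases of executable regions outside every listed module; returns the count. */
size_t find_unlisted_exec(const region_t *r, size_t nr, const module_t *m,
                          size_t nm, uint64_t *out, size_t cap) {
    size_t hits = 0;
    for (size_t i = 0; i < nr; i++) {
        if (!(r[i].protect & EXEC_MASK) || covered(&r[i], m, nm))
            continue;
        if (hits < cap) out[hits] = r[i].base;
        hits++;
    }
    return hits;
}

int main(void) {
    uint64_t out[4];
    size_t n = find_unlisted_exec(REGIONS, 4, MODULES, 2, out, 4);
    for (size_t i = 0; i < n && i < 4; i++)
        printf("unlisted executable region at 0x%llx\n", (unsigned long long)out[i]);
    return 0;
}
```

A hit is a lead rather than a verdict: JIT compilers also allocate private executable memory that no module entry covers.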