Enumerating loaded modules in a process

> But can we do one more thing: take an address in an address space and find out the region, then find out where or in which file this region is memory mapped or paged.

Surely it can be done - this is what ZwQueryVirtualMemory(), MemorySectionName infoclass is for. PSAPI GetModuleFileName() relies upon it behind the scenes…

Is there any other way to list files mapped in process address space?

Well, you will have to scan the whole address space, but the whole thing is feasible. You can take the following approach:

Check the first two bytes of every page in the address space for the PE signature in a _try block. If an exception is raised because the address is invalid, or no PE signature is detected, proceed to the next page. Otherwise, call VirtualQuery() on the given address. If the Type field of the MEMORY_BASIC_INFORMATION that VirtualQuery() returns is not MEM_IMAGE, this is definitely not a loaded DLL’s PE header, so you can safely skip the whole region and proceed to the page that immediately follows it. Otherwise, call GetModuleFileName() and specify the given address as the Module parameter, so that you will get the whole path to the DLL’s image file…

If you do it this way you will be able to enumerate all loaded DLLs…

Anton Bassov
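
The scan described in the post above, as an added example that is not part of the original post: it models the decision logic in portable C, with a constructed region table standing in for the page read inside the `_try` block and for what VirtualQuery() would report. `scan_images`, `struct region`, the `R_*` constants and the sample addresses are assumptions made for illustration, and the two-byte signature checked is the `MZ` magic that begins a PE image.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE 0x1000u
enum rtype { R_PRIVATE, R_MAPPED, R_IMAGE }; /* model MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE */

/* Models what VirtualQuery() reports for one region, plus the two bytes at its base. */
struct region { uintptr_t base; size_t size; enum rtype type; char sig[2]; };

/* Constructed sample address space (not taken from a real process). */
static const struct region sample_map[] = {
    { 0x00010000, 0x3000, R_PRIVATE, { 0, 0 } },     /* heap-like data */
    { 0x00020000, 0x4000, R_MAPPED,  { 'M', 'Z' } }, /* PE file mapped as plain data */
    { 0x00400000, 0x5000, R_IMAGE,   { 'M', 'Z' } }, /* loaded image */
    { 0x07ff0000, 0x2000, R_IMAGE,   { 'M', 'Z' } }, /* loaded image */
};
#define SAMPLE_N (sizeof sample_map / sizeof sample_map[0])

static const struct region *find(const struct region *m, size_t n, uintptr_t a) {
    for (size_t i = 0; i < n; i++)
        if (a >= m[i].base && a - m[i].base < m[i].size) return &m[i];
    return NULL; /* unmapped: the real read would raise an exception */
}

/* Scan [lo, hi) page by page; store image header addresses in out[], count page reads. */
size_t scan_images(const struct region *m, size_t n, uintptr_t lo, uintptr_t hi,
                   uintptr_t *out, size_t cap, size_t *probes) {
    size_t found = 0;
    *probes = 0;
    for (uintptr_t a = lo; a < hi; ) {
        const struct region *r = find(m, n, a);
        ++*probes;
        /* invalid address or no "MZ" on this page: proceed to the next page */
        if (!r || a != r->base || memcmp(r->sig, "MZ", 2) != 0) { a += PAGE; continue; }
        if (r->type != R_IMAGE) { a = r->base + r->size; continue; } /* skip whole region */
        if (found < cap) out[found++] = a; /* real code: GetModuleFileName() here */
        a += PAGE;
    }
    return found;
}

int main(void) {
    uintptr_t mods[8]; size_t probes;
    size_t n = scan_images(sample_map, SAMPLE_N, 0x10000, 0x8000000, mods, 8, &probes);
    for (size_t i = 0; i < n; i++) printf("image header at 0x%lx\n", (unsigned long)mods[i]);
    return 0;
}
```

The `R_MAPPED` entry is the case the region-type check exists for: a PE file mapped as data starts with the same two bytes as a loaded image, and only the type distinguishes them.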