How to enumerate modules associated with a process

I’m able to get the processId. How do I enumerate loaded modules that
this process has?

I’m looking at “ZwQuerySystemInformation” but don’t know how to get the
module list using it.

Any pointer?

feng

This works for me (Thanks to Dave Burn for his expert help). This has
to be done in user space unless you drag the win32 API down:

//begin code snippet

#include <windows.h>
#include <psapi.h>     // EnumProcessModules, GetModuleFileNameExW; link with psapi.lib
#include <stdio.h>
#include <stdlib.h>

// Writes the path of the main executable of ProcessId to File.
void WriteProcessModule(FILE* File, DWORD ProcessId)
{
    HANDLE hProcess = NULL;
    HMODULE lphModule[1024];       // receives one HMODULE per loaded module
    DWORD cbNeeded = 0;            // bytes needed to hold every HMODULE of the process
    DWORD stringSize = 0;
    DWORD moduleNameChars = MAX_PATH;
    BOOL success;

    // initialize all variables and malloc moduleName
    wchar_t* moduleName = NULL;    // must use wide chars for call to GetModuleFileNameExW
    moduleName = (wchar_t*)malloc(moduleNameChars * sizeof(wchar_t));
    if (moduleName == NULL)        // verify memory is allocated
    {
        fprintf(File, "\tfailed malloc");
        return;
    }

    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                           FALSE, ProcessId);
    if (hProcess)
    {
        success = EnumProcessModules(hProcess, lphModule,
                                     sizeof(lphModule), &cbNeeded);
        if (success)
        {
            // EnumProcessModules succeeds even when the array was too small;
            // cbNeeded then says how many bytes the full list needs.
            if (cbNeeded > sizeof(lphModule))
            {
                fprintf(File, "\t(module list truncated)");
            }
            // not looping over the entire array of HMODULEs returned by
            // EnumProcessModules cuts out everything but the exe file. Do we
            // need the DLLs?
            //for(i = 0; i < (cbNeeded / sizeof(HMODULE)); i++)
            //{
            // last argument is the size of moduleName in characters, not
            // cbNeeded (which counts bytes of the HMODULE array)
            stringSize = GetModuleFileNameExW(hProcess, lphModule[0],
                                              moduleName, moduleNameChars);
            if (stringSize)
            {
                fprintf(File, "\t%ls", moduleName);   // wide string, hence %ls
            }
            else
            {
                fprintf(File, "\tfailed GetModuleFileNameEx");
            }
            //}
        }
        else
        {
            fprintf(File, "\tfailed EnumProcessModules");
        }
        CloseHandle(hProcess);
    }
    else
    {
        fprintf(File, "\tfailed OpenProcess");
    }

    free(moduleName);
}

// end code snippet

That will cost you $1000.00. Please discuss payment arrangements with
Mr. Burn.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of feng
Sent: Wednesday, December 01, 2004 12:16 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] How to enumerate modules associated with a process

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@waterford.org
To unsubscribe send a blank email to xxxxx@lists.osr.com

Thank you for the code snippet, Samuel!

But I have to enumerate in KERNEL mode.
Yeah, I saw the function “EnumProcessModulesSamuel” but that doesn’t
work in kernel mode.

Now I could have access to the EPROCESS structure. Still, I haven’t
figured out how to get a list of the DLLs loaded by this process using
this struct. Any idea?

Also, I have been googling and found pieces to tramp down the PEB
itself. Then, it needs to call “KeAttachStackProcess” which, to my
understanding, is not very safe!?..

So I’m kind of running out of ideas. Any input would be of great help
at this point!


I think you will need to send the process ID back to kernel mode
and do the enumeration there. We’ve discussed this problem here
several times, and no better solution has been found.

L.

----- Original Message -----
From: “feng”
To: “Windows File Systems Devs Interest List”
Sent: Thursday, December 02, 2004 1:03 AM
Subject: Re: [ntfsd] How to enumerate modules associated with a process


Eh, I meant “send the process ID back to user mode”.
Sorry for that.

L.

----- Original Message -----
From: “Ladislav Zezula”
To: “Windows File Systems Devs Interest List”
Sent: Thursday, December 02, 2004 8:00 AM
Subject: Re: [ntfsd] How to enumerate modules associated with a process


> I’m able to get the processId. How do I enumerate loaded modules that
> this process has?

Try using PsSetLoadImageNotifyRoutine and PsSetCreateProcessNotifyRoutine.
For this, maintain a list of all processes if you want to use them in some
other place.
For PsSetLoadImageNotifyRoutine the IFS documentation says:
the system calls its load-image notify routine whenever an executable
image is mapped into virtual memory, whether in system space or user
space, before the execution of the image begins…
When the load-image notify routine is called, the input FullImageName
points to a buffered Unicode string identifying the executable image file.
The ProcessId handle identifies the process in which the image has been
mapped, but this handle is zero if the newly loading image is a driver…

So you can get the modules for a process here.
In PsSetCreateProcessNotifyRoutine, you will come to know when that
process gets deleted, so remove that process from your list.

Try it and find out whether it helps you. There is some overhead, but this
is easy to do. But I think you will not get the full path in kernel mode. For
that you have to use user mode. As far as I know, the kernel structures do
not maintain the full path.

Regards,
Naren.
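The per-process bookkeeping that Naren's approach needs, as an added example that is not part of the original thread and not anyone's driver code. It is the record-on-load, drop-on-exit logic written in portable C so it can be compiled and run outside the WDK: the two callbacks `LoadImageNotify` and `CreateProcessNotify` (names chosen here) have the parameter shape of the routines handed to PsSetLoadImageNotifyRoutine and PsSetCreateProcessNotifyRoutine, and the `HANDLE`, `BOOLEAN` and `UNICODE_STRING` definitions are minimal stand-ins for the ntddk.h types. The table, its size limits and the image paths in `main` are constructed for the demo; a real driver would also lock the table, since the callbacks run on whatever thread loads an image or exits. Two details worth seeing: `FullImageName` is a counted string (Length in bytes, no NUL terminator), and a `ProcessId` of zero means a driver image, which is skipped.

```c
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Minimal stand-ins for the kernel types the callbacks receive, so the bookkeeping
 * compiles outside the WDK. In a driver they come from ntddk.h, and LoadImageNotify /
 * CreateProcessNotify are what you pass to PsSetLoadImageNotifyRoutine / PsSetCreateProcessNotifyRoutine. */
typedef void *HANDLE;
typedef unsigned char BOOLEAN;
typedef struct { unsigned short Length, MaximumLength; wchar_t *Buffer; }
    UNICODE_STRING, *PUNICODE_STRING;   /* Length is in BYTES; buffer has no NUL terminator */

#define MAX_TRACKED_PROCESSES   16      /* demo sizes, chosen here */
#define MAX_MODULES_PER_PROCESS 16
#define MAX_PATH_CHARS          260

typedef struct {
    int InUse; HANDLE ProcessId; int ModuleCount;
    wchar_t Modules[MAX_MODULES_PER_PROCESS][MAX_PATH_CHARS];
} TRACKED_PROCESS;

static TRACKED_PROCESS g_table[MAX_TRACKED_PROCESSES];   /* one table; a driver guards it with a lock */

static TRACKED_PROCESS *FindProcess(HANDLE pid)
{
    for (int i = 0; i < MAX_TRACKED_PROCESSES; i++)
        if (g_table[i].InUse && g_table[i].ProcessId == pid)
            return &g_table[i];
    return NULL;
}

static TRACKED_PROCESS *FindOrAddProcess(HANDLE pid)
{
    TRACKED_PROCESS *p = FindProcess(pid);
    for (int i = 0; p == NULL && i < MAX_TRACKED_PROCESSES; i++) {
        if (g_table[i].InUse) continue;
        memset(&g_table[i], 0, sizeof g_table[i]);
        g_table[i].InUse = 1;
        g_table[i].ProcessId = pid;
        p = &g_table[i];
    }
    return p;                       /* NULL when the table is full: load not recorded */
}

/* Load-image notify routine: one call per image mapped into a process. ProcessId 0 = driver image, skipped. */
void LoadImageNotify(PUNICODE_STRING FullImageName, HANDLE ProcessId, void *ImageInfo)
{
    (void)ImageInfo;
    if (ProcessId == NULL || FullImageName == NULL || FullImageName->Buffer == NULL) return;
    TRACKED_PROCESS *p = FindOrAddProcess(ProcessId);
    if (p == NULL || p->ModuleCount >= MAX_MODULES_PER_PROCESS) return;
    size_t chars = FullImageName->Length / sizeof(wchar_t);   /* bytes -> characters */
    if (chars >= MAX_PATH_CHARS) chars = MAX_PATH_CHARS - 1;
    wmemcpy(p->Modules[p->ModuleCount], FullImageName->Buffer, chars);
    p->Modules[p->ModuleCount][chars] = L'\0';                /* terminate it ourselves */
    p->ModuleCount++;
}

/* Create-process notify routine: Create == 0 means the process is exiting, so its entry is dropped. */
void CreateProcessNotify(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
{
    (void)ParentId;
    TRACKED_PROCESS *p = Create ? NULL : FindProcess(ProcessId);
    if (p) p->InUse = 0;
}

/* Query side: number of recorded modules, or -1 if the process is unknown. */
int ModuleCount(HANDLE pid)
{
    TRACKED_PROCESS *p = FindProcess(pid);
    return p ? p->ModuleCount : -1;
}

const wchar_t *ModuleAt(HANDLE pid, int index)
{
    TRACKED_PROCESS *p = FindProcess(pid);
    return (p && index >= 0 && index < p->ModuleCount) ? p->Modules[index] : NULL;
}

/* Wrap a constant the way the kernel hands it in: counted, not terminated. */
UNICODE_STRING MakeUnicodeString(const wchar_t *s)
{
    UNICODE_STRING u = { (unsigned short)(wcslen(s) * sizeof(wchar_t)), 0, (wchar_t *)s };
    u.MaximumLength = u.Length;
    return u;
}

int main(void)
{
    HANDLE pid = (HANDLE)(size_t)1234;   /* constructed events, standing in for the kernel's */
    UNICODE_STRING exe = MakeUnicodeString(L"\\Device\\HarddiskVolume1\\Windows\\notepad.exe");
    UNICODE_STRING dll = MakeUnicodeString(L"\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll");
    LoadImageNotify(&exe, pid, NULL);
    LoadImageNotify(&dll, pid, NULL);
    printf("modules recorded: %d, first: %ls\n", ModuleCount(pid), ModuleAt(pid, 0));
    CreateProcessNotify(NULL, pid, 0);
    printf("after exit: %d\n", ModuleCount(pid));
}
```

The fixed-size table keeps the example self-contained; in a driver the same logic would allocate entries from nonpaged pool and guard the table with a lock, and unloading the driver would remove both callbacks again.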