PsLoadedModuleList on x64

I’m looking for a way to enumerate the list of loaded kernel modules on x64 versions of Windows. I know on x86 versions the list is PsLoadedModuleList from the PCR’s KdVersionBlock, but on Win7 x64, KdVersionBlock is null. Is there another location for PsLoadedModuleList on x64? Is there a better method to enumerate the list of modules?

My purpose is read-only and is not nefarious in nature. Just simply wanting the module a code address belongs to.

Thanks,
Chris Harper

AuxKlibQueryModuleInformation, http://msdn.microsoft.com/en-us/library/windows/hardware/ff540639(v=vs.85).aspx. No need to use undocumented structures or fields that you don’t have the right locks for.

d

debt from my phone


From: xxxxx@gmail.com
Sent: 1/19/2012 8:58 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] PsLoadedModuleList on x64

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

IIRC AuxKLibXxx functions can do this.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

And this applies to x86 as well if that was not clear.

You should remove the code that grovels into KdVersionBlock and the PCR, and use AuxKlib exclusively.

- S (Msft)

From: xxxxx@lists.osr.com [xxxxx@lists.osr.com] on behalf of Doron Holan [xxxxx@microsoft.com]
Sent: Thursday, January 19, 2012 9:05 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] PsLoadedModuleList on x64

AuxKlibQueryModuleInformation, http://msdn.microsoft.com/en-us/library/windows/hardware/ff540639(v=vs.85).aspx. No need to use undocumented structures or fields that you don’t have the right locks for.

d

debt from my phone



I’m looking for a way to enumerate the list of loaded kernel modules on x64 versions of Windows. I know on x86 versions the list is PsLoadedModuleList from the PCR’s KdVersionBlock, but on Win7 x64, KdVersionBlock is null. Is there another location for PsLoadedModuleList on x64? Is there a better method to enumerate the list of modules?

My purpose is read-only and is not nefarious in nature. Just simply wanting the module a code address belongs to.

Thanks,
Chris Harper

Didn’t we cover this a few days ago?

Either way, take a look at AuxKLib in the wdkdocs.

Good luck,

Mm

Not sure how asking again will get you a different answer. Use AuxKlibQueryModuleInformation, http://msdn.microsoft.com/en-us/library/windows/hardware/ff540639(v=vs.85).aspx , for both x86 and x64. No need to use undocumented structures or fields that you can’t acquire locks to protect.

d

debt from my phone


From: xxxxx@gmail.com
Sent: 1/21/2012 9:27 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] PsLoadedModuleList on x64

I’m looking for a way to enumerate the list of loaded kernel modules on x64 versions of Windows. I know on x86 versions the list is PsLoadedModuleList from the PCR’s KdVersionBlock, but on Win7 x64, KdVersionBlock is null. Is there another location for PsLoadedModuleList on x64? Is there a better method to enumerate the list of modules?

My purpose is read-only and is not nefarious in nature. Just simply wanting the module a code address belongs to.

Thanks,
Chris Harper



Sorry about posting the same question; that was unintentional. I opened a reply to say thanks because the recommendation worked quite well, as expected, but I got interrupted before typing anything and never submitted. But apparently something submitted on my behalf, making me look like an idiot for asking the same question again.

But, thanks for the suggestion, I appreciate all your help. Next time I’ll ask the same question only once.
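
The approach the replies recommend, as an added example (not code from the thread or from Microsoft): fetch the module array with AuxKlibQueryModuleInformation, then range-check the address against each entry. The names FindModuleForAddress and QueryLoadedModules, the pool tag, and the `_KERNEL_MODE` guard with its host-build stand-in types are assumptions made here.

```c
/* Added example, not from the thread. Assumes the driver build defines _KERNEL_MODE (MSVC /kernel). */
#ifdef _KERNEL_MODE
#include <ntddk.h>
#include <aux_klib.h>                /* link against Aux_Klib.lib */
#else                                /* stand-ins for the documented layout, host builds only */
#include <stddef.h>
#include <stdint.h>
typedef void *PVOID; typedef uint32_t ULONG; typedef uint16_t USHORT;
typedef uint8_t UCHAR; typedef uintptr_t ULONG_PTR;
typedef struct { PVOID ImageBase; } AUX_MODULE_BASIC_INFO;
typedef struct {
    AUX_MODULE_BASIC_INFO BasicInfo; ULONG ImageSize; USHORT FileNameOffset;
    UCHAR FullPathName[256];         /* AUX_KLIB_MODULE_PATH_LEN */
} AUX_MODULE_EXTENDED_INFO;
#endif

/* Hypothetical helper: entry whose [ImageBase, ImageBase + ImageSize) holds addr. */
const AUX_MODULE_EXTENDED_INFO *
FindModuleForAddress(const AUX_MODULE_EXTENDED_INFO *mods, ULONG count, const void *addr)
{
    ULONG i;
    for (i = 0; i < count; i++) {
        ULONG_PTR base = (ULONG_PTR)mods[i].BasicInfo.ImageBase;
        /* Compare the offset, not base + size, so the sum cannot wrap. */
        if ((ULONG_PTR)addr >= base && (ULONG_PTR)addr - base < mods[i].ImageSize)
            return &mods[i];
    }
    return NULL;
}

#ifdef _KERNEL_MODE
/* Hypothetical helper. PASSIVE_LEVEL only; caller frees *mods with ExFreePoolWithTag. */
NTSTATUS QueryLoadedModules(AUX_MODULE_EXTENDED_INFO **mods, ULONG *count)
{
    ULONG size = 0;
    NTSTATUS st = AuxKlibInitialize();
    if (!NT_SUCCESS(st)) return st;
    st = AuxKlibQueryModuleInformation(&size, sizeof(**mods), NULL);   /* size query */
    if (!NT_SUCCESS(st)) return st;
    if (size == 0) return STATUS_UNSUCCESSFUL;
    *mods = ExAllocatePoolWithTag(PagedPool, size, 'xuAm');
    if (*mods == NULL) return STATUS_INSUFFICIENT_RESOURCES;
    /* A module loaded between the two calls makes this fail; the caller retries. */
    st = AuxKlibQueryModuleInformation(&size, sizeof(**mods), *mods);
    if (!NT_SUCCESS(st)) { ExFreePoolWithTag(*mods, 'xuAm'); *mods = NULL; return st; }
    *count = size / sizeof(**mods);
    return STATUS_SUCCESS;
}
#endif
```

The returned array is a snapshot taken under the kernel's own synchronization, so a driver never touches PsLoadedModuleList or its lock directly; the file name of a match is `FullPathName + FileNameOffset`.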