Lord PE is outdated. I personally respect Yoda, but his really good piece of software has not been updated for many, many years. Thus, the method above is suxx. Use RtlQueryProcessDebugInformation instead.
Something like:

```c
#include <windows.h>
#include <stdio.h>

// ntdll exports (undocumented); RTL_DEBUG_INFORMATION / RTL_PROCESS_MODULES are the
// layouts from the phnt / ReactOS headers. Link against ntdll.lib or resolve them with GetProcAddress.
#define RTL_QUERY_PROCESS_MODULES 0x01
PRTL_DEBUG_INFORMATION NTAPI RtlCreateQueryDebugBuffer(ULONG MaximumCommit, BOOLEAN UseEventPair);
NTSTATUS NTAPI RtlQueryProcessDebugInformation(HANDLE UniqueProcessId, ULONG Flags, PRTL_DEBUG_INFORMATION Buffer);
NTSTATUS NTAPI RtlDestroyQueryDebugBuffer(PRTL_DEBUG_INFORMATION Buffer);

PRTL_DEBUG_INFORMATION pRtlBuffer;  // debug buffer filled in by ntdll
NTSTATUS ntStatus;                  // return code of RtlQueryProcessDebugInformation
DWORD dwPID;                        // PID of the process to inspect

// get the memory for the buffer
pRtlBuffer = RtlCreateQueryDebugBuffer(0, FALSE);
if (!pRtlBuffer) {
    // Error!
}
// get the info about the modules
ntStatus = RtlQueryProcessDebugInformation((HANDLE)(ULONG_PTR)dwPID, RTL_QUERY_PROCESS_MODULES, pRtlBuffer);
if (ntStatus == 0) {  // STATUS_SUCCESS
    PRTL_PROCESS_MODULES pModules = pRtlBuffer->Modules;
    // enumerate the modules
    for (ULONG i = 0; i < pModules->NumberOfModules; i++) {
        printf("ImageBase: 0x%p\n", pModules->Modules[i].ImageBase);
        printf("ImageSize: 0x%08lX\n", (unsigned long)pModules->Modules[i].ImageSize);
        // ...
    }
} else if (ntStatus == (NTSTATUS)0xC0000022L) {  // STATUS_ACCESS_DENIED
    // Error
}
// free the buffer
RtlDestroyQueryDebugBuffer(pRtlBuffer);
```

Actually, we wrote much more information in http://wasm.ru/article.php?article=packers2, but one has to know Russian to be able to understand it...
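The structures behind `pRtlBuffer->Modules` and a walker over them, as an added example that is not code from the post or from wasm.ru: the layouts are the well-known ntdll ones (as published in the phnt and ReactOS headers), and the module list is constructed inline so the walker runs without Windows. On a live system the `RTL_PROCESS_MODULES` pointer comes from the query above; everything else is the same.

```c
/* Added example, not code from the original post: walking the RTL_PROCESS_MODULES
 * list that RtlQueryProcessDebugInformation(..., RTL_QUERY_PROCESS_MODULES, buf)
 * leaves at buf->Modules. Layouts follow the known ntdll definitions (phnt / ReactOS).
 * The sample buffer below is constructed, not captured from a real process. */
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct _RTL_PROCESS_MODULE_INFORMATION {
    void    *Section;
    void    *MappedBase;
    void    *ImageBase;           /* address the image is mapped at in the target */
    uint32_t ImageSize;
    uint32_t Flags;
    uint16_t LoadOrderIndex;
    uint16_t InitOrderIndex;
    uint16_t LoadCount;
    uint16_t OffsetToFileName;    /* index of the file name inside FullPathName */
    uint8_t  FullPathName[256];
} RTL_PROCESS_MODULE_INFORMATION;

typedef struct _RTL_PROCESS_MODULES {
    uint32_t NumberOfModules;
    RTL_PROCESS_MODULE_INFORMATION Modules[1];   /* really NumberOfModules entries */
} RTL_PROCESS_MODULES;

/* File-name part of FullPathName. OffsetToFileName describes data from the
 * inspected process, so it is range-checked instead of trusted. */
const char *module_file_name(const RTL_PROCESS_MODULE_INFORMATION *m)
{
    size_t len = 0;
    while (len < sizeof m->FullPathName && m->FullPathName[len] != '\0')
        len++;
    if (len == sizeof m->FullPathName)
        return "<unterminated path>";
    if (m->OffsetToFileName >= len)
        return (const char *)m->FullPathName;
    return (const char *)m->FullPathName + m->OffsetToFileName;
}

/* Module whose range [ImageBase, ImageBase + ImageSize) contains addr, or NULL. */
const RTL_PROCESS_MODULE_INFORMATION *
find_module_by_address(const RTL_PROCESS_MODULES *mods, uintptr_t addr)
{
    for (uint32_t i = 0; i < mods->NumberOfModules; i++) {
        const RTL_PROCESS_MODULE_INFORMATION *m = &mods->Modules[i];
        uintptr_t base = (uintptr_t)m->ImageBase;
        if (addr >= base && addr - base < m->ImageSize)
            return m;
    }
    return NULL;
}

void print_modules(const RTL_PROCESS_MODULES *mods)
{
    for (uint32_t i = 0; i < mods->NumberOfModules; i++) {
        const RTL_PROCESS_MODULE_INFORMATION *m = &mods->Modules[i];
        printf("%2u  base=%p  size=0x%08x  %s\n", (unsigned)m->LoadOrderIndex,
               m->ImageBase, (unsigned)m->ImageSize, module_file_name(m));
    }
}

/* Fill one entry the way ntdll does (file name offset = after the last backslash). */
static void set_module(RTL_PROCESS_MODULE_INFORMATION *m, uintptr_t base,
                       uint32_t size, const char *path, uint16_t order)
{
    const char *slash = strrchr(path, '\\');
    memset(m, 0, sizeof *m);
    m->ImageBase = (void *)base;
    m->ImageSize = size;
    m->LoadOrderIndex = order;
    m->LoadCount = 1;
    strncpy((char *)m->FullPathName, path, sizeof m->FullPathName - 1);
    m->OffsetToFileName = (uint16_t)(slash ? (slash - path) + 1 : 0);
}

/* Constructed stand-in for the buffer ntdll returns; addresses and paths are made up. */
RTL_PROCESS_MODULES *build_sample_modules(void)
{
    const uint32_t n = 2;
    size_t size = sizeof(RTL_PROCESS_MODULES) +
                  (n - 1) * sizeof(RTL_PROCESS_MODULE_INFORMATION);
    RTL_PROCESS_MODULES *mods = calloc(1, size);
    if (!mods)
        return NULL;
    mods->NumberOfModules = n;
    set_module(&mods->Modules[0], 0x00400000u, 0x00010000u, "C:\\sample\\app.exe", 0);
    set_module(&mods->Modules[1], 0x77000000u, 0x001a0000u, "C:\\Windows\\System32\\ntdll.dll", 1);
    return mods;
}

int main(void)
{
    RTL_PROCESS_MODULES *mods = build_sample_modules();
    if (!mods)
        return 1;
    print_modules(mods);
    const RTL_PROCESS_MODULE_INFORMATION *hit = find_module_by_address(mods, 0x77001234u);
    printf("0x77001234 lies in %s\n", hit ? module_file_name(hit) : "no module");
    free(mods);
    return 0;
}
```

On Windows, hand `pRtlBuffer->Modules` from the query to `print_modules` or `find_module_by_address` and only call `RtlDestroyQueryDebugBuffer` once you are done with the entries, since they live inside that buffer. The range check in `module_file_name` matters because the path strings come from the inspected process' view and a bad `OffsetToFileName` would otherwise walk past the 256-byte field.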