#1
Modules loaded by an exe
hi,
I would like to know how some programs such as LordPE display the DLLs loaded by an executable; what APIs are called? Thanks in advance

#2
look here, it's extremely simple
hxxp://www.codeguru.com/Cpp/W-P/system/processesmodules/article.php/c5729/ and also here hxxp://www.codeguru.com/Cpp/W-P/system/processesmodules/article.php/c2873/
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪) There are only 10 types of people in the world: Those who understand binary, and those who don't http://www.accessroot.com

#3
thanks for the info man!

#4
Sorry, but the method above is suxx. Too easy to fool. If you want to create sth really useful, you stick to NT+ architecture. Go search for "PEB_LDR_DATA". This is what you need.

#5
Hmm.. are those undocumented things supported across different OSs (XP, 2003)?
It depends on which level you want to be sure of this.. the info obtained is almost the same, isn't it?

#6
PEB is present starting from NT+.
The exact implementation of the structure is different. You can extract it from PDB-files using pdb-dump by de Quency.
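Posts #4 and #6 point at PEB_LDR_DATA without showing how it is read. The following is an added example written for this page, not code from the thread: it walks InMemoryOrderModuleList through a read(address, size) callback, so the same walker runs against a live process (ReadProcessMemory, Windows only) and against a constructed in-memory image that serves as an offline self-test. The structure layouts are the winternl.h ones for the interpreter's own bitness, and the module names and addresses in the sample image are invented; both are assumptions of the example.

```python
"""Walk PEB_LDR_DATA.InMemoryOrderModuleList (added example, not the thread's code).
read(addr, size) -> bytes is a callback: live process or constructed image.
Layouts follow winternl.h for the interpreter's bitness (assumption: target matches)."""
import ctypes
import sys
from ctypes import sizeof, c_void_p, c_ushort, c_ubyte, c_size_t

ULONG, LONG = ctypes.c_uint32, ctypes.c_int32          # Windows ULONG/LONG are always 32-bit
PROCESS_QUERY_INFORMATION, PROCESS_VM_READ = 0x0400, 0x0010

class LIST_ENTRY(ctypes.Structure):
    _fields_ = [("Flink", c_void_p), ("Blink", c_void_p)]

class UNICODE_STRING(ctypes.Structure):
    _fields_ = [("Length", c_ushort), ("MaximumLength", c_ushort), ("Buffer", c_void_p)]

class PEB_LDR_DATA(ctypes.Structure):
    _fields_ = [("Length", ULONG), ("Initialized", c_ubyte), ("SsHandle", c_void_p),
                ("InLoadOrderModuleList", LIST_ENTRY), ("InMemoryOrderModuleList", LIST_ENTRY),
                ("InInitializationOrderModuleList", LIST_ENTRY)]

class LDR_DATA_TABLE_ENTRY(ctypes.Structure):   # leading members only; the tail varies per OS build
    _fields_ = [("InLoadOrderLinks", LIST_ENTRY), ("InMemoryOrderLinks", LIST_ENTRY),
                ("InInitializationOrderLinks", LIST_ENTRY), ("DllBase", c_void_p),
                ("EntryPoint", c_void_p), ("SizeOfImage", ULONG),
                ("FullDllName", UNICODE_STRING), ("BaseDllName", UNICODE_STRING)]

class PROCESS_BASIC_INFORMATION(ctypes.Structure):
    _fields_ = [("ExitStatus", LONG), ("PebBaseAddress", c_void_p), ("AffinityMask", c_size_t),
                ("BasePriority", LONG), ("UniqueProcessId", c_size_t),
                ("InheritedFromUniqueProcessId", c_size_t)]

def walk_in_memory_order(read, ldr_addr, max_entries=4096):
    """Return [(DllBase, SizeOfImage, BaseDllName)]. Each Flink points at the InMemoryOrderLinks
    member inside the next entry, so the entry starts at Flink minus that member's offset
    (CONTAINING_RECORD). The list is circular and ends when Flink returns to the head."""
    ldr = PEB_LDR_DATA.from_buffer_copy(read(ldr_addr, sizeof(PEB_LDR_DATA)))
    head = ldr_addr + PEB_LDR_DATA.InMemoryOrderModuleList.offset
    link_off = LDR_DATA_TABLE_ENTRY.InMemoryOrderLinks.offset
    modules, cur = [], ldr.InMemoryOrderModuleList.Flink
    while cur and cur != head and len(modules) < max_entries:   # bound guards a damaged list
        e = LDR_DATA_TABLE_ENTRY.from_buffer_copy(read(cur - link_off, sizeof(LDR_DATA_TABLE_ENTRY)))
        name = (read(e.BaseDllName.Buffer, e.BaseDllName.Length).decode("utf-16-le", "replace")
                if e.BaseDllName.Buffer and e.BaseDllName.Length else "")
        modules.append((e.DllBase or 0, e.SizeOfImage, name))
        cur = e.InMemoryOrderLinks.Flink
    return modules

def build_sample_image():
    """Constructed test data, not a real dump: a fake address space holding one
    PEB_LDR_DATA and two invented entries linked in memory order."""
    base, mem = 0x7FF00000, bytearray(0x1000)
    ldr_off, entry_offs, name_offs = 0x000, (0x100, 0x300), (0x500, 0x540)
    fake = [(0x00400000, 0x0002A000, "target.exe"), (0x77C00000, 0x001B0000, "ntdll.dll")]
    head = base + ldr_off + PEB_LDR_DATA.InMemoryOrderModuleList.offset
    links = [base + o + LDR_DATA_TABLE_ENTRY.InMemoryOrderLinks.offset for o in entry_offs]
    ldr = PEB_LDR_DATA(Length=sizeof(PEB_LDR_DATA), Initialized=1)
    ldr.InMemoryOrderModuleList.Flink, ldr.InMemoryOrderModuleList.Blink = links[0], links[-1]
    mem[ldr_off:ldr_off + sizeof(ldr)] = bytes(ldr)
    for i, (dll_base, size, name) in enumerate(fake):
        e = LDR_DATA_TABLE_ENTRY(DllBase=dll_base, SizeOfImage=size)
        e.InMemoryOrderLinks.Flink = links[i + 1] if i + 1 < len(links) else head
        e.InMemoryOrderLinks.Blink = links[i - 1] if i else head
        enc = name.encode("utf-16-le")
        mem[name_offs[i]:name_offs[i] + len(enc)] = enc
        e.BaseDllName = UNICODE_STRING(len(enc), len(enc) + 2, base + name_offs[i])
        mem[entry_offs[i]:entry_offs[i] + sizeof(e)] = bytes(e)

    def read(addr, size):
        off = addr - base
        if off < 0 or off + size > len(mem):
            raise ValueError(f"read outside the sample image: 0x{addr:X}")
        return bytes(mem[off:off + size])
    return read, base + ldr_off

def live_modules(pid):
    """Windows only: locate the PEB with NtQueryInformationProcess, then walk it remotely."""
    if sys.platform != "win32":
        raise OSError("needs the Windows kernel32/ntdll exports")
    k32, ntdll = ctypes.WinDLL("kernel32", use_last_error=True), ctypes.WinDLL("ntdll")
    k32.OpenProcess.restype, k32.OpenProcess.argtypes = c_void_p, [ULONG, ctypes.c_int, ULONG]
    k32.ReadProcessMemory.argtypes = [c_void_p, c_void_p, c_void_p, c_size_t, ctypes.POINTER(c_size_t)]
    k32.CloseHandle.argtypes = [c_void_p]
    ntdll.NtQueryInformationProcess.argtypes = [c_void_p, ULONG, c_void_p, ULONG, c_void_p]
    h = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 0, pid)
    if not h:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        pbi = PROCESS_BASIC_INFORMATION()
        status = ntdll.NtQueryInformationProcess(h, 0, ctypes.byref(pbi), sizeof(pbi), None)
        if status != 0:   # 0 = ProcessBasicInformation; a non-zero return is an NTSTATUS error
            raise OSError(f"NtQueryInformationProcess: NTSTATUS 0x{status & 0xFFFFFFFF:08X}")

        def read(addr, size):
            buf, got = ctypes.create_string_buffer(size), c_size_t()
            if not k32.ReadProcessMemory(h, addr, buf, size, ctypes.byref(got)) or got.value != size:
                raise ctypes.WinError(ctypes.get_last_error())
            return buf.raw
        # PEB.Ldr follows the 2-pointer prefix padded to pointer size: 0x0C on x86, 0x18 on x64
        ldr_addr = int.from_bytes(read(pbi.PebBaseAddress + 3 * sizeof(c_void_p), sizeof(c_void_p)), "little")
        return walk_in_memory_order(read, ldr_addr)
    finally:
        k32.CloseHandle(h)
```

Because the walker only depends on read(), it can equally be pointed at a memory dump. The caveat behind post #4 applies to every reader of these lists: they live in the target's own writable memory, and Toolhelp and RtlQueryProcessDebugInformation ultimately consult the same PEB lists, so a tool that wants to notice a discrepancy compares the list against what VirtualQueryEx reports as mapped image regions rather than trusting any single enumerator.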

#7
Quote:
Code:
#include <windows.h>   // must come before tlhelp32.h
#include <tlhelp32.h>

DWORD currentProcessId = ::GetCurrentProcessId();
// snapshot of the modules loaded in the given process (own PID here, any openable PID works)
HANDLE h = ::CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, currentProcessId);
if (h != INVALID_HANDLE_VALUE)
{
    MODULEENTRY32 me32 = {0};
    me32.dwSize = sizeof(MODULEENTRY32);   // must be set before Module32First
    for (BOOL b = ::Module32First(h, &me32); b; b = ::Module32Next(h, &me32))
    {
        // do something with me32 (szModule, szExePath, modBaseAddr, modBaseSize)
    }
    ::CloseHandle(h);
}

#8
Lord PE is outdated. I personally respect Yoda, but his really good piece of software has not been updated for many, many years. Thus, the method above is suxx. Use RtlQueryProcessDebugInformation instead.
Sth like:
Code:
// QUERYDEBUGBUFFER stands for the undocumented RTL_DEBUG_INFORMATION that ntdll
// returns; its Modules member points at the module array (NumberOfModules + Modules[]).
// The structures and prototypes are not in the SDK, declare them yourself.
QUERYDEBUGBUFFER *pRtlBuffer;   // debug buffer
DWORD dwNtStatus;               // return code of RtlQueryProcessDebugInformation
DWORD dwPID;                    // process PID

// get the memory for the buffer
pRtlBuffer = RtlCreateQueryDebugBuffer(0, FALSE);
if (!pRtlBuffer)
{
    // Error!
    return;
}

// get the info about the modules (0x01 = RTL_QUERY_PROCESS_MODULES)
dwNtStatus = RtlQueryProcessDebugInformation((HANDLE)dwPID, 0x01, pRtlBuffer);
if (!dwNtStatus)
{
    // enumerate the modules
    for (DWORD i = 0; i < pRtlBuffer->Modules->NumberOfModules; i++)
    {
        printf("ImageBase: %p\n", pRtlBuffer->Modules->Modules[i].ImageBase);
        printf("ImageSize: 0x%08X\n", pRtlBuffer->Modules->Modules[i].ImageSize);
        ...
    }
}
else if (dwNtStatus == DEBUG_ACCESS_DENIED)
{
    // Error
}

// free the buffer
RtlDestroyQueryDebugBuffer(pRtlBuffer);

Actually, we wrote much more information in http://wasm.ru/article.php?article=packers2 but one has to know Russian to be able to understand sth...
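The sketch in post #8 relies on structures that no SDK header declares. The following is an added example written for this page, not code from the thread or from wasm.ru: it declares the RTL_DEBUG_INFORMATION / RTL_PROCESS_MODULES / RTL_PROCESS_MODULE_INFORMATION layouts explicitly, parses the module array ntdll fills in, and wraps the create / query / destroy sequence for use on Windows. The layouts, the 0x01 flag name and the sample buffer contents are assumptions of the example (the layouts are the ones commonly published from reverse engineering of ntdll; the sample data is constructed, not captured).

```python
"""RtlQueryProcessDebugInformation module listing (added example, not the thread's code).
Structure layouts and the flag value are assumptions taken from public reverse-engineering
references, not from any SDK header; the sample buffer is constructed test data."""
import ctypes
import sys
from ctypes import sizeof, c_void_p, c_ushort, c_ubyte, c_size_t, POINTER

ULONG = ctypes.c_uint32                   # Windows ULONG is 32-bit on every platform
NTSTATUS = ctypes.c_int32
RTL_QUERY_PROCESS_MODULES = 0x00000001    # the 0x01 flag used in post #8

class RTL_PROCESS_MODULE_INFORMATION(ctypes.Structure):
    _fields_ = [("Section", c_void_p), ("MappedBase", c_void_p), ("ImageBase", c_void_p),
                ("ImageSize", ULONG), ("Flags", ULONG),
                ("LoadOrderIndex", c_ushort), ("InitOrderIndex", c_ushort),
                ("LoadCount", c_ushort), ("OffsetToFileName", c_ushort),
                ("FullPathName", c_ubyte * 256)]   # ANSI path; file name starts at OffsetToFileName

class RTL_PROCESS_MODULES(ctypes.Structure):
    _fields_ = [("NumberOfModules", ULONG),
                ("Modules", RTL_PROCESS_MODULE_INFORMATION * 1)]   # variable length in reality

class RTL_DEBUG_INFORMATION(ctypes.Structure):   # leading members only, enough to reach Modules
    _fields_ = [("SectionHandleClient", c_void_p), ("ViewBaseClient", c_void_p),
                ("ViewBaseTarget", c_void_p), ("ViewBaseDelta", c_size_t),
                ("EventPairClient", c_void_p), ("EventPairTarget", c_void_p),
                ("TargetProcessId", c_void_p), ("TargetThreadHandle", c_void_p),
                ("Flags", ULONG), ("OffsetFree", c_size_t), ("CommitSize", c_size_t),
                ("ViewSize", c_size_t), ("Modules", POINTER(RTL_PROCESS_MODULES))]

def parse_process_modules(buf):
    """Decode an RTL_PROCESS_MODULES blob into [(ImageBase, ImageSize, full_path, file_name)]."""
    hdr_size = RTL_PROCESS_MODULES.Modules.offset      # NumberOfModules plus alignment padding
    entry_size = sizeof(RTL_PROCESS_MODULE_INFORMATION)
    if len(buf) < hdr_size:
        raise ValueError("buffer shorter than the RTL_PROCESS_MODULES header")
    count = int.from_bytes(buf[:4], "little")          # NumberOfModules is the first ULONG
    if len(buf) < hdr_size + count * entry_size:
        raise ValueError(f"buffer truncated: header claims {count} modules")
    modules = []
    for i in range(count):
        start = hdr_size + i * entry_size
        m = RTL_PROCESS_MODULE_INFORMATION.from_buffer_copy(buf[start:start + entry_size])
        raw = bytes(m.FullPathName)
        full = raw.split(b"\0", 1)[0].decode("ascii", "replace")
        name = raw[m.OffsetToFileName:].split(b"\0", 1)[0].decode("ascii", "replace")
        modules.append((m.ImageBase or 0, m.ImageSize, full, name))
    return modules

def build_sample_buffer():
    """Constructed test data (invented modules, not a capture) laid out the way ntdll does."""
    fake = [(0x00400000, 0x0002A000, b"C:\\sample\\target.exe"),
            (0x77C00000, 0x001B0000, b"\\SystemRoot\\System32\\ntdll.dll")]
    entries = []
    for base, size, path in fake:
        m = RTL_PROCESS_MODULE_INFORMATION(ImageBase=base, ImageSize=size,
                                           OffsetToFileName=path.rfind(b"\\") + 1)
        ctypes.memmove(ctypes.addressof(m.FullPathName), path, len(path))
        entries.append(bytes(m))
    header = len(fake).to_bytes(4, "little").ljust(RTL_PROCESS_MODULES.Modules.offset, b"\0")
    return header + b"".join(entries)

def query_process_modules(pid):
    """Windows only: the create / query / parse / destroy sequence sketched in post #8."""
    if sys.platform != "win32":
        raise OSError("RtlQueryProcessDebugInformation is a Windows ntdll export")
    ntdll = ctypes.WinDLL("ntdll")
    ntdll.RtlCreateQueryDebugBuffer.restype = POINTER(RTL_DEBUG_INFORMATION)
    ntdll.RtlCreateQueryDebugBuffer.argtypes = [ULONG, c_ubyte]
    ntdll.RtlQueryProcessDebugInformation.restype = NTSTATUS
    ntdll.RtlQueryProcessDebugInformation.argtypes = [c_void_p, ULONG, POINTER(RTL_DEBUG_INFORMATION)]
    ntdll.RtlDestroyQueryDebugBuffer.argtypes = [POINTER(RTL_DEBUG_INFORMATION)]
    dbg = ntdll.RtlCreateQueryDebugBuffer(0, 0)
    if not dbg:
        raise MemoryError("RtlCreateQueryDebugBuffer returned NULL")
    try:
        status = ntdll.RtlQueryProcessDebugInformation(pid, RTL_QUERY_PROCESS_MODULES, dbg)
        if status < 0:   # NTSTATUS failure, e.g. access denied on a protected process
            raise OSError(f"RtlQueryProcessDebugInformation: NTSTATUS 0x{status & 0xFFFFFFFF:08X}")
        mods = dbg.contents.Modules.contents
        size = RTL_PROCESS_MODULES.Modules.offset + mods.NumberOfModules * sizeof(RTL_PROCESS_MODULE_INFORMATION)
        return parse_process_modules(ctypes.string_at(ctypes.addressof(mods), size))
    finally:
        ntdll.RtlDestroyQueryDebugBuffer(dbg)   # always release the section-backed buffer
```

parse_process_modules is deliberately separate from the live call so the same decoder can be exercised on a saved buffer, and so a truncated or inconsistent header is rejected before any entry is read. Two things to expect in practice: the call fails with an NTSTATUS error for processes the caller cannot open, and older implementations carry out the query by running a helper inside the target process, so it is far from silent and is not a good fit for inspecting a process you do not want to disturb.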