#16
Lord PE is outdated. I personally respect Yoda, but his really good piece of software has not been updated for many, many years. Thus, the method above is suxx. Use RtlQueryProcessDebugInformation instead.

Something like:

```c
// Types and prototypes are the undocumented ntdll ones (declare them as in the
// phnt/ReactOS headers, or include such a header, before using this snippet).
PRTL_DEBUG_INFORMATION pRtlBuffer;   // debug buffer allocated by ntdll
PRTL_PROCESS_MODULES   pModuleInfo;  // modules information
NTSTATUS               ntStatus;     // return code of RtlQueryProcessDebugInformation
DWORD                  dwPID;        // process PID

// get the memory for the buffer
pRtlBuffer = RtlCreateQueryDebugBuffer(0, FALSE);
if (!pRtlBuffer) {
    // Error!
}

// get the info about the modules (0x01 == RTL_QUERY_PROCESS_MODULES)
ntStatus = RtlQueryProcessDebugInformation((HANDLE)(ULONG_PTR)dwPID, 0x01, pRtlBuffer);
if (NT_SUCCESS(ntStatus)) {
    pModuleInfo = pRtlBuffer->Modules;
    // enumerate the modules: the array lives inside pModuleInfo, so index
    // the array, not the pointer itself
    for (ULONG i = 0; i < pModuleInfo->NumberOfModules; i++) {
        printf("ImageBase: 0x%p\n", pModuleInfo->Modules[i].ImageBase);
        printf("ImageSize: 0x%08lX\n", (unsigned long)pModuleInfo->Modules[i].ImageSize);
        ...
    }
} else if (ntStatus == STATUS_ACCESS_DENIED) {
    // Error
}

// free the buffer that was allocated, not the module list inside it
RtlDestroyQueryDebugBuffer(pRtlBuffer);
```

Actually, we wrote much more information in http://wasm.ru/article.php?article=packers2 but one has to know Russian to be able to understand something...
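The module walk the post sketches, as an added example that is neither the poster's code nor anything from the wasm.ru article. It assumes the RTL_DEBUG_INFORMATION / RTL_PROCESS_MODULES / RTL_PROCESS_MODULE_INFORMATION layouts as published in the phnt and ReactOS headers (the post names none of them), the `0x01` class mask and the `STATUS_ACCESS_DENIED` value; `SAMPLE_ENTRIES` is a constructed module list, not a capture. On Windows `query_process_modules` performs the live ntdll calls against the caller's own process and frees the debug buffer on every path; elsewhere the same bounds-checked walker runs over the constructed buffer, which is what a defender building a loaded-module inventory (for example to spot an unexpected DLL in a process) actually needs to get right.

```python
"""Walk the module list that RtlQueryProcessDebugInformation fills in.
Structure layouts are the undocumented ntdll ones as given in phnt/ReactOS
(an assumption); SAMPLE_ENTRIES is constructed, not captured from a process."""
import ctypes
import sys

RTL_QUERY_PROCESS_MODULES = 0x00000001  # DebugInfoClassMask bit for the module list
STATUS_ACCESS_DENIED = 0xC0000022       # NTSTATUS returned for a protected target


class RTL_PROCESS_MODULE_INFORMATION(ctypes.Structure):
    _fields_ = [
        ("Section", ctypes.c_void_p), ("MappedBase", ctypes.c_void_p),
        ("ImageBase", ctypes.c_void_p), ("ImageSize", ctypes.c_uint32),
        ("Flags", ctypes.c_uint32), ("LoadOrderIndex", ctypes.c_uint16),
        ("InitOrderIndex", ctypes.c_uint16), ("LoadCount", ctypes.c_uint16),
        ("OffsetToFileName", ctypes.c_uint16),  # index of the file name in FullPathName
        ("FullPathName", ctypes.c_uint8 * 256),
    ]


class RTL_PROCESS_MODULES(ctypes.Structure):
    # Modules[1] is really a variable-length array; NumberOfModules gives its length.
    _fields_ = [("NumberOfModules", ctypes.c_uint32),
                ("Modules", RTL_PROCESS_MODULE_INFORMATION * 1)]


class RTL_DEBUG_INFORMATION(ctypes.Structure):
    # Only the leading fields up to Modules are needed; ntdll allocates the full struct.
    _fields_ = [
        ("SectionHandleClient", ctypes.c_void_p), ("ViewBaseClient", ctypes.c_void_p),
        ("ViewBaseTarget", ctypes.c_void_p), ("ViewBaseDelta", ctypes.c_size_t),
        ("EventPairClient", ctypes.c_void_p), ("EventPairTarget", ctypes.c_void_p),
        ("TargetProcessId", ctypes.c_void_p), ("TargetThreadHandle", ctypes.c_void_p),
        ("Flags", ctypes.c_uint32), ("OffsetFree", ctypes.c_size_t),
        ("CommitSize", ctypes.c_size_t), ("ReservedSize", ctypes.c_size_t),
        ("Modules", ctypes.POINTER(RTL_PROCESS_MODULES)),
    ]


ENTRY_SIZE = ctypes.sizeof(RTL_PROCESS_MODULE_INFORMATION)
ARRAY_OFFSET = RTL_PROCESS_MODULES.Modules.offset  # includes padding after the count


def parse_modules(buf):
    """Decode an RTL_PROCESS_MODULES blob into dicts: the post's loop, but bounds-checked
    so a short or corrupted buffer raises instead of being over-read."""
    count = ctypes.c_uint32.from_buffer_copy(buf, 0).value
    if len(buf) < ARRAY_OFFSET + count * ENTRY_SIZE:
        raise ValueError("module list truncated: %d entries claimed" % count)
    modules = []
    for i in range(count):
        m = RTL_PROCESS_MODULE_INFORMATION.from_buffer_copy(buf, ARRAY_OFFSET + i * ENTRY_SIZE)
        path = bytes(m.FullPathName).split(b"\0", 1)[0].decode("utf-8", "replace")
        modules.append({"base": m.ImageBase, "size": m.ImageSize,
                        "path": path, "name": path[m.OffsetToFileName:]})
    return modules


# Constructed sample entries (base, size, path); not captured from a real process.
SAMPLE_ENTRIES = [
    (0x00400000, 0x0003A000, b"C:\\constructed\\sample.exe"),
    (0x7FFE0000, 0x001E0000, b"C:\\Windows\\System32\\ntdll.dll"),
]


def build_sample_buffer(entries):
    """Serialize (base, size, path) tuples in the ntdll layout so the walker runs offline."""
    buf = bytearray(ARRAY_OFFSET + len(entries) * ENTRY_SIZE)
    buf[0:4] = bytes(ctypes.c_uint32(len(entries)))
    for i, (base, size, path) in enumerate(entries):
        entry = RTL_PROCESS_MODULE_INFORMATION()
        entry.ImageBase, entry.ImageSize, entry.LoadCount = base, size, 1
        entry.OffsetToFileName = path.rfind(b"\\") + 1
        ctypes.memmove(entry.FullPathName, path, min(len(path), 255))  # keep NUL terminator
        off = ARRAY_OFFSET + i * ENTRY_SIZE
        buf[off:off + ENTRY_SIZE] = bytes(entry)
    return bytes(buf)


def query_process_modules(pid):
    """Windows only: the ntdll calls the post recommends, buffer freed on every path."""
    ntdll = ctypes.WinDLL("ntdll")
    ntdll.RtlCreateQueryDebugBuffer.restype = ctypes.POINTER(RTL_DEBUG_INFORMATION)
    ntdll.RtlCreateQueryDebugBuffer.argtypes = [ctypes.c_uint32, ctypes.c_uint8]
    ntdll.RtlQueryProcessDebugInformation.restype = ctypes.c_uint32
    ntdll.RtlQueryProcessDebugInformation.argtypes = [
        ctypes.c_void_p, ctypes.c_uint32, ctypes.POINTER(RTL_DEBUG_INFORMATION)]
    ntdll.RtlDestroyQueryDebugBuffer.argtypes = [ctypes.POINTER(RTL_DEBUG_INFORMATION)]
    dbg = ntdll.RtlCreateQueryDebugBuffer(0, 0)
    if not dbg:
        raise MemoryError("RtlCreateQueryDebugBuffer failed")
    try:
        status = ntdll.RtlQueryProcessDebugInformation(pid, RTL_QUERY_PROCESS_MODULES, dbg)
        if status == STATUS_ACCESS_DENIED:
            raise PermissionError("access denied to process %d" % pid)
        if status != 0:
            raise OSError("RtlQueryProcessDebugInformation: NTSTATUS 0x%08X" % status)
        mods = dbg.contents.Modules
        if not mods:
            return []
        total = ARRAY_OFFSET + mods.contents.NumberOfModules * ENTRY_SIZE
        return parse_modules(ctypes.string_at(ctypes.addressof(mods.contents), total))
    finally:
        ntdll.RtlDestroyQueryDebugBuffer(dbg)


if __name__ == "__main__":
    if sys.platform == "win32":
        import os
        listing = query_process_modules(os.getpid())
    else:
        listing = parse_modules(build_sample_buffer(SAMPLE_ENTRIES))
    for m in listing:
        print("ImageBase: 0x%08X  ImageSize: 0x%08X  %s" % (m["base"], m["size"], m["name"]))
```

`ARRAY_OFFSET` is taken from the ctypes field descriptor rather than hard-coded, because the count is followed by padding on 64-bit builds (8) but not on 32-bit ones (4); hard-coding either value is the usual way this walk silently reads garbage on the other architecture.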