How can I find the DLL's (ALL Dll's not just windows) that a process has loaded and then get the memory address for it, anyone got any ideas / code?
Thanks
Pete.
DLL's in another process
-
PeterBotes
- User
- Posts: 63
- Joined: Tue Nov 15, 2011 2:12 pm
DLL's in another process
Hi again everyone
How can I find the DLL's (ALL Dll's not just windows) that a process has loaded and then get the memory address for it, anyone got any ideas / code?
Thanks
Pete.
How can I find the DLL's (ALL Dll's not just windows) that a process has loaded and then get the memory address for it, anyone got any ideas / code?
Thanks
Pete.
Re: DLL's in another process
http://www.purebasic.fr/english/viewtop ... 12&t=47420
take a look at Procedure.b GetModuleList(ProcessID.l)
take a look at Procedure.b GetModuleList(ProcessID.l)
-
PeterBotes
- User
- Posts: 63
- Joined: Tue Nov 15, 2011 2:12 pm
Re: DLL's in another process
Hi xorc1zt
I did actuall y find this
In a post elsewhere in this forum, but when I tested it, whilst it returns lots lots of DLL's it does not show one I know is loaded, I know its loaded because I load it!!!!
and I know it is loaded OK not only because I test for zero but because I call a procedure in it, yet the above code does not list the DLL 
Thanks
Pete
I did actuall y find this
Code: Select all
me32.MODULEENTRY32
me32\dwSize = SizeOf(MODULEENTRY32)
hSnapShot = CreateToolhelp32Snapshot_(#TH32CS_SNAPMODULE, hProcess) ;Change the zero for any processID.
If hSnapShot
If Module32First_(hSnapShot, me32)
Debug "Module name = "+PeekS(@me32\szModule) + " Filename = " + PeekS(@me32\szExePath) + " Base address = $" + Hex(me32\modBaseAddr, #PB_Integer)
Repeat
result = Module32Next_(hSnapShot, me32)
If result
debug "Module name = "+PeekS(@me32\szModule) + " Filename = " + PeekS(@me32\szExePath) + " Base address = $" + Hex(me32\modBaseAddr, #PB_Integer)
EndIf
Until result = #False
EndIf
CloseHandle_(hSnapShot)
Else
debug "Error CreateToolhelp32Snapshot_() failed!"
EndIf
Code: Select all
LibNumber.l = OpenLibrary(#PB_Any, "testlib.dll")
If LibNumber.l > 0
Thanks
Pete
Re: DLL's in another process
Pete, a little confused over what your trying to do, get the base address of a .dll associated with a process ...or...trying to list all .dll's in use. Not sure what your trying to do, perhaps a little more information. For the base address of a .dll associated with a specific .exe process try this:
Code: Select all
Structure thread32
size.i
use.i
idth.i
parentid.i
base.i
delta.i
flags.i
EndStructure
#MAX_MODULE_NAME32=255
#MAX_MODULE_NAME32plus=#MAX_MODULE_NAME32+1
#TH32CS_SNAPPROCESS=$2
#TH32CS_SNAPMODULE=$8
Procedure.s RetrieveModuleBase(ProcName.s, ModuleName.s)
lReturnID.i
hSnapProcess.i
hSnapModule.i
procx.PROCESSENTRY32
Module.MODULEENTRY32
OpenLibrary(0, "kernel32.dll")
hSnapProcess=CallFunction(0, "CreateToolhelp32Snapshot", #TH32CS_SNAPPROCESS, 0)
If hSnapProcess <> 0
procx\dwSize = SizeOf(procx)
lReturnID = CallFunction(0, "Process32First", hSnapProcess, @procx)
While lReturnID<>0
If FindString(Left(PeekS(@procx\szExeFile), Len(ProcName)), ProcName, 1)=1
hSnapModule = CallFunction(0, "CreateToolhelp32Snapshot", #TH32CS_SNAPMODULE, procx\th32ProcessID)
If hSnapModule
Module\dwSize = SizeOf(Module)
lReturnID = CallFunction(0, "Module32First", hSnapModule, @Module)
While lReturnID<>0
If FindString(Left(PeekS(@Module\szModule), Len(ModuleName)), ModuleName, 1)=1
CloseLibrary(0)
ProcedureReturn "$"+Hex(Module\modBaseAddr)
EndIf
lReturnID = CallFunction(0, "Module32Next", hSnapModule, @Module)
Wend
EndIf
EndIf
lReturnID = CallFunction(0, "Process32Next", hSnapProcess, @procx)
Wend
EndIf
CloseLibrary(0)
ProcedureReturn "0"
EndProcedure
; example usage
Debug RetrieveModuleBase("notepad.exe", "kernel32.dll")
; returns the base address
The advantage of a 64 bit operating system over a 32 bit operating system comes down to only being twice the headache.
-
PeterBotes
- User
- Posts: 63
- Joined: Tue Nov 15, 2011 2:12 pm
Re: DLL's in another process
Hi SFSxOI,
Well I want the base address, but first of all I thought making sure I could list the DLL would be a good idea, once I can list it I could then move on to getting its base address.
So,
1) I would like to list all DLL's associated with a process, I have code that returns the handle of the process using "OpenProcess"
2) Once I know I can list the DLL I would like the base address of the DLL
3) I want to play with hooking functions in the DLL
I have been playing with injection, virtualallocex, memory protection etc. and now I am trying to bring it all together, my ultimate goal is to get a processes DLL and hook a function it calls.
Thanks Pete.
Well I want the base address, but first of all I thought making sure I could list the DLL would be a good idea, once I can list it I could then move on to getting its base address.
So,
1) I would like to list all DLL's associated with a process, I have code that returns the handle of the process using "OpenProcess"
2) Once I know I can list the DLL I would like the base address of the DLL
3) I want to play with hooking functions in the DLL
I have been playing with injection, virtualallocex, memory protection etc. and now I am trying to bring it all together, my ultimate goal is to get a processes DLL and hook a function it calls.
Thanks Pete.
-
PeterBotes
- User
- Posts: 63
- Joined: Tue Nov 15, 2011 2:12 pm
Re: DLL's in another process
Hi SFSxOI,
Update:
I have managed to use your code and change it slightly to list all DLL's and base addresses associated with a process and it works great thanks.
Pete.
Update:
I have managed to use your code and change it slightly to list all DLL's and base addresses associated with a process and it works great thanks.
Pete.