Enumerating All Modules For A Process

[Blankname]

I am trying to replicate this, and have it safe to call with the number of modules changing.

Code: Select all

http://msdn.microsoft.com/en-us/library/windows/desktop/ms682621(v=vs.85).aspx

Here is the code I am using, I am unsure if I am replicating this properly. It returns just the process file name, which is due to a improper module handle. I am just trying to list all of the modules (.dll's) that are loaded with the injected process at any time. I am not very good at converting over C++ code.

Code: Select all

Procedure PrintModules(Parameter)
  
  Dim hMods(1024)
  hProcess = GetCurrentProcess_()
  cbNeeded.l
  
  If OpenLibrary(0, "Psapi.dll")
    
    EnumProcessModules = GetFunction(0, "EnumProcessModules")
    GetModuleFileName = GetFunction(0, "GetModuleFileNameExA")
    
    If EnumProcessModules And GetModuleFileName
      
      CallFunctionFast(EnumProcessModules, hProcess, @hMods, SizeOf(hMods), @cbNeeded)
      
      For i = 0 To cbNeeded / SizeOf(hMods)
        Name.s = Space(255)
        CallFunctionFast(GetModuleFileName, hProcess, hMods(i), @Name, Len(Name))
        PrintN(Name)
      Next
      
      Repeat
        Delay(10)
      ForEver
      
    EndIf
  EndIf
EndProcedure

ProcedureDLL AttachProcess(Instance)
  OpenConsole()
  CreateThread(@PrintModules(), 0)
EndProcedure

ProcedureDLL DetachProcess(Instance)
EndProcedure

ProcedureDLL AttachThread(Instance)
EndProcedure

ProcedureDLL DetachThread(Instance)
EndProcedure

[JHPJHP]

Not exactly what I was looking for, but does have some code that fixed my problem.

[Blankname]

Try this:

NB*: I noticed I was getting Error: 299 on some processes - then I read...

EnumProcessModules:
If this function is called from a 32-bit application running on WOW64, it can only enumerate the modules of a 32-bit process.
If the process is a 64-bit process, this function fails And the last error code is ERROR_PARTIAL_COPY (299).

Code: Select all

Procedure.s TestForError()
  Result.s = ""
  dwMessageId = GetLastError_()
  *lpBuffer = AllocateMemory(255)
  FormatMessage_(#FORMAT_MESSAGE_FROM_SYSTEM, #Null, dwMessageId, #Null, *lpBuffer, MemorySize(*lpBuffer), #Null)
  Result = "Error: " + Str(dwMessageId) + " - " + PeekS(*lpBuffer)
  FreeMemory(*lpBuffer)
  ProcedureReturn
EndProcedure

Procedure.b AdjustCurrentProcessPrivilege()
  Result.b = #False

  If OpenProcessToken_(GetCurrentProcess_(), #TOKEN_ADJUST_PRIVILEGES | #TOKEN_QUERY, @TokenHandle)
    lpLuid.LUID

    If LookupPrivilegeValue_(#Null, #SE_DEBUG_NAME, @lpLuid)
      NewState.TOKEN_PRIVILEGES

      With NewState
        \PrivilegeCount = 1
        \Privileges[0]\Luid\LowPart = lpLuid\LowPart
        \Privileges[0]\Luid\HighPart = lpLuid\HighPart
        \Privileges[0]\Attributes = #SE_PRIVILEGE_ENABLED
      EndWith
      Result = AdjustTokenPrivileges_(TokenHandle, #False, @NewState, SizeOf(TOKEN_PRIVILEGES), @PreviousState.TOKEN_PRIVILEGES, @ReturnLength)
    EndIf
    CloseHandle_(TokenHandle)
  EndIf
  ProcedureReturn Result
EndProcedure

Procedure PrintModules(ProcessId)
  psapi = OpenLibrary(#PB_Any, "psapi.dll")

  If psapi
    AdjustCurrentProcessPrivilege()
    hProcess = OpenProcess_(#MAXIMUM_ALLOWED, #False, ProcessId)
    Dim lphModule(256)

    If CallFunction(psapi, "EnumProcessModules", hProcess, lphModule(), ArraySize(lphModule()), @lpcbNeeded)
      For rtnCount = 0 To lpcbNeeded / 4 - 1
        lpFilename.s = Space(#MAX_PATH)

        If CallFunction(psapi, "GetModuleFileNameExA", hProcess, lphModule(rtnCount), @lpFilename, Len(lpFilename))
          PrintN(lpFilename)
          ; lpBaseName.s = Space(#MAX_PATH)
;
          ; If CallFunction(psapi, "GetModuleBaseNameA", hProcess, lphModule(rtnCount), @lpBaseName, Len(lpBaseName))
            ; PrintN(lpBaseName)
          ; EndIf
        EndIf
      Next
    Else
      PrintN(TestForError())
    EndIf
    CloseLibrary(psapi)
  EndIf
EndProcedure
OpenConsole()
PrintModules(1552)
Input()

Not exactly what I was looking for, but does have some code that fixed my problem. Thanks!

/solved