win7x64内核枚举32位进程模块的问题
PPEB32 pPeb32 = (PPEB32)PsGetProcessWow64Process(pProcess);for (PLIST_ENTRY32 pListEntry = (PLIST_ENTRY32)((PPEB_LDR_DATA32)pPeb32->Ldr)->InLoadOrderModuleList.Flink;
pListEntry != &((PPEB_LDR_DATA32)pPeb32->Ldr)->InLoadOrderModuleList;
pListEntry = (PLIST_ENTRY32)pListEntry->Flink)
{
UNICODE_STRING ustr;
PLDR_DATA_TABLE_ENTRY32 pEntry = CONTAINING_RECORD(pListEntry, LDR_DATA_TABLE_ENTRY32, InLoadOrderLinks);
RtlInitUnicodeString(&ustr, (PWCH)pEntry->FullDllName.Buffer);
DbgPrint("Base=%X Size=%ld Path=%wZ\n",
(PWCH)pEntry->DllBase,
(PWCH)pEntry->SizeOfImage, &ustr);
}
貌似对有些x64保护的32bit 进程无效 对于不能访问其进程空间的进程就无效。
页:
[1]