|
|
PPEB32 pPeb32 = (PPEB32)PsGetProcessWow64Process(pProcess);
for (PLIST_ENTRY32 pListEntry = (PLIST_ENTRY32)((PPEB_LDR_DATA32)pPeb32->Ldr)->InLoadOrderModuleList.Flink;
pListEntry != &((PPEB_LDR_DATA32)pPeb32->Ldr)->InLoadOrderModuleList;
pListEntry = (PLIST_ENTRY32)pListEntry->Flink)
{
UNICODE_STRING ustr;
PLDR_DATA_TABLE_ENTRY32 pEntry = CONTAINING_RECORD(pListEntry, LDR_DATA_TABLE_ENTRY32, InLoadOrderLinks);
RtlInitUnicodeString(&ustr, (PWCH)pEntry->FullDllName.Buffer);
DbgPrint("[MODULE]Base=%X Size=%ld Path=%wZ\n",
(PWCH)pEntry->DllBase,
(PWCH)pEntry->SizeOfImage, &ustr);
}
貌似对有些x64保护的32bit 进程无效 |
|
发表于 2016-5-13 00:49:16
发表于 2016-5-20 16:42:10