Getting the modules loaded by a process is relatively simple from R3 (user mode): the ToolHelp32 API gives you a process's module list directly. But R3 APIs cannot be called from R0, so that approach is useless in a driver. This post is therefore about how to get a process's loaded modules from R0 by walking out from its EPROCESS structure.
First, the general idea of the lookup through EPROCESS:
① Get the corresponding PEB structure from the EPROCESS.
② From the PEB, find the _PEB_LDR_DATA.
③ _PEB_LDR_DATA contains three LIST_ENTRY members, each the head of a doubly linked list of the process's loaded-module information. The three lists hold the same modules and differ only in ordering (load order, memory order, initialization order). This article uses InLoadOrderModuleList, which lists the modules in the order they were loaded.
④ Once the list head is known, all that remains is the node type: each node is an _LDR_DATA_TABLE_ENTRY, and its FullDllName member holds the module's full path, which is what we are after. Traversing the list from head to head therefore enumerates every loaded module.
I'll use a picture to describe the process.
As you can see, once you find the list head you just iterate over it until you arrive back at the head.
With the basic idea in place, let's get to work. First prepare your WinDbg debugging tool: we'll locate a process's module list by hand in WinDbg, and then I'll show how to do the same thing in code.
My virtual machine is Win7 x86, and I use the process dwm.exe as the example.
① Run `!process 0 0 dwm.exe` to get the EPROCESS address of dwm.exe. From the output, the EPROCESS address is 0x87ede940 and the PEB address is 0x7ffdf000.
② Note that the PEB address 0x7ffdf000 is below 0x80000000, so it lies in the user address space of dwm.exe and cannot be read from an arbitrary context; reading it directly only shows ????????. We first have to switch the debugger to that process's address space with `.process /p /r 87ede940`:
③ Now that we are in dwm.exe's context, we follow the steps above. `dt _EPROCESS 87ede940` shows the EPROCESS; at offset 0x1a8 is the Peb member, whose value is 0x7ffdf000.
④ Follow the PEB: `dt _PEB 0x7ffdf000` shows the PEB; at offset 0x0c is the Ldr member (_PEB_LDR_DATA), whose value is 0x77307880.
⑤ Follow the _PEB_LDR_DATA: `dt _PEB_LDR_DATA 0x77307880` shows three _LIST_ENTRY members. As I said earlier, these three lists link the same nodes in different orders; I use the first one, InLoadOrderModuleList, which is in load order.
⑥ We have the list head, but we do not yet know what an _LDR_DATA_TABLE_ENTRY looks like, so run `dt _LDR_DATA_TABLE_ENTRY` to see the structure:
From the structure you can see that InLoadOrderLinks is the first member, at offset 0, so the _LIST_ENTRY address we read from the list is directly the address of the _LDR_DATA_TABLE_ENTRY and no CONTAINING_RECORD conversion is needed. (For the other two lists the links sit at a non-zero offset, so there you would have to subtract it.)
⑦ Back to ⑤: the first node of the list (traversing in the Flink direction) is at 0x3017b8, so run `dt _LDR_DATA_TABLE_ENTRY 0x3017b8` and look:
See the path of the dwm.exe process itself? That's right: traversing in load order, the first module is the process image itself. If you don't believe it, look at the next node with `dt _LDR_DATA_TABLE_ENTRY 0x301838` and see the chart below. I'll say no more.
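The walk above, written as code. This is an added example, not the author's driver: it is a user-mode C model of the steps, using local re-declarations of _PEB_LDR_DATA and _LDR_DATA_TABLE_ENTRY in the Win7 x86 member order shown by `dt`, and a constructed loader list (dwm.exe first, then ntdll.dll and kernel32.dll; the paths are made up) in place of a real PEB. In a real driver the same routine is fed the real structures: PsLookupProcessByProcessId gives the EPROCESS, KeStackAttachProcess is the code equivalent of `.process /p /r` (the PEB is user memory, so it must be read in the target's context and at PASSIVE_LEVEL), PsGetProcessPeb returns the PEB, and you detach with KeUnstackDetachProcess and drop the reference with ObDereferenceObject. Since the PEB is pageable user memory owned by a process that may be tearing down, real R0 code also wraps the reads in __try/__except and bounds the walk, as the loop here does.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Local re-declarations of the structures the walk touches, in Win7 x86 member
 * order (dt _PEB_LDR_DATA / dt _LDR_DATA_TABLE_ENTRY), truncated after the
 * members we use. This is a user-mode model of the layout, not <ntddk.h>. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;

typedef struct _UNICODE_STRING {
    uint16_t Length;          /* in bytes, not characters */
    uint16_t MaximumLength;
    wchar_t *Buffer;          /* WCHAR is 16-bit on Windows; wchar_t here for portability */
} UNICODE_STRING;

typedef struct _PEB_LDR_DATA {
    uint32_t   Length;
    uint8_t    Initialized;
    void      *SsHandle;
    LIST_ENTRY InLoadOrderModuleList;           /* +0x0c on Win7 x86: the head we use */
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA;

typedef struct _LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY InLoadOrderLinks;                /* offset 0: node address == entry address */
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    void      *DllBase;
    void      *EntryPoint;
    uint32_t   SizeOfImage;
    UNICODE_STRING FullDllName;                 /* the path we are after */
    UNICODE_STRING BaseDllName;
} LDR_DATA_TABLE_ENTRY;

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* Steps ⑥/⑦: walk InLoadOrderModuleList from its head and copy each FullDllName.
 * The head is a sentinel inside PEB_LDR_DATA, not a module, so the loop starts
 * at head->Flink and stops when it comes back around to the head. */
static size_t enum_modules(const PEB_LDR_DATA *ldr, wchar_t out[][64], size_t max)
{
    const LIST_ENTRY *head = &ldr->InLoadOrderModuleList;
    size_t n = 0;
    for (const LIST_ENTRY *p = head->Flink; p != NULL && p != head && n < max; p = p->Flink) {
        /* InLoadOrderLinks is at offset 0, so this is a plain cast here; for the
         * other two lists the same macro subtracts the link's offset. */
        const LDR_DATA_TABLE_ENTRY *e =
            CONTAINING_RECORD(p, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
        size_t chars = e->FullDllName.Length / sizeof(wchar_t);
        if (chars > 63) chars = 63;
        memcpy(out[n], e->FullDllName.Buffer, chars * sizeof(wchar_t));
        out[n][chars] = L'\0';
        n++;
    }
    return n;   /* a corrupt or unterminated list is bounded by max, not a hang */
}

/* Constructed sample process: the image itself comes first, as the WinDbg walk
 * showed, followed by two DLLs. The paths are invented for the example. */
static wchar_t path0[] = L"C:\\Windows\\System32\\dwm.exe";
static wchar_t path1[] = L"C:\\Windows\\System32\\ntdll.dll";
static wchar_t path2[] = L"C:\\Windows\\System32\\kernel32.dll";

static void list_init(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static void list_insert_tail(LIST_ENTRY *h, LIST_ENTRY *e)
{
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;
}
static void set_name(UNICODE_STRING *u, wchar_t *s)
{
    u->Length = (uint16_t)(wcslen(s) * sizeof(wchar_t));
    u->MaximumLength = (uint16_t)(u->Length + sizeof(wchar_t));
    u->Buffer = s;
}

static PEB_LDR_DATA *build_sample_process(void)
{
    static PEB_LDR_DATA ldr;
    static LDR_DATA_TABLE_ENTRY mods[3];
    wchar_t *paths[3] = { path0, path1, path2 };
    memset(&ldr, 0, sizeof ldr);
    ldr.Length = sizeof ldr;
    ldr.Initialized = 1;
    list_init(&ldr.InLoadOrderModuleList);
    for (int i = 0; i < 3; i++) {
        memset(&mods[i], 0, sizeof mods[i]);
        set_name(&mods[i].FullDllName, paths[i]);
        list_insert_tail(&ldr.InLoadOrderModuleList, &mods[i].InLoadOrderLinks);
    }
    return &ldr;
}

int main(void)
{
    wchar_t names[8][64];
    size_t n = enum_modules(build_sample_process(), names, 8);
    for (size_t i = 0; i < n; i++)
        printf("%zu: %ls\n", i, names[i]);
    return 0;
}
```

The `max` bound and the NULL check are the part worth carrying into the real driver: a user-mode process can unlink or corrupt its own loader list, and R0 code that trusts `Flink` unconditionally turns that into a hung or crashed kernel.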
Teach you to get a process's loaded modules from EPROCESS under R0