How can I get the "name" of the starting address of a process, how is this done in Process Explorer?

Well, I am writing an application designed to list threads in a given process, as Process Explorer does. I am well aware that this could potentially break between different versions of Windows, because it relies on "unofficial" APIs such as NtQuerySystemInformation, and I can cope with that.

I already have code to get the base address of this thread. I would now like to turn this into something like what Process Explorer shows, i.e. "ntdll.dll!EtwDeliverDataBlock+0x453". I don't really need a function name or an offset, just a module name.

How can I do this?

+3
3 answers

If you only need a module name, the easiest way is to use EnumProcessModules to get a list of all loaded modules, then use GetModuleInformation for each of them. One of the things returned by GetModuleInformation is the base address where this module loads. Technically, the integer value of the HMODULE itself matches the base address, but that seems a bit fragile to me ...

Then it's just a matter of finding the module with a base address just below the current (or start) address of the thread.

Oh, and to get the actual name of the module, use GetModuleBaseName.

+4
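The lookup this answer describes, written out as an added example (it is not code from the thread or from Process Explorer): on Windows it fills a module table with EnumProcessModules, GetModuleInformation and GetModuleBaseName, then resolves an address to "module+0xoffset". The search itself is plain C and runs against a constructed module table, so it also compiles on a non-Windows host. The names module_entry, find_module, format_address, describe and load_modules, and the sample base addresses and sizes, are this example's own assumptions. One detail worth noting: the search checks that the address lies inside base + SizeOfImage rather than only picking the module whose base is "just below" it, because otherwise a heap or stack address gets labelled with whichever module happens to sit beneath it.

```c
/* Added example, not from the thread: resolve an address to "module+0xoffset".
   Portable part: module table + lookup. Windows part: filling the table with
   the PSAPI calls mentioned in the answer (link with psapi). */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

typedef struct {
    uintptr_t base;      /* lpBaseOfDll from MODULEINFO */
    size_t    size;      /* SizeOfImage from MODULEINFO */
    char      name[64];  /* result of GetModuleBaseName */
} module_entry;

/* Return the index of the module whose image range contains addr, or -1.
   The upper bound matters: an address that falls between two images (a heap,
   a stack, a private mapping) must not be reported as "nearest module + huge
   offset". */
int find_module(const module_entry *mods, size_t count, uintptr_t addr)
{
    for (size_t i = 0; i < count; i++) {
        if (addr >= mods[i].base && addr < mods[i].base + mods[i].size)
            return (int)i;
    }
    return -1;
}

/* Write "name+0xoffset" (or "<unknown>+0xaddr" when no module matches) into out. */
int format_address(const module_entry *mods, size_t count, uintptr_t addr,
                   char *out, size_t outlen)
{
    int idx = find_module(mods, count, addr);
    if (idx < 0)
        return snprintf(out, outlen, "<unknown>+0x%llx", (unsigned long long)addr);
    return snprintf(out, outlen, "%s+0x%llx", mods[idx].name,
                    (unsigned long long)(addr - mods[idx].base));
}

/* Constructed sample table standing in for a real process's module list
   (assumed bases/sizes, chosen to fit a 32-bit address space). */
static const module_entry sample_modules[] = {
    { 0x77d00000u, 0x1a0000u, "ntdll.dll" },    /* ends at 0x77ea0000 */
    { 0x76a00000u, 0x0d0000u, "kernel32.dll" }, /* ends at 0x76ad0000 */
};

/* Convenience wrapper over the sample table; returns a static buffer. */
const char *describe(uintptr_t addr)
{
    static char buf[128];
    format_address(sample_modules,
                   sizeof sample_modules / sizeof sample_modules[0],
                   addr, buf, sizeof buf);
    return buf;
}

#ifdef _WIN32
#include <windows.h>
#include <psapi.h>
/* Fill mods for a process opened with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ.
   (A 64-bit caller inspecting a 32-bit process needs EnumProcessModulesEx.) */
size_t load_modules(HANDLE hProcess, module_entry *mods, size_t max)
{
    HMODULE handles[1024];
    DWORD needed = 0;
    if (!EnumProcessModules(hProcess, handles, sizeof(handles), &needed))
        return 0;
    size_t n = needed / sizeof(HMODULE);
    if (n > max) n = max;
    size_t out = 0;
    for (size_t i = 0; i < n; i++) {
        MODULEINFO mi;
        if (!GetModuleInformation(hProcess, handles[i], &mi, sizeof(mi)))
            continue;
        mods[out].base = (uintptr_t)mi.lpBaseOfDll;
        mods[out].size = mi.SizeOfImage;
        if (!GetModuleBaseNameA(hProcess, handles[i], mods[out].name,
                                (DWORD)sizeof(mods[out].name)))
            strcpy(mods[out].name, "<noname>");
        out++;
    }
    return out;
}
#endif

int main(void)
{
    puts(describe(0x77d00453u)); /* inside ntdll.dll  -> ntdll.dll+0x453 */
    puts(describe(0x76a00010u)); /* inside kernel32   -> kernel32.dll+0x10 */
    puts(describe(0x77000000u)); /* gap between images -> <unknown>+0x77000000 */
    return 0;
}
```

On Windows, build with psapi linked (psapi.lib for MSVC, -lpsapi for MinGW), call load_modules on a handle to the target process, and pass the resulting table to format_address with the thread start address you already obtain; the sample table and main() exist only so the lookup can be exercised without a live process.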

GetModuleHandleEx GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS, . GetModuleBaseName, .

: , GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, .

+1

You can use this code to get the module handle (it is faster than GetModuleHandleEx), and then call GetModuleBaseName.

#include <windows.h>

// Returns the module whose image contains pCaller in the calling process
// (VirtualQuery only inspects the caller's own address space), or NULL on failure.
HMODULE GetCallingModule( LPCVOID pCaller )
{
    HMODULE hModule = NULL;
    MEMORY_BASIC_INFORMATION mbi;
    if ( VirtualQuery(pCaller, &mbi, sizeof(MEMORY_BASIC_INFORMATION)) == sizeof(MEMORY_BASIC_INFORMATION) )
    {
        // the allocation base is the beginning of a PE file
        hModule = (HMODULE) mbi.AllocationBase;
    }
    return hModule;
}
0

Source: https://habr.com/ru/post/1779709/
