#1
Modules loaded by an exe
Hi,
I would like to know how some programs such as LordPE display the DLLs loaded by an executable. What APIs are called? Thanks in advance.
#2
Look here, it's extremely simple:
hxxp://www.codeguru.com/Cpp/W-P/system/processesmodules/article.php/c5729/ and also here hxxp://www.codeguru.com/Cpp/W-P/system/processesmodules/article.php/c2873/
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪) There are only 10 types of people in the world: Those who understand binary, and those who don't http://www.accessroot.com
#3
Thanks for the info, man!
#4
Sorry, but the method above sucks. Too easy to fool. If you want to create something really useful, stick to the NT+ architecture. Go search for "PEB_LDR_DATA". This is what you need.
#5
Hmm... are those undocumented things supported across different OSs (XP, 2003)?
It depends on which level you want to be sure of this... the info obtained is almost the same, isn't it?
#6
The PEB is present starting from NT.
The exact implementation of the structure is different. You can extract it from PDB files using pdb-dump by de Quincy.
#7
Here's a little searching project for you all. The de Quincy article is available on "Searchlore" and his utility is available on "Sourceforge."
Regards,
__________________
JMI
#8
PEB detection
As proposed in a concurrent thread (initial register values), the PEB can easily be retrieved with the following (VC) C++ code:
Code:
void *PEB = NULL;
__asm {
    mov eax, fs:[0x30]   // TEB+0x30 holds the PEB pointer
    mov PEB, eax
}
On Windows 2000 it is constantly 0x7ffdf000.
Regards, PHaX
#9
My dear JMI, no need to go to Sourceforge:
http://wasm.ru/tools/21/pdbdump.zip + DIA SDK: http://wasm.ru/tools/4/dia.zip
#10
volodya:
I already knew that these utilities were available in many places. I was merely intending to encourage people to learn better how to search. I also thought some might like to actually read de Quincy's article.
Regards,
__________________
JMI
Last edited by JMI; 05-15-2004 at 03:14.
#11
Hi volodya!
I have tried to use pdbdump with ntdll.dbg and ntdll.pdb, but the output is only the names of the public, import and export symbols... We don't have the layout or struct definition of the PEB. Regards
#12
Try ntoskrnl.pdb.
#13
Thanks volodya!
I have dumped ntoskrnl.pdb, but I still do not find the PEB struct. The attached file is the output of pdbdump on ntoskrnl.pdb. Regards
#14
This is strange, my friend.
Dump from ntoskrnl.exe (Windows 2003):
Code:
struct _PEB {
// static data ------------------------------------
// non-static data --------------------------------
/*<thisrel this+0x0>*/ /*|0x1|*/ unsigned char InheritedAddressSpace;
/*<thisrel this+0x1>*/ /*|0x1|*/ unsigned char ReadImageFileExecOptions;
/*<thisrel this+0x2>*/ /*|0x1|*/ unsigned char BeingDebugged;
/*<thisrel this+0x3>*/ /*|0x1|*/ unsigned char SpareBool;
/*<thisrel this+0x4>*/ /*|0x4|*/ void* Mutant;
/*<thisrel this+0x8>*/ /*|0x4|*/ void* ImageBaseAddress;
/*<thisrel this+0xc>*/ /*|0x4|*/ struct _PEB_LDR_DATA* Ldr;
/*<thisrel this+0x10>*/ /*|0x4|*/ struct _RTL_USER_PROCESS_PARAMETERS* ProcessParameters;
/*<thisrel this+0x14>*/ /*|0x4|*/ void* SubSystemData;
/*<thisrel this+0x18>*/ /*|0x4|*/ void* ProcessHeap;
/*<thisrel this+0x1c>*/ /*|0x4|*/ struct _RTL_CRITICAL_SECTION* FastPebLock;
/*<thisrel this+0x20>*/ /*|0x4|*/ void* SparePtr1;
/*<thisrel this+0x24>*/ /*|0x4|*/ void* SparePtr2;
/*<thisrel this+0x28>*/ /*|0x4|*/ unsigned long EnvironmentUpdateCount;
/*<thisrel this+0x2c>*/ /*|0x4|*/ void* KernelCallbackTable;
/*<thisrel this+0x30>*/ /*|0x4|*/ unsigned long SystemReserved[1];
/*<bitfield this+0x34>*/ /*|0x4|*/ unsigned long ExecuteOptions:0:2;
/*<bitfield this+0x34>*/ /*|0x4|*/ unsigned long SpareBits:2:1e;
/*<thisrel this+0x38>*/ /*|0x4|*/ struct _PEB_FREE_BLOCK* FreeList;
/*<thisrel this+0x3c>*/ /*|0x4|*/ unsigned long TlsExpansionCounter;
/*<thisrel this+0x40>*/ /*|0x4|*/ void* TlsBitmap;
/*<thisrel this+0x44>*/ /*|0x8|*/ unsigned long TlsBitmapBits[2];
/*<thisrel this+0x4c>*/ /*|0x4|*/ void* ReadOnlySharedMemoryBase;
/*<thisrel this+0x50>*/ /*|0x4|*/ void* ReadOnlySharedMemoryHeap;
/*<thisrel this+0x54>*/ /*|0x4|*/ void** ReadOnlyStaticServerData;
/*<thisrel this+0x58>*/ /*|0x4|*/ void* AnsiCodePageData;
/*<thisrel this+0x5c>*/ /*|0x4|*/ void* OemCodePageData;
/*<thisrel this+0x60>*/ /*|0x4|*/ void* UnicodeCaseTableData;
/*<thisrel this+0x64>*/ /*|0x4|*/ unsigned long NumberOfProcessors;
/*<thisrel this+0x68>*/ /*|0x4|*/ unsigned long NtGlobalFlag;
/*<thisrel this+0x70>*/ /*|0x8|*/ union _LARGE_INTEGER CriticalSectionTimeout;
/*<thisrel this+0x78>*/ /*|0x4|*/ unsigned long HeapSegmentReserve;
/*<thisrel this+0x7c>*/ /*|0x4|*/ unsigned long HeapSegmentCommit;
/*<thisrel this+0x80>*/ /*|0x4|*/ unsigned long HeapDeCommitTotalFreeThreshold;
/*<thisrel this+0x84>*/ /*|0x4|*/ unsigned long HeapDeCommitFreeBlockThreshold;
/*<thisrel this+0x88>*/ /*|0x4|*/ unsigned long NumberOfHeaps;
/*<thisrel this+0x8c>*/ /*|0x4|*/ unsigned long MaximumNumberOfHeaps;
/*<thisrel this+0x90>*/ /*|0x4|*/ void** ProcessHeaps;
/*<thisrel this+0x94>*/ /*|0x4|*/ void* GdiSharedHandleTable;
/*<thisrel this+0x98>*/ /*|0x4|*/ void* ProcessStarterHelper;
/*<thisrel this+0x9c>*/ /*|0x4|*/ unsigned long GdiDCAttributeList;
/*<thisrel this+0xa0>*/ /*|0x4|*/ struct _RTL_CRITICAL_SECTION* LoaderLock;
/*<thisrel this+0xa4>*/ /*|0x4|*/ unsigned long OSMajorVersion;
/*<thisrel this+0xa8>*/ /*|0x4|*/ unsigned long OSMinorVersion;
/*<thisrel this+0xac>*/ /*|0x2|*/ unsigned short OSBuildNumber;
/*<thisrel this+0xae>*/ /*|0x2|*/ unsigned short OSCSDVersion;
/*<thisrel this+0xb0>*/ /*|0x4|*/ unsigned long OSPlatformId;
/*<thisrel this+0xb4>*/ /*|0x4|*/ unsigned long ImageSubsystem;
/*<thisrel this+0xb8>*/ /*|0x4|*/ unsigned long ImageSubsystemMajorVersion;
/*<thisrel this+0xbc>*/ /*|0x4|*/ unsigned long ImageSubsystemMinorVersion;
/*<thisrel this+0xc0>*/ /*|0x4|*/ unsigned long ImageProcessAffinityMask;
/*<thisrel this+0xc4>*/ /*|0x88|*/ unsigned long GdiHandleBuffer[34];
/*<thisrel this+0x14c>*/ /*|0x4|*/ void (PostProcessInitRoutine*)();
/*<thisrel this+0x150>*/ /*|0x4|*/ void* TlsExpansionBitmap;
/*<thisrel this+0x154>*/ /*|0x80|*/ unsigned long TlsExpansionBitmapBits[32];
/*<thisrel this+0x1d4>*/ /*|0x4|*/ unsigned long SessionId;
/*<thisrel this+0x1d8>*/ /*|0x8|*/ union _ULARGE_INTEGER AppCompatFlags;
/*<thisrel this+0x1e0>*/ /*|0x8|*/ union _ULARGE_INTEGER AppCompatFlagsUser;
/*<thisrel this+0x1e8>*/ /*|0x4|*/ void* pShimData;
/*<thisrel this+0x1ec>*/ /*|0x4|*/ void* AppCompatInfo;
/*<thisrel this+0x1f0>*/ /*|0x8|*/ struct _UNICODE_STRING CSDVersion;
/*<thisrel this+0x1f8>*/ /*|0x4|*/ struct _ACTIVATION_CONTEXT_DATA* ActivationContextData;
/*<thisrel this+0x1fc>*/ /*|0x4|*/ struct _ASSEMBLY_STORAGE_MAP* ProcessAssemblyStorageMap;
/*<thisrel this+0x200>*/ /*|0x4|*/ struct _ACTIVATION_CONTEXT_DATA* SystemDefaultActivationContextData;
/*<thisrel this+0x204>*/ /*|0x4|*/ struct _ASSEMBLY_STORAGE_MAP* SystemAssemblyStorageMap;
/*<thisrel this+0x208>*/ /*|0x4|*/ unsigned long MinimumStackCommit;
/*<thisrel this+0x20c>*/ /*|0x4|*/ void** FlsCallback;
/*<thisrel this+0x210>*/ /*|0x8|*/ struct _LIST_ENTRY FlsListHead;
/*<thisrel this+0x218>*/ /*|0x4|*/ void* FlsBitmap;
/*<thisrel this+0x21c>*/ /*|0x10|*/ unsigned long FlsBitmapBits[4];
/*<thisrel this+0x22c>*/ /*|0x4|*/ unsigned long FlsHighIndex;
// base classes -----------------------------------
// friends ----------------------------------------
// static functions -------------------------------
// non-virtual functions --------------------------
// virtual functions ------------------------------
}; // <size 0x230>
#15
Code:
#include <windows.h>
#include <tlhelp32.h>

DWORD currentProcessId = ::GetCurrentProcessId();
HANDLE h = ::CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, currentProcessId);
if (h != INVALID_HANDLE_VALUE)
{
    MODULEENTRY32 me32 = {0};
    me32.dwSize = sizeof(MODULEENTRY32);   // must be set before Module32First
    for (BOOL b = ::Module32First(h, &me32); b; b = ::Module32Next(h, &me32))
    {
        // do something with me32 (szModule, modBaseAddr, modBaseSize, szExePath)
    }
    ::CloseHandle(h);
}
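An added example, not code from any poster in this thread: the PEB_LDR_DATA walk that post #4 points at, written to run offline against a constructed list. The struct prefixes are assumed from the Windows 2003 x86 dump above (host pointer width, only the fields the walker touches); on a real 32-bit process the PEB_LDR_DATA pointer would be read from the PEB at fs:[0x30] as in post #8, field Ldr at offset 0xc. The back-link check is the defender's part: neighbours that disagree about an entry are a sign the list was tampered with.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <wchar.h>
/* Assumed struct prefixes, mirroring the x86 Windows 2003 dump above with host
 * pointer width so the same walker runs on a constructed list off Windows. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct { uint16_t Length, MaximumLength; wchar_t *Buffer; } UNICODE_STRING;
typedef struct {
    uint32_t Length; uint8_t Initialized; void *SsHandle;
    LIST_ENTRY InLoadOrderModuleList, InMemoryOrderModuleList, InInitializationOrderModuleList;
} PEB_LDR_DATA;                                   /* PEB->Ldr points here */
typedef struct {
    LIST_ENTRY InLoadOrderLinks, InMemoryOrderLinks, InInitializationOrderLinks;
    void *DllBase, *EntryPoint; uint32_t SizeOfImage;
    UNICODE_STRING FullDllName, BaseDllName;
} LDR_DATA_TABLE_ENTRY;
#define ENTRY_OF(p) ((const LDR_DATA_TABLE_ENTRY *)((const char *)(p) - \
                     offsetof(LDR_DATA_TABLE_ENTRY, InLoadOrderLinks)))
/* Walk InLoadOrderModuleList from the head back to itself, copying narrowed base
 * names into names[]. Returns the count; stops on a broken back-link (corrupted or
 * half-unlinked entry) or when max is reached, which guards against a looped list. */
size_t walk_load_order(const PEB_LDR_DATA *ldr, char names[][64], size_t max) {
    const LIST_ENTRY *head = &ldr->InLoadOrderModuleList, *cur = head->Flink;
    size_t n = 0, len, i;
    while (cur && cur != head && n < max) {
        if (!cur->Flink || cur->Flink->Blink != cur) break;   /* integrity check */
        const LDR_DATA_TABLE_ENTRY *e = ENTRY_OF(cur);
        len = e->BaseDllName.Length / sizeof(wchar_t);        /* Length is in bytes */
        for (i = 0; i < len && i < 63; i++) names[n][i] = (char)e->BaseDllName.Buffer[i];
        names[n][i] = '\0';
        n++; cur = cur->Flink;
    }
    return n;
}
/* Constructed sample (not a real process): three entries linked in a ring,
 * optionally with the last back-link broken to show the integrity stop. */
char demo_names[16][64];
size_t demo_walk(int corrupt_last) {
    static const wchar_t *base[3] = { L"app.exe", L"ntdll.dll", L"kernel32.dll" };
    static LDR_DATA_TABLE_ENTRY e[3]; static PEB_LDR_DATA ldr;
    LIST_ENTRY *prev = &ldr.InLoadOrderModuleList; int i;
    for (i = 0; i < 3; i++) {
        e[i].BaseDllName.Buffer = (wchar_t *)base[i];
        e[i].BaseDllName.Length = (uint16_t)(wcslen(base[i]) * sizeof(wchar_t));
        prev->Flink = &e[i].InLoadOrderLinks; e[i].InLoadOrderLinks.Blink = prev;
        prev = &e[i].InLoadOrderLinks;
    }
    prev->Flink = &ldr.InLoadOrderModuleList; ldr.InLoadOrderModuleList.Blink = prev;
    if (corrupt_last) e[2].InLoadOrderLinks.Blink = NULL;     /* simulated tampering */
    return walk_load_order(&ldr, demo_names, 16);
}
```

A cleanly unlinked module leaves a consistent ring and is invisible to this walk too, so compare its result with the Toolhelp snapshot above rather than trusting either list alone.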