How can one obtain the "name" of a process start address as done in Process Explorer?
Okay, I'm writing an application designed to enumerate threads in a given process, just as Process Explorer does. I'm well aware that this is potentially going to break between different Windows versions, because it relies on "unofficial" APIs like NtQuerySystemInformation, and I'm perfectly fine with that.
I already have the code to obtain the base address of a given thread. I'd like to now turn that into something like what Process Explorer does, i.e. "ntdll.dll!EtwDeliverDataBlock+0x453". I don't actually need the function name or offset, just the module name.
How can I do this?
If all you need is the module name, the simplest way is to use EnumProcessModules to get a list of all the loaded modules, then use GetModuleInformation on each of them. One of the things that GetModuleInformation returns is the base address where that module is loaded. Technically, the integer value of the HMODULE itself is the same as the base address, but that seems a little fragile to me...
Then it's simply a matter of finding the module with a base address just below the thread's current (or start) address.
Oh, and to get the actual name of the module, there's GetModuleBaseName.
You can use GetModuleHandleEx with the GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS flag to get a handle to a module given an address. You can then use GetModuleBaseName to get the name of the module.
Edit: You'll probably want to use the GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT flag as well, so you don't increase the reference count of the module.
You can use this code to get the module handle (it is faster than GetModuleHandleEx) and then call GetModuleBaseName.
#include <windows.h>

// Returns the module containing pCaller, or NULL if the address is not inside
// a mapped image. VirtualQuery only looks at the calling process's address
// space; for another process use VirtualQueryEx with a process handle.
HMODULE GetCallingModule( LPCVOID pCaller )
{
    HMODULE hModule = NULL;
    MEMORY_BASIC_INFORMATION mbi;
    if ( VirtualQuery(pCaller, &mbi, sizeof(MEMORY_BASIC_INFORMATION)) == sizeof(MEMORY_BASIC_INFORMATION)
         && mbi.Type == MEM_IMAGE ) // only an image mapping's allocation base is a PE header
    {
        // the allocation base is the beginning of a PE file
        hModule = (HMODULE) mbi.AllocationBase;
    }
    return hModule;
}
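Putting the first two answers together, here is an added example (my code, not from the question or any of the answers): it resolves an address to "module.dll+0xoffset" the way the first answer describes (EnumProcessModules, GetModuleInformation for base and size, GetModuleBaseName), and also shows the second answer's in-process GetModuleHandleEx shortcut with both flags. The function names, the ModuleInfo table and the sample module addresses are my own assumptions; the sample table is constructed so the lookup can run without Windows, while the Win32 enumeration is compiled only under _WIN32. Because the table also records each module's size, an address that falls outside every image (a thread started in a private or JIT region) comes back as "no module" instead of being attributed to the nearest DLL, which is the case worth flagging when you are listing threads.

```c
/* Added example, not code from the question or any answer above. It does what
 * the first answer describes: EnumProcessModules, then GetModuleInformation for
 * base and size, then GetModuleBaseName, and formats "module.dll+0xoffset".
 * The lookup is plain C so it runs anywhere against a constructed table; the
 * Win32 parts compile only on Windows. Names and sample addresses are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <psapi.h>   /* link with psapi.lib on older SDKs */
#endif
#define MAX_MODULES 1024
#define MODNAME_LEN 64

typedef struct {
    uint64_t base;   /* load address (numerically the same as the HMODULE) */
    uint64_t size;   /* SizeOfImage */
    char name[MODNAME_LEN];
} ModuleInfo;

/* Module whose [base, base+size) contains addr, or NULL. Checking the size
 * instead of "nearest base below addr" is what makes a start address in a
 * private/JIT/shellcode region report "no module" rather than the nearest DLL. */
const ModuleInfo *find_module(const ModuleInfo *mods, size_t n, uint64_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size)
            return &mods[i];
    return NULL;
}

/* The module part of Process Explorer's "ntdll.dll!Func+0x453": no symbol
 * lookup here, so the offset is relative to the module base. */
int format_module_offset(const ModuleInfo *mods, size_t n, uint64_t addr,
                         char *out, size_t outlen)
{
    const ModuleInfo *m = find_module(mods, n, addr);
    if (m == NULL)
        return snprintf(out, outlen, "0x%llx (no module)", (unsigned long long)addr);
    return snprintf(out, outlen, "%s+0x%llx", m->name,
                    (unsigned long long)(addr - m->base));
}

#ifdef _WIN32
/* Fill the table for a process opened with PROCESS_QUERY_INFORMATION |
 * PROCESS_VM_READ. Unlike GetModuleHandleEx/VirtualQuery this works on a
 * remote process. Returns the number of modules recorded, 0 on failure. */
size_t enumerate_modules(HANDLE hProcess, ModuleInfo *mods, size_t cap)
{
    HMODULE handles[MAX_MODULES];
    DWORD needed = 0;
    size_t n = 0;
    if (!EnumProcessModules(hProcess, handles, sizeof(handles), &needed))
        return 0;
    size_t count = needed / sizeof(HMODULE);
    if (count > MAX_MODULES) count = MAX_MODULES;
    for (size_t i = 0; i < count && n < cap; i++) {
        MODULEINFO mi;
        if (!GetModuleInformation(hProcess, handles[i], &mi, sizeof(mi)))
            continue;
        mods[n].base = (uint64_t)(uintptr_t)mi.lpBaseOfDll;
        mods[n].size = mi.SizeOfImage;
        if (!GetModuleBaseNameA(hProcess, handles[i], mods[n].name, MODNAME_LEN))
            strcpy(mods[n].name, "?");
        n++;
    }
    return n;
}

/* In-process shortcut from the second answer: GetModuleHandleEx with the
 * FROM_ADDRESS and UNCHANGED_REFCOUNT flags, so the DLL is not pinned. */
BOOL module_name_in_process(const void *addr, char *out, DWORD outlen)
{
    HMODULE h = NULL;
    if (!GetModuleHandleExA(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
                            GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT,
                            (LPCSTR)addr, &h))
        return FALSE;   /* not inside any loaded image */
    return GetModuleBaseNameA(GetCurrentProcess(), h, out, outlen) != 0;
}
#endif

/* Constructed sample table; bases and sizes are made up for the demo. */
static const ModuleInfo sample_modules[] = {
    { 0x7ff800000000ULL, 0x1f0000ULL, "ntdll.dll" },
    { 0x7ff7c0000000ULL, 0x0c0000ULL, "kernel32.dll" },
    { 0x000140000000ULL, 0x050000ULL, "app.exe" },
};
static const size_t sample_count = sizeof(sample_modules) / sizeof(sample_modules[0]);

int main(void)
{
    char buf[128];
    format_module_offset(sample_modules, sample_count, 0x7ff800012345ULL, buf, sizeof buf);
    puts(buf);   /* ntdll.dll+0x12345 */
    format_module_offset(sample_modules, sample_count, 0x7ff7c00c0000ULL, buf, sizeof buf);
    puts(buf);   /* 0x7ff7c00c0000 (no module) */
    return 0;
}
```

On Windows, call enumerate_modules with a handle to the target process and pass each thread's start address to format_module_offset; the GetModuleHandleEx and VirtualQuery routes only describe the calling process, so for the remote-thread case in the question the EnumProcessModules table (or VirtualQueryEx) is the one to use.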