API tools faq
paste
captmicro

listing a remote processes module

captmicro
Sep 27th, 2015
390
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C++ 1.21 KB | None | 0 0
raw download clone embed print report
  1. void remote_listmodules(HANDLE proc, void *_peb)
  2. {
  3.     PEB peb;
  4.         PEB_LDR_DATA LdrData;
  5.     DWORD bytesRead = 0;
  6.     void *flink;
  7.     void *cmod;
  8.     void *_BaseAddress = 0;
  9.     void *_BaseDllName = 0;
  10.  
  11.     if (_peb == NULL) return;
  12.  
  13.         // Get remote PEB information
  14.         memset((void *)&peb, 0, sizeof(PEB));
  15.         ReadProcessMemory(proc, (LPVOID)_peb, &peb, sizeof(PEB), &bytesRead);
  16.        
  17.         // Get LdrData
  18.         memset((void *)&LdrData, 0, sizeof(PEB_LDR_DATA));
  19.         ReadProcessMemory(proc, (LPVOID)peb->LoaderData, &LdrData, sizeof(PEB_LDR_DATA), &bytesRead);
  20.  
  21.         // Get first link
  22.         flink = LdrData.InLoadOrderModuleList.Flink;
  23.         cmod = flink;
  24.  
  25.     do
  26.     {
  27.                 // Get module base address:
  28.                 ReadProcessMemory(proc, (LPVOID)((DWORD)cmod+0x10), &_BaseAddress, sizeof(DWORD), &bytesRead);
  29.                 // I'll leave getting the module name as an exercise for the capt. micro!
  30.         if (_BaseAddress != 0)
  31.             wprintf(L"%s @ 0x%X\n", (WCHAR*)_BaseDllName, (ULONG)_BaseAddress);
  32.                 // Get pointer to next item
  33.         ReadProcessMemory(proc, (LPVOID)cmod, &cmod, sizeof(LPVOID), &bytesRead);
  34.     } while (cmod != NULL && cmod != flink);
  35.  
  36.     return;
  37. }
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!