- //http://waleedassar.blogspot.com/
- //http://www.twitter.com/waleedassar
- //The following 64-bit code enumerates all loaded modules in a 64-bit process.
- //Compile with Microsoft Linker.
- #include "stdafx.h"
- #include "windows.h"
- #include "winternl.h"
- #include "stdio.h"
// Information-class selectors passed as the third argument of
// ZwQueryVirtualMemory. The names are the author's; these classes are not
// declared by the headers included above, so the numeric values should be
// confirmed against the Windows build being targeted.
#define MemorySectionName         0x2  // used below to fetch the backing file name of a mapping
#define MemoryBasicVlmInformation 0x3  // used below to fetch the image base and image size
// Output record for the MemoryBasicVlmInformation query.
// The layout is the author's reconstruction of an undocumented structure;
// NOTE(review): confirm field offsets on the target Windows version before
// relying on the values.
struct MEMORY_BASIC_VLM_INFORMATION
{
    unsigned long long ImageBase;    // base address of the image containing the queried page
    unsigned long      blah[2];      // two fields the author does not interpret
    unsigned long long SizeOfImage;  // size of that image, in bytes
};
// Hand-written prototype for the native ZwQueryVirtualMemory call, which the
// headers included above do not declare. The return value is an NTSTATUS
// (declared here as int): negative values indicate failure.
// Parameter widths are the author's choices for a 64-bit build.
// NOTE(review): linking presumably needs the ntdll import library - confirm.
extern "C" int __stdcall ZwQueryVirtualMemory(
    HANDLE              ProcessHandle,
    void*               BaseAddress,
    unsigned long long  MemoryInformationClass,
    void*               MemoryInformation,
    unsigned long long  MemoryInformationLength,
    unsigned long long* ReturnLength);
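// Enumerates the image-backed mappings of the current 64-bit process.
//
// The user-mode address range reported by GetSystemInfo is probed one page
// at a time with VirtualQuery. For every page whose region type is MEM_IMAGE
// the backing file name (MemorySectionName) and the image base and size
// (MemoryBasicVlmInformation) are fetched with ZwQueryVirtualMemory and
// printed. Because the memory manager is asked directly, the listing does
// not depend on the loader's own module list, which makes it a useful
// cross-check when the two are compared.
//
// Returns 0 on completion, 1 if the name buffer cannot be allocated.
int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;

    SYSTEM_INFO SI = {0};
    GetSystemInfo(&SI);
    const unsigned long long min_addr = (unsigned long long)(SI.lpMinimumApplicationAddress);
    const unsigned long long max_addr = (unsigned long long)(SI.lpMaximumApplicationAddress);
    const unsigned long long page = SI.dwPageSize;

    // One page receives the UNICODE_STRING header followed by the name text.
    const unsigned long long name_buf_size = 0x1000;
    UNICODE_STRING* p = (UNICODE_STRING*)LocalAlloc(LMEM_ZEROINIT, name_buf_size);
    if (p == NULL)
    {
        fwprintf(stderr, L"LocalAlloc failed: %lu\r\n", GetLastError());
        return 1;
    }

    for (unsigned long long i = min_addr; i <= max_addr; i += page)
    {
        MEMORY_BASIC_INFORMATION MBI = {0};
        if (!VirtualQuery((void*)i, &MBI, sizeof(MBI)))
            continue;
        if (MBI.Type != MEM_IMAGE)
            continue;

        // NTSTATUS values below zero are failures. On failure the buffer may
        // still hold the previous module's name, so it must not be printed.
        int status = ZwQueryVirtualMemory(GetCurrentProcess(),
                                          (void*)i, MemorySectionName, p, name_buf_size, 0);
        if (status >= 0 && p->Buffer != NULL)
        {
            // A UNICODE_STRING is counted (Length is in bytes) and is not
            // guaranteed to be NUL-terminated, so bound the print by Length.
            wprintf(L"Module: %.*s\r\n", (int)(p->Length / sizeof(WCHAR)), p->Buffer);
        }
        else
        {
            wprintf(L"Module: <name query failed, status 0x%08x>\r\n", (unsigned int)status);
        }

        unsigned long long out = 0;
        MEMORY_BASIC_VLM_INFORMATION MBVI = {0};
        status = ZwQueryVirtualMemory(GetCurrentProcess(),
                                      (void*)i, MemoryBasicVlmInformation, &MBVI, sizeof(MBVI), &out);
        if (status < 0)
        {
            // Without a trustworthy base/size keep scanning page by page.
            wprintf(L" <image query failed, status 0x%08x>\r\n", (unsigned int)status);
            continue;
        }

        unsigned long long IB = MBVI.ImageBase;
        wprintf(L" at:%I64x", IB);
        unsigned long long szImage = MBVI.SizeOfImage;
        wprintf(L" size:%I64x\r\n", szImage);

        // Resume at the first page after the image. The loop header adds one
        // page, so step to (end - page); adding the size to the current
        // address as well would skip the page that directly follows the
        // image. Only move when the result is a forward step and the end
        // address did not wrap.
        const unsigned long long image_end = IB + szImage;
        if (image_end > IB && image_end >= i + page)
            i = image_end - page;
    }

    LocalFree(p);
    return 0;
}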