static void hookAllModules(void) { HANDLE hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId()); if (hModuleSnap == INVALID_HANDLE_VALUE) { return; } MODULEENTRY32 me32; me32.dwSize = sizeof me32; if (VERBOSITY > 0) { static bool first = true; if (first) { if (Module32First(hModuleSnap, &me32)) { debugPrintf(" modules:\n"); do { debugPrintf(" %s\n", me32.szExePath); } while (Module32Next(hModuleSnap, &me32)); } first = false; } } if (Module32First(hModuleSnap, &me32)) { do { hookModule(me32.hModule, me32.szExePath); } while (Module32Next(hModuleSnap, &me32)); } CloseHandle(hModuleSnap); }
/** * Inspect all loaded modules for the specified process * @param dwProcessId Process id */ void VBoxServicePageSharingInspectModules(DWORD dwProcessId) { HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId); if (hSnapshot == INVALID_HANDLE_VALUE) { printf("VBoxServicePageSharingInspectModules: CreateToolhelp32Snapshot failed with %d\n", GetLastError()); return; } printf("VBoxServicePageSharingInspectModules\n"); MODULEENTRY32 ModuleInfo; BOOL bRet; ModuleInfo.dwSize = sizeof(ModuleInfo); bRet = Module32First(hSnapshot, &ModuleInfo); do { /** todo when changing this make sure VBoxService.exe is excluded! */ char *pszDot = strrchr(ModuleInfo.szModule, '.'); if ( pszDot && (pszDot[1] == 'e' || pszDot[1] == 'E')) continue; /* ignore executables for now. */ VBoxServicePageSharingCheckModule(&ModuleInfo); } while (Module32Next(hSnapshot, &ModuleInfo)); CloseHandle(hSnapshot); }
QString CCrashStack::GetModuleByRetAddr(PBYTE Ret_Addr, PBYTE & Module_Addr) { MODULEENTRY32 M = {sizeof(M)}; HANDLE hSnapshot; wchar_t Module_Name[MAX_PATH] = {0}; hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, 0); if ((hSnapshot != INVALID_HANDLE_VALUE) && Module32First(hSnapshot, &M)) { do { if (DWORD(Ret_Addr - M.modBaseAddr) < M.modBaseSize) { lstrcpyn(Module_Name, M.szExePath, MAX_PATH); Module_Addr = M.modBaseAddr; break; } } while (Module32Next(hSnapshot, &M)); } CloseHandle(hSnapshot); QString sRet = QString::fromWCharArray(Module_Name); return sRet; }
BOOL ScanDllInProcess(DWORD dwPID, CString strDllName) { BOOL bRet = FALSE; MODULEENTRY32 pe32; // 在使用这个结构之前,先设置它的大小 pe32.dwSize = sizeof(pe32); // 给进程内所有模块拍一个快照 //276为某进程的ID HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID); if(hProcessSnap == INVALID_HANDLE_VALUE) { //建立快照失败 return bRet; } // 遍历进程快照,轮流显示每个进程的信息 BOOL bMore = Module32First(hProcessSnap, &pe32); while(bMore) { // printf("\n[DLL NAME]\t%s\n",pe32.szModule); // printf("[DLL PATH]\t%s\n",pe32.szExePath); if ( strDllName.CompareNoCase(pe32.szModule) == 0) { bRet = TRUE; break; } bMore = Module32Next(hProcessSnap, &pe32); } // 不要忘记清除掉snapshot对象 CloseHandle(hProcessSnap); return bRet; }
static gpointer find_in_any_module_using_toolhelp (const gchar *symbol_name) { HANDLE snapshot; MODULEENTRY32 me32; gpointer p; if ((snapshot = CreateToolhelp32Snapshot (TH32CS_SNAPMODULE, 0)) == (HANDLE) -1) return NULL; me32.dwSize = sizeof (me32); p = NULL; if (Module32First (snapshot, &me32)) { do { if ((p = GetProcAddress (me32.hModule, symbol_name)) != NULL) break; } while (Module32Next (snapshot, &me32)); } CloseHandle (snapshot); return p; }
uint32_t GetModuleBase(DWORD procId, char* modName) { HANDLE snapshot; MODULEENTRY32 modInfo; snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, procId); modInfo.dwSize = sizeof(MODULEENTRY32); if (Module32First(snapshot, &modInfo)) { // printf("mod %s\n", modInfo.szModule); if (!strcmp(modInfo.szModule, modName)) { CloseHandle(snapshot); return (uint32_t)modInfo.modBaseAddr; } while (Module32Next(snapshot, &modInfo)) { // printf("mod %s\n", modInfo.szModule); if (!strcmp(modInfo.szModule, modName)) { CloseHandle(snapshot); return (uint32_t)modInfo.modBaseAddr; } } } CloseHandle(snapshot); return 0; }
// detect which exe it is (installer, sumatra static or sumatra with dlls) static ExeType DetectExeType() { ExeType exeType = ExeSumatraStatic; HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId()); if (snap == INVALID_HANDLE_VALUE) { plog("DetectExeType(): failed to detect type"); return exeType; } MODULEENTRY32 mod; mod.dwSize = sizeof(mod); BOOL cont = Module32First(snap, &mod); while (cont) { WCHAR *name = mod.szModule; if (str::EqI(name, L"libmupdf.dll")) { exeType = ExeSumatraLib; break; } if (str::StartsWithI(name, L"SumatraPDF-") && str::EndsWithI(name, L"install.exe")) { exeType = ExeInstaller; break; } cont = Module32Next(snap, &mod); } CloseHandle(snap); return exeType; }
BOOL GetPsModuleNameByAddress( ULONG ProcessId, ULONG pfnAddress, LPTSTR pszModuleName, ULONG cbszModuleName ) { MODULEENTRY32 ModuleEntry; HANDLE hSnapShot; BOOL bFlag = FALSE; hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, ProcessId); ModuleEntry.dwSize = sizeof(MODULEENTRY32); bFlag = Module32First(hSnapShot, &ModuleEntry); while (bFlag) { if ((pfnAddress >= (ULONG)ModuleEntry.modBaseAddr) && (pfnAddress <= (ULONG)ModuleEntry.modBaseAddr + ModuleEntry.modBaseSize)) { wcscpy_s(pszModuleName, cbszModuleName, ModuleEntry.szModule); CloseHandle(hSnapShot); return TRUE; } bFlag = Module32Next(hSnapShot, &ModuleEntry); } CloseHandle(hSnapShot); return FALSE; }
//--------------------------------------------------------------------------- void ScanMod(DWORD pid, DWORD* list) { MainForm->lb_mod->Items->Clear(); MainForm->clb_sec->Items->Clear(); memset(mod_list, 0, sizeof(mod_list)); BOOL working = 0; MODULEENTRY32 me32 = {0}; me32.dwSize = sizeof(MODULEENTRY32); unsigned int i = 0; HANDLE hSnapshot; hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid); if (hSnapshot) { working = Module32First(hSnapshot, &me32); while (working) { MainForm->lb_mod->Items->Add(UnicodeString(me32.szModule)); list[i] = (DWORD)me32.modBaseAddr; working = Module32Next(hSnapshot,&me32); i++; } CloseHandle(hSnapshot); } return; }
bool QtProcessFinder::processUsesQt(int pid) { HANDLE hModuleSnap = INVALID_HANDLE_VALUE; MODULEENTRY32 me32; // Take a snapshot of all modules in the specified process. hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid); if (hModuleSnap == INVALID_HANDLE_VALUE) { qWarning("CreateToolhelp32Snapshot (of modules)"); return false; } // Set the size of the structure before using it. me32.dwSize = sizeof(MODULEENTRY32); // Retrieve information about the first module, // and exit if unsuccessful if (!Module32First(hModuleSnap, &me32)) { qWarning("Module32First"); // show cause of failure CloseHandle(hModuleSnap); // clean the snapshot object return false; } // Now walk the module list of the process, // and display information about each module do { if (wcsncmp(me32.szModule, L"Qt5", 3) == 0) { return true; } } while (Module32Next(hModuleSnap, &me32)); CloseHandle(hModuleSnap); return false; }
BOOL CInjectDLL::Uninject(const DWORD dwRemoteProcessID, const LPCTSTR& lpwszRemoteDllFullPath) { std::wstring wstrRemoteDllFullPath = lpwszRemoteDllFullPath; HANDLE hSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwRemoteProcessID); MODULEENTRY32 Me32 = {0}; Me32.dwSize = sizeof(MODULEENTRY32); BOOL bRet = ::Module32First(hSnap, &Me32); while (bRet) { if (wcscmp(Me32.szExePath, wstrRemoteDllFullPath.c_str()) == 0) { break; } bRet = Module32Next(hSnap, &Me32); } CloseHandle(hSnap); HANDLE hRemoteProgress = ::OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwRemoteProcessID); if (hRemoteProgress == NULL) { //wprintf_s(_T("OpenProcess fail\n")); return FALSE; } FARPROC pfnFunAddr = ::GetProcAddress(::GetModuleHandle(_T("Kernel32")),"FreeLibrary"); ::CreateRemoteThread(hRemoteProgress, NULL, 0, (LPTHREAD_START_ROUTINE) pfnFunAddr, Me32.hModule, 0, NULL); ::CloseHandle(hRemoteProgress); return TRUE; }
// Enumerate the modules we have running and load their symbols. // Return true if successful. bool EnumAndLoadModuleSymbols(HANDLE hProcess, DWORD pid ) { HANDLE hSnapShot; MODULEENTRY32 me = { sizeof me }; bool keepGoing; hSnapShot = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, pid ); if ( hSnapShot == (HANDLE) -1 ) return false; keepGoing = Module32First( hSnapShot, &me ); while ( keepGoing ) { // here, we have a filled-in MODULEENTRY32. Use it to load symbols. // Don't check errors, if we can't load symbols for some modules we just // won't be able to do symbolic reports on them. StrAnsi staExePath(me.szExePath); StrAnsi staModule(me.szModule); // SymLoadModule( hProcess, 0, me.szExePath, me.szModule, (DWORD) me.modBaseAddr, // me.modBaseSize); ::SymLoadModule( hProcess, 0, const_cast<char *>(staExePath.Chars()), const_cast<char *>(staModule.Chars()), (DWORD)me.modBaseAddr, me.modBaseSize); keepGoing = Module32Next( hSnapShot, &me ); } CloseHandle( hSnapShot ); return true; }
LPMODULEENTRY32 GetModuleInfo(DWORD dwPid) { static MODULEENTRY32 s_sModule; HANDLE hSnapshot; hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,dwPid); if( hSnapshot == INVALID_HANDLE_VALUE ) { printf("CreateToolhelp32Snapshot failed: %i\n",GetLastError()); return NULL; } s_sModule.dwSize = sizeof(MODULEENTRY32); if( Module32First(hSnapshot,&s_sModule) == FALSE ) { CloseHandle(hSnapshot); printf("Module32First failed: %i\n",GetLastError()); return NULL; } do { if( strcmp("League of Legends.exe",s_sModule.szModule) == 0 ) { CloseHandle(hSnapshot); return &s_sModule; } }while(Module32Next(hSnapshot,&s_sModule)); printf("Couldn't find League of Legends module!\n"); CloseHandle(hSnapshot); return NULL; }
// すべてのモジュールに対してAPIフックを行う関数 void CAPIHook::ReplaceIATEntryInAllMods( PCSTR pszModuleName, PROC pfnCurrent, PROC pfnNew) { // 自分自身(API_Hook_Lib.dll)のモジュールハンドルを取得 MEMORY_BASIC_INFORMATION mbi; if(VirtualQuery(ReplaceIATEntryInAllMods, &mbi, sizeof(mbi)) == 0) return; HMODULE hModThisMod = (HMODULE) mbi.AllocationBase; // モジュールリストを取得 HANDLE hModuleSnap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, GetCurrentProcessId()); if(hModuleSnap == INVALID_HANDLE_VALUE) return; MODULEENTRY32 me; me.dwSize = sizeof(me); BOOL bModuleResult = Module32First(hModuleSnap, &me); // それぞれのモジュールに対してReplaceIATEntryInOneModを実行 // ただし自分自身(API_Hook_Lib.dll)には行わない while(bModuleResult) { if(me.hModule != hModThisMod) ReplaceIATEntryInOneMod(pszModuleName, pfnCurrent, pfnNew, me.hModule); bModuleResult = Module32Next(hModuleSnap, &me); } CloseHandle(hModuleSnap); }
vector<MODULEENTRY32> CProcessTool::GetProcessModules(DWORD dwPID) { HANDLE hModuleSnap = INVALID_HANDLE_VALUE; MODULEENTRY32 me32; VCTMOD vctMod; hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,dwPID); memset(&me32,0,sizeof(me32)); if( hModuleSnap == INVALID_HANDLE_VALUE) { LOG::printError(TEXT("CreateToolhelp32Snapshot (od modules)")); return vctMod; } me32.dwSize = sizeof(MODULEENTRY32); if(!Module32First(hModuleSnap,&me32)) { LOG::printError(TEXT("Module32First")); CloseHandle(hModuleSnap); return vctMod; } do { vctMod.push_back(me32); } while (Module32Next(hModuleSnap,&me32)); CloseHandle(hModuleSnap); return vctMod; }
// Helper function bool FindModuleByAddress(const BYTE* lpAddress, LPWSTR pszModule, int cchMax) { bool bFound = false; HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId()); if (hSnap != INVALID_HANDLE_VALUE) { MODULEENTRY32 mi = {sizeof(mi)}; if (Module32First(hSnap, &mi)) { do { if ((lpAddress >= mi.modBaseAddr) && (lpAddress < (mi.modBaseAddr + mi.modBaseSize))) { bFound = true; if (pszModule) lstrcpyn(pszModule, mi.szExePath, cchMax); break; } } while (Module32Next(hSnap, &mi)); } CloseHandle(hSnap); } if (!bFound && pszModule) *pszModule = 0; return bFound; }
BOOL CheckDllInProcess(DWORD dwPID, LPCTSTR szDllPath) { BOOL bMore = FALSE; HANDLE hSnapshot = INVALID_HANDLE_VALUE; MODULEENTRY32 me = { sizeof(me), }; if (INVALID_HANDLE_VALUE == (hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID))) { wsprintf(buf, L"CheckDllInProcess() : CreateToolhelp32Snapshot(%d) failed!!! [%d]\n", dwPID, GetLastError()); MessageBox(NULL, buf, L"error", MB_OK); return FALSE; } bMore = Module32First(hSnapshot, &me); for (; bMore; bMore = Module32Next(hSnapshot, &me)) { if (!_tcsicmp(me.szModule, szDllPath) || !_tcsicmp(me.szExePath, szDllPath)) { CloseHandle(hSnapshot); return TRUE; } } CloseHandle(hSnapshot); return FALSE; }
int CATCodeMgr::GetAllLoadedModules( PMODULEENTRY32 pRetBuf, int maxCnt ) { int curCnt = 0; // 반환 버퍼 초기화 ZeroMemory(pRetBuf, sizeof(PMODULEENTRY32)*maxCnt); // 프로세스 스냅샷 핸들을 생성 HANDLE hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId()); if(INVALID_HANDLE_VALUE == hModuleSnap) return 0; pRetBuf[curCnt].dwSize = sizeof(MODULEENTRY32); BOOL bExist = Module32First(hModuleSnap, &pRetBuf[curCnt]); while( bExist == TRUE && curCnt < maxCnt ) { curCnt++; pRetBuf[curCnt].dwSize = sizeof(MODULEENTRY32); bExist = Module32Next(hModuleSnap, &pRetBuf[curCnt]); } CloseHandle (hModuleSnap); return curCnt; }
//--------------------------------------------------------------------------- //ReplaceIATEntryInAllModules void WINAPI TAPIHook::ReplaceIATEntryInAllModules(PCSTR DllName, PROC pfnCurrent,PROC pfnNew,bool IsHookSelfDll) { // 是否Hook DLL本身的相应函数。对一些系统函数,如GetProcAddress、LoadLibraryA、 // LoadLibraryW、LoadLibraryEx、LoadLibraryExW这些函数,DLL本身是不能对它们进 // 行Hook的,否则会引起死循环。 HMODULE hThisModule = NULL; hThisModule = (IsHookSelfDll) ? NULL : ModuleFromAddress(ReplaceIATEntryInAllModules); ///// HANDLE hSnapshot; MODULEENTRY32 ModEntry32; DWORD dwProcessId; BOOL Result; dwProcessId = GetCurrentProcessId(); hSnapshot = CreateToolhelp32Snapshot((DWORD)TH32CS_SNAPMODULE,dwProcessId); ModEntry32.dwSize = sizeof(MODULEENTRY32); Result = Module32First(hSnapshot,&ModEntry32); while(Result) { if(ModEntry32.hModule != hThisModule) ReplaceIATEntryInModule(DllName,pfnCurrent,pfnNew,ModEntry32.hModule); Result = Module32Next(hSnapshot,&ModEntry32); } CloseHandle(hSnapshot); }
BOOL GetProcessModule (DWORD dwPID, DWORD dwModuleID, LPMODULEENTRY32 lpMe32, DWORD cbMe32) { BOOL bRet = FALSE; BOOL bFound = FALSE; HANDLE hModuleSnap = NULL; MODULEENTRY32 me32 = {0}; hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID); if (hModuleSnap == (HANDLE)-1) return (FALSE); me32.dwSize = sizeof(MODULEENTRY32); if (Module32First(hModuleSnap, &me32)) { do { if (me32.th32ModuleID == dwModuleID) { CopyMemory (lpMe32, &me32, cbMe32); bFound = TRUE; } } while (!bFound && Module32Next(hModuleSnap, &me32)); bRet = bFound; } else bRet = FALSE; CloseHandle (hModuleSnap); return (bRet); }
DWORD GetModuleBase(const DWORD dwProcessId, const char *szModuleName) { HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, dwProcessId); if (!hSnap) { return 0; } MODULEENTRY32 me; me.dwSize = sizeof(MODULEENTRY32); DWORD dwReturn = 0; if (Module32First(hSnap, &me)) { while (Module32Next(hSnap, &me)) { printf("%s %x\n", me.szModule, me.modBaseAddr); if (lstrcmpi(me.szModule, szModuleName) == 0) { dwReturn = (DWORD)me.modBaseAddr; break; } } } CloseHandle(hSnap); return dwReturn; }
void APIHook::ReplaceIATInOneMod(PROC pfnOrig, PROC pfnNew) { HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId()); MODULEENTRY32 me32 = {sizeof(MODULEENTRY32)}; Module32First(hSnapshot, &me32); HMODULE hThisMod = GetModuleHandleA(m_strCurrentModule.data()); do { if (me32.hModule == hThisMod) { continue; } ULONG ulSize; PIMAGE_IMPORT_DESCRIPTOR pImportDesc = NULL; __try { pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(me32.hModule, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &ulSize); } __except (EXCEPTION_EXECUTE_HANDLER) { } if (pImportDesc == NULL) continue; for (; pImportDesc->Name; pImportDesc++) { PSTR pszName = (PSTR)((PBYTE)me32.hModule + pImportDesc->Name); //cout << pszName << endl; if (lstrcmpiA(m_strModule.data(), pszName) == 0) { PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)((PBYTE)me32.hModule + pImportDesc->FirstThunk); for (; pThunk->u1.Function; pThunk++) { // Get the address of the function address PROC* ppfn = (PROC*) &pThunk->u1.Function; // Is this the function we're looking for? BOOL bFound = (*ppfn == pfnOrig); if (bFound) { //PROC pfnNew = (PROC)Hook_ExitProcess; if (!WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNew, sizeof(char*), NULL) && ERROR_NOACCESS == GetLastError()) { DWORD dwOldProtect; if (VirtualProtect(ppfn, sizeof(char*), PAGE_WRITECOPY, &dwOldProtect)) { WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNew, sizeof(char*), NULL); VirtualProtect(ppfn, sizeof(char*), dwOldProtect, &dwOldProtect); } } CloseHandle(hSnapshot); return ; } } } } } while (Module32Next(hSnapshot, &me32)); CloseHandle(hSnapshot); }
// すべてのモジュールに対してAPIフックを行う関数 bool ReplaceIATEntryInAllMods( PCSTR pszModuleName, PROC pfnCurrent, PROC pfnNew, HMODULE hmodCaller) { if( hmodCaller ) { return ReplaceIATEntryInOneMod(pszModuleName, pfnCurrent, pfnNew, hmodCaller); } else { bool bResult = false; // モジュールリストを取得 HANDLE hModuleSnap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, GetCurrentProcessId()); if(hModuleSnap == INVALID_HANDLE_VALUE) { return bResult; } MODULEENTRY32 me; me.dwSize = sizeof(me); BOOL bModuleResult = Module32First(hModuleSnap, &me); // それぞれのモジュールに対してReplaceIATEntryInOneModを実行 while(bModuleResult) { // OutputDebugString(">>"); // OutputDebugString(me.szModule); // OutputDebugString("\n"); if( ReplaceIATEntryInOneMod(pszModuleName, pfnCurrent, pfnNew, me.hModule) ) { bResult = true; } bModuleResult = Module32Next(hModuleSnap, &me); } CloseHandle(hModuleSnap); return bResult; } }
BOOL CEnumDllDlg::OnInitDialog() { CDialogEx::OnInitDialog(); CRect rect; m_list.GetWindowRect(&rect); m_list.SetExtendedStyle(m_list.GetExtendedStyle() | LVS_EX_GRIDLINES | LVS_EX_FULLROWSELECT); m_list.InsertColumn(0, _T("DLL名"), LVCFMT_LEFT, rect.Width() / 5, 0); m_list.InsertColumn(1, _T("DLL路径"), LVCFMT_LEFT, 15 * rect.Width() / 20, 1); MODULEENTRY32 module = { 0 }; module.dwSize = sizeof(MODULEENTRY32); HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, m_pID); if (hSnap != INVALID_HANDLE_VALUE) { BOOL ret = Module32First(hSnap, &module); int item = 0; CString s; while (ret) { m_list.InsertItem(item, module.szModule); m_list.SetItemText(item, 1, module.szExePath); ++item; ret = Module32Next(hSnap, &module); } CloseHandle(hSnap); } return TRUE; // return TRUE unless you set the focus to a control // 异常: OCX 属性页应返回 FALSE }
DWORD GetModuleSize(LPSTR strModuleName) { MODULEENTRY32 lpme = { 0 }; DWORD dwSize = 0; DWORD PID = GetCurrentProcessId(); BOOL isMod = 0; char chModName[256]; strcpy_s(chModName, 255, strModuleName); _strlwr_s(chModName, 255); HANDLE hSnapshotModule = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, PID); if (hSnapshotModule) { lpme.dwSize = sizeof(lpme); isMod = Module32First(hSnapshotModule, &lpme); while (isMod) { if (strcmp(_strlwr(lpme.szExePath), chModName)) { dwSize = (DWORD)lpme.modBaseSize; CloseHandle(hSnapshotModule); return dwSize; } isMod = Module32Next(hSnapshotModule, &lpme); } } CloseHandle(hSnapshotModule); return 0; }
void CheckModule() { MODULEENTRY32 ME32; HANDLE hProcessSnap; int ProcLoop; hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId()); ME32.dwSize = sizeof(ME32); ProcLoop = Module32First(hProcessSnap, &ME32); while(ProcLoop){ ProcLoop = Module32Next(hProcessSnap, &ME32); char ModulePath[MAX_PATH]; int len = GetModuleFileName(ME32.hModule, ModulePath, MAX_PATH); if(len != 0){ for(int i = len - 1; i >= 0; i --) { if (ModulePath[i] == '\\') { if (cmpi(&ModulePath[i+1], "cfgdll.dll") == 0) { KillMe(3); } break; } } } } CloseHandle(hProcessSnap); }
static int DllInit(void) { #if defined(_WIN32_WINNT) union { int(*f)(void); BYTE *p; } t = { DllInit }; HANDLE hModuleSnap = INVALID_HANDLE_VALUE; IMAGE_DOS_HEADER *dos_header; IMAGE_NT_HEADERS *nt_headers; MODULEENTRY32 me32 = {sizeof(me32)}; hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,0); if (hModuleSnap != INVALID_HANDLE_VALUE && Module32First(hModuleSnap,&me32)) do { if (t.p >= me32.modBaseAddr && t.p < me32.modBaseAddr+me32.modBaseSize) { dos_header=(IMAGE_DOS_HEADER *)me32.modBaseAddr; if (dos_header->e_magic==IMAGE_DOS_SIGNATURE) { nt_headers=(IMAGE_NT_HEADERS *) ((BYTE *)dos_header+dos_header->e_lfanew); if (nt_headers->Signature==IMAGE_NT_SIGNATURE && me32.modBaseAddr!=(BYTE*)nt_headers->OptionalHeader.ImageBase) OPENSSL_NONPIC_relocated=1; } break; } } while (Module32Next(hModuleSnap,&me32)); if (hModuleSnap != INVALID_HANDLE_VALUE) CloseHandle(hModuleSnap); #endif OPENSSL_cpuid_setup(); return 0; }
HMODULE GetRemoteModuleHandle( char *szModuleName, HANDLE hProcess, bool bUsePath ) { HANDLE tlh = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, GetProcessId( hProcess ) ); MODULEENTRY32 modEntry; modEntry.dwSize = sizeof( MODULEENTRY32 ); Module32First( tlh, &modEntry ); do { string comp; comp.clear(); if(bUsePath){ comp = modEntry.szExePath; } else { comp = modEntry.szModule; } if( !strcmp( szModuleName, comp.c_str() ) ) { CloseHandle( tlh ); return modEntry.hModule; } } while(Module32Next( tlh, &modEntry ) ); CloseHandle( tlh ); return NULL; }
BOOL HookAPIAllMod( PHookFn Hooks, BOOL restore ) { HANDLE hModuleSnap; MODULEENTRY32 me; BOOL fOk; // Take a snapshot of all modules in the current process. hModuleSnap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, GetCurrentProcessId() ); if (hModuleSnap == INVALID_HANDLE_VALUE) return FALSE; // Fill the size of the structure before using it. me.dwSize = sizeof(MODULEENTRY32); // Walk the module list of the modules. for (fOk = Module32First( hModuleSnap, &me ); fOk; fOk = Module32Next( hModuleSnap, &me )) { // We don't hook functions in our own module. if (me.hModule != hDllInstance && me.hModule != hKernel) { // Hook this function in this module. if (!HookAPIOneMod( me.hModule, Hooks, restore )) { CloseHandle( hModuleSnap ); return FALSE; } } } CloseHandle( hModuleSnap ); return TRUE; }
std::vector<HMODULE> Ten18::Util::EnumerateModules() { std::vector<HMODULE> modules; auto snapshot = MakeScoped(CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, 0), [] (HANDLE snapshot) { Ten18_HOPE_FOR.True = CloseHandle(snapshot); }); Ten18_EXPECT.Not(INVALID_HANDLE_VALUE) = static_cast<HANDLE>(snapshot); MODULEENTRY32 me = {}; me.dwSize = sizeof(me); const auto minSizeOfInterest = FIELD_OFFSET(MODULEENTRY32, hModule) + sizeof(me.hModule); if (Module32First(snapshot, &me)) { do { if (me.dwSize >= minSizeOfInterest) modules.push_back(me.hModule); Format("Module: %0", me.szModule).DebugOut(); me.dwSize = sizeof(me); } while (Module32Next(snapshot, &me)); } return modules; }