/*
 * Query a process through the pNtQueryInformationProcess function pointer
 * and report how many bytes the call says it wrote.
 *
 * process_handle     handle of the process to query
 * information_class  information class, passed through unchanged
 * buf                caller-supplied output buffer
 * length             size value passed to the call for buf
 *
 * Returns the length reported by the call on success and 0 on failure.
 * A caller cannot tell a failed query from a successful one that reported
 * zero bytes, so buf must only be trusted when the result is non-zero and
 * at least as large as the structure the caller expects.
 */
uint32_t query_information_process(HANDLE process_handle, uint32_t information_class, void *buf, uint32_t length)
{
    /*
     * Project-specific three-argument assert, not the one from <assert.h>.
     * NOTE(review): the trailing 0 is presumably the value returned when the
     * pointer was never resolved; confirm against the macro definition.
     */
    assert(pNtQueryInformationProcess != NULL, "pNtQueryInformationProcess is NULL!", 0);

    ULONG bytes_returned;

    /* bytes_returned is read only after the call reported success. */
    if(!NT_SUCCESS(pNtQueryInformationProcess(process_handle, information_class, buf, length, &bytes_returned))) {
        return 0;
    }

    return bytes_returned;
}
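/**
 * Read loader bookkeeping out of another process and locate a module entry.
 *
 * The PEB and its loader data are copied from the target process, then the
 * in-memory-order module list is walked entry by entry until the entry whose
 * base address equals the PEB's image base is found (or, with bFirstModule,
 * until the first entry has been read).
 *
 * Everything read here comes from the target's own address space, and the
 * target can rewrite it. Treat the list pointers and the contents of *Data
 * as untrusted: validate any pointer or length taken from them before using
 * it in a further read.
 *
 * @param hProcess        Handle used for the query and for ReadProcessMemory.
 * @param Data            Receives the most recently read module entry.
 * @param pProcessParams  Set to the ProcessParameters pointer from the remote
 *                        PEB (an address in the target, not a local pointer).
 * @param pEnd            Set to the computed remote address that terminates
 *                        the walk.
 * @param bFirstModule    When true, stop after the first entry is read.
 *
 * @return FALSE when the process query fails, when the PEB, the loader data
 *         or a list entry cannot be read, when the walk reaches pEnd without
 *         a match, or when the entry limit is exceeded. TRUE otherwise.
 *         NOTE(review): a NULL Flink also ends the walk with TRUE, as in the
 *         original; *Data then holds the last entry read, which need not be
 *         the main image. Confirm whether callers rely on that.
 */
BOOL GetInternalProcessData(HANDLE hProcess, ModuleData* Data, PROCESS_PARAMETERS* &pProcessParams, char*&pEnd, bool bFirstModule=false)
{
    // Cap on list entries followed. The links live in the target process, so
    // a corrupted or deliberately cyclic list that never reaches pEnd would
    // otherwise keep this loop running forever.
    const unsigned int kMaxModuleEntries = 0x10000;

    DWORD ret;

    // From ntddk.h
    PROCESS_BASIC_INFORMATION processInfo;

    // Any non-zero status is treated as failure.
    if (pNtQueryInformationProcess(hProcess, ProcessBasicInformation, &processInfo, sizeof(processInfo), &ret))
        return FALSE;

    // FindModule, obtained from PSAPI.DLL
    PEB peb;
    PEB_LDR_DATA pld;

    // The original returned TRUE here with Data, pProcessParams and pEnd
    // untouched; report the failure so callers never consume unset outputs.
    if (!ReadProcessMemory(hProcess, processInfo.PebBaseAddress, &peb, sizeof(peb), 0) ||
        !ReadProcessMemory(hProcess, peb.LoaderData, &pld, sizeof(pld), 0))
        return FALSE;

    PVOID hModule = peb.ImageBaseAddress;
    pProcessParams = peb.ProcessParameters;

    // Remote address of the in-memory-order list head.
    // NOTE(review): assumes InMemoryOrderModuleList is the second-to-last
    // LIST_ENTRY in PEB_LDR_DATA; confirm against the struct declaration.
    pEnd = (char *)peb.LoaderData + sizeof(pld) - sizeof(LIST_ENTRY)*2;

    char *p4 = (char *)pld.InMemoryOrderModuleList.Flink;
    unsigned int visited = 0;

    while (p4)
    {
        if (++visited > kMaxModuleEntries)
            return FALSE;

        // Links point at the InMemoryOrderModuleList member of each entry;
        // stepping back two pointers reaches the start of the entry.
        // NOTE(review): assumes exactly one LIST_ENTRY precedes that member
        // in ModuleData; confirm against the struct declaration.
        if (p4 == pEnd || !ReadProcessMemory(hProcess, p4 - sizeof(PVOID)*2, Data, sizeof(*Data), 0))
            return FALSE;

        if (bFirstModule)
            return TRUE;

        if (Data->BaseAddress == hModule)
            break;

        p4 = (char *)Data->InMemoryOrderModuleList.Flink;
    }

    return TRUE;
}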