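/// @brief Enumerate the modules of the target process by walking the loader's
///        InLoadOrderModuleList with remote memory reads.
///
/// Every value read here (list links, DllBase, SizeOfImage, FullDllName) comes
/// from the memory of the inspected process, so it is treated as untrusted:
/// a damaged or deliberately altered loader list must not be able to corrupt
/// the memory of the process doing the inspection.
///
/// @param result  Cleared on entry, then filled with one ModuleData per list entry
///                that could be read.
/// @return Number of entries stored in @p result.
size_t Native::EnumModulesT( Native::listModules& result )
{
    typename _PEB_T2<T>::type peb = { { { 0 } } };
    _PEB_LDR_DATA2<T> ldr = { 0 };

    result.clear();

    // Without a PEB and a readable loader block there is nothing to walk.
    if (getPEB( &peb ) == 0 || ReadProcessMemoryT( peb.Ldr, &ldr, sizeof(ldr), 0 ) != STATUS_SUCCESS)
        return result.size();

    // The list is circular: the walk ends when a link points back at the list head
    // that lives inside the remote loader block.
    // NOTE(review): a list that never links back to the head is not detected here;
    // consider an iteration cap if hostile targets are in scope.
    const auto listHead = peb.Ldr + FIELD_OFFSET( _PEB_LDR_DATA2<T>, InLoadOrderModuleList );
    T head = ldr.InLoadOrderModuleList.Flink;

    while (head != listHead)
    {
        ModuleData data;
        wchar_t localPath[512] = { 0 };
        _LDR_DATA_TABLE_ENTRY_BASE<T> localdata = { { 0 } };

        // An unreadable entry means the rest of the list cannot be trusted either.
        if (ReadProcessMemoryT( head, &localdata, sizeof(localdata), 0 ) != STATUS_SUCCESS)
            break;

        // FullDllName.Length is supplied by the remote process and is used as the
        // byte count of the copy. Clamp it to the local buffer, leaving room for the
        // terminator, so an oversized value cannot write past localPath on the stack
        // and the string handed to ToLower() is always null-terminated.
        const size_t maxPathBytes = sizeof(localPath) - sizeof(localPath[0]);
        size_t pathBytes = localdata.FullDllName.Length;
        if (pathBytes > maxPathBytes)
            pathBytes = maxPathBytes;

        // Best effort: on failure localPath stays zeroed and the entry gets an empty path.
        ReadProcessMemoryT( localdata.FullDllName.Buffer, localPath, pathBytes, 0 );

        data.baseAddress = localdata.DllBase;
        data.size = localdata.SizeOfImage;
        data.fullPath = Utils::ToLower( localPath );
        data.name = Utils::StripPath( data.fullPath );
        data.manual = false;
        data.type = std::is_same<T, DWORD>::value ? mt_mod32 : mt_mod64;

        result.emplace_back( data );

        // Follow the forward link. If the read fails, head would keep its old value
        // and the loop would never terminate, so stop instead.
        if (ReadProcessMemoryT( static_cast<ptr_t>(head), &head, sizeof(head), 0 ) != STATUS_SUCCESS)
            break;
    }

    return result.size();
}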
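/// @brief Enumerate the modules of the target process by walking the loader's
///        InLoadOrderModuleList with remote memory reads.
///
/// All list links and entry fields are read from the inspected process and are
/// therefore untrusted input; sizes taken from them are bounded before they are
/// used to copy into local buffers.
///
/// @return One shared, immutable ModuleData per list entry that could be read.
///         Empty when the PEB or the loader block is unavailable (a trace message
///         is emitted in that case).
std::vector<ModuleDataPtr> Native::EnumModulesT()
{
    NTSTATUS status = STATUS_SUCCESS;
    _PEB_T<T> peb = { };
    _PEB_LDR_DATA2_T<T> ldr = { };
    std::vector<ModuleDataPtr> result;

    if (getPEB( &peb ) != 0 && ReadProcessMemoryT( peb.Ldr, &ldr, sizeof( ldr ), 0 ) == STATUS_SUCCESS)
    {
        // The list is circular; the walk stops when a link points back at the head
        // inside the remote loader block, or as soon as following a link fails.
        // NOTE(review): a list that never links back to the head is not detected here;
        // consider an iteration cap if hostile targets are in scope.
        for (T head = ldr.InLoadOrderModuleList.Flink;
              NT_SUCCESS( status ) && head != (peb.Ldr + FIELD_OFFSET( _PEB_LDR_DATA2_T<T>, InLoadOrderModuleList ));
              status = ReadProcessMemoryT( static_cast<ptr_t>(head), &head, sizeof( head ) ))
        {
            ModuleData data;
            wchar_t localPath[512] = { 0 };
            _LDR_DATA_TABLE_ENTRY_BASE_T<T> localdata = { { 0 } };

            // An unreadable entry would otherwise be recorded as an all-zero module.
            status = ReadProcessMemoryT( head, &localdata, sizeof( localdata ), 0 );
            if (!NT_SUCCESS( status ))
                break;

            // FullDllName.Length comes from the remote process and is used as the byte
            // count of the copy. Clamp it to the local buffer, leaving room for the
            // terminator, so an oversized value cannot write past localPath on the
            // stack and the string handed to ToLower() is always null-terminated.
            const size_t maxPathBytes = sizeof( localPath ) - sizeof( localPath[0] );
            size_t pathBytes = localdata.FullDllName.Length;
            if (pathBytes > maxPathBytes)
                pathBytes = maxPathBytes;

            // Best effort: on failure localPath stays zeroed and the entry gets an empty path.
            ReadProcessMemoryT( localdata.FullDllName.Buffer, localPath, pathBytes );

            data.baseAddress = localdata.DllBase;
            data.size = localdata.SizeOfImage;
            data.fullPath = Utils::ToLower( localPath );
            data.name = Utils::StripPath( data.fullPath );
            // Pointer width of the walked structures selects the module type.
            data.type = (sizeof( T ) < sizeof( uint64_t )) ? mt_mod32 : mt_mod64;
            // Remote address of this loader entry.
            data.ldrPtr = static_cast<ptr_t>(head);
            data.manual = false;

            result.emplace_back( std::make_shared<const ModuleData>( data ) );
        }
    }
    else
    {
        BLACKBONE_TRACE( L"NativeModules: Failed to get PEB/LDR address. Not yet initialized" );
    }

    return result;
}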
/// Entry point: fetches the current TEB and PEB pointers and exits successfully.
/// Neither the command-line arguments nor the fetched pointers are used afterwards.
int main(int argc, char **argv)
{
    // Thread Environment Block pointer, as returned by getTEB().
    PTEB teb = getTEB();

    // Process Environment Block pointer, as returned by getPEB().
    PPEB peb = getPEB();

    return EXIT_SUCCESS;
}