waliedassar

Enumerate Loaded Modules (64-bit)

Jan 19th, 2013
  1. //http://waleedassar.blogspot.com/
  2. //http://www.twitter.com/waleedassar
  3.  
  4. //The following 64-bit code enumerates all loaded modules in a 64-bit process.
  5. //Compile with Microsoft Linker.
  6.  
  7. #include "stdafx.h"
  8. #include "windows.h"
  9. #include "winternl.h"
  10. #include "stdio.h"
  11.  
// Information-class selectors passed as the third argument of
// ZwQueryVirtualMemory in main(). The values are hard-coded in this file
// rather than taken from an SDK header.
#define MemorySectionName           2   // query fills a UNICODE_STRING with the backing file name
#define MemoryBasicVlmInformation   3   // query fills a MEMORY_BASIC_VLM_INFORMATION record
  14.  
  15.  
// Record filled in by ZwQueryVirtualMemory when main() asks for the
// MemoryBasicVlmInformation class.
// NOTE(review): this layout is declared by hand in this file, not pulled from
// a Windows SDK header - confirm it against the OS builds you target before
// trusting ImageBase/SizeOfImage in tooling.
struct MEMORY_BASIC_VLM_INFORMATION
{
        unsigned long long  ImageBase;      // printed by main() as the module base address
        unsigned long       blah[2];        // two words the file never reads; meaning not stated here
        unsigned long long  SizeOfImage;    // printed by main() as the module size in bytes
};
  22.  
// Hand-written prototype for ZwQueryVirtualMemory; no header included by this
// file declares it. C linkage keeps the symbol name unmangled.
// Parameter names below describe how main() uses each argument.
// NOTE(review): the result is declared as int; SDK headers type NTSTATUS as a
// 32-bit LONG, and a negative value indicates failure - callers should check it.
extern "C" int __stdcall ZwQueryVirtualMemory(
        HANDLE              ProcessHandle,            // process whose address space is queried
        void*               BaseAddress,              // address inside the region of interest
        unsigned long long  MemoryInformationClass,   // MemorySectionName or MemoryBasicVlmInformation
        void*               MemoryInformation,        // caller-supplied output buffer
        unsigned long long  MemoryInformationLength,  // size of that buffer in bytes
        unsigned long long* ReturnLength);            // optional: receives a length; main() passes 0 or &out
  27.  
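// Walks the application address range of the current process one page at a
// time and, for every page that VirtualQuery reports as MEM_IMAGE, prints the
// backing file name, the image base and the image size.
//
// The loader's own module list is never consulted: every image-mapped region
// is reported purely from what the memory manager returns for that address.
//
// Changes relative to the original listing:
//  - the LocalAlloc result is checked and the buffer is freed on exit;
//  - both ZwQueryVirtualMemory results are checked, and the name buffer is
//    cleared before each query, so a failed call can no longer print the
//    previous module's name or dereference a null Buffer;
//  - the name is printed with an explicit length taken from UNICODE_STRING
//    instead of relying on a terminating NUL;
//  - after a module is reported the scan resumes exactly at the end of the
//    image (the original added SizeOfImage to the current page and then one
//    more page, which could step over the first page of an adjacent image).
//
// Returns 0 on success, 1 if the name buffer could not be allocated.
int main(int argc, char* argv[])
{
        (void)argc;
        (void)argv;

        SYSTEM_INFO SI={0};
        GetSystemInfo(&SI);
        const unsigned long long min_addr=(unsigned long long)(SI.lpMinimumApplicationAddress);
        const unsigned long long max_addr=(unsigned long long)(SI.lpMaximumApplicationAddress);
        const unsigned long long page=SI.dwPageSize;

        // One page to receive the UNICODE_STRING header plus the file name text.
        const SIZE_T name_buf_size=0x1000;
        UNICODE_STRING* p=(UNICODE_STRING*)LocalAlloc(LMEM_ZEROINIT,name_buf_size);
        if(!p)
        {
                fwprintf(stderr,L"LocalAlloc failed: %lu\r\n",GetLastError());
                return 1;
        }

        for(unsigned long long i=min_addr;i<=max_addr;i+=page)
        {
                MEMORY_BASIC_INFORMATION MBI={0};
                if(!VirtualQuery((void*)i,&MBI,sizeof(MBI)))
                        continue;
                if(MBI.Type!=MEM_IMAGE)
                        continue;

                // Start from a clean buffer so nothing from an earlier module
                // survives a failed or short query.
                ZeroMemory(p,name_buf_size);
                int status=ZwQueryVirtualMemory(GetCurrentProcess(),
                                (void*)i,MemorySectionName,p,name_buf_size,0);
                if(status>=0 && p->Buffer)
                        wprintf(L"Module: %.*s\r\n",(int)(p->Length/sizeof(WCHAR)),p->Buffer);
                else
                        wprintf(L"Module: <name unavailable, status 0x%08x>\r\n",(unsigned int)status);

                unsigned long long out=0;
                MEMORY_BASIC_VLM_INFORMATION MBVI={0};
                status=ZwQueryVirtualMemory(GetCurrentProcess(),
                                (void*)i,MemoryBasicVlmInformation,&MBVI,sizeof(MBVI),&out);
                if(status<0)
                {
                        // Without a trustworthy size, keep scanning page by page.
                        wprintf(L"  <base/size unavailable, status 0x%08x>\r\n",(unsigned int)status);
                        continue;
                }

                const unsigned long long IB=MBVI.ImageBase;
                const unsigned long long szImage=MBVI.SizeOfImage;
                wprintf(L"  at:%I64x",IB);
                wprintf(L"  size:%I64x\r\n",szImage);

                // Resume at the first byte after the image. The loop's own
                // increment adds one page, so stop one page short of the end.
                // Only ever move forward: a wrapped or inconsistent base/size
                // pair must not send the scan backwards.
                const unsigned long long end=IB+szImage;
                if(IB<=i && end>i && end-i>page)
                        i=end-page;
        }

        LocalFree(p);
        return 0;
}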