Author Topic: RTL_PROCESS_MODULES documented  (Read 3198 times)

guga

RTL_PROCESS_MODULES documented
« on: July 13, 2014, 07:01:22 AM »
After a bit of work, I'm succeeding in documenting some NT functions and structures.

Quote
RTL_PROCESS_MODULES

This structure contains information about modules

Syntax:

RosAsm:

[RTL_PROCESS_MODULE_INFORMATION:
 Section: D$ 0
 MappedBase: D$ 0
 ImageBase: D$ 0
 ImageSize: D$ 0
 Flags: D$ 0
 LoadOrderIndex: W$ 0
 InitOrderIndex: W$ 0
 LoadCount: W$ 0
 OffsetToFileName: W$ 0
 FullPathName: B$ 0 #256]

C:
typedef struct _RTL_PROCESS_MODULE_INFORMATION {
   HANDLE Section;                 // Not filled in
   PVOID MappedBase;               // base address after the module was mapped
   PVOID ImageBase;                // base address of the module
   ULONG ImageSize;                // size of the module
   ULONG Flags;                    // LDRP_* bit flags (see Members below)
   USHORT LoadOrderIndex;          // index in the module array
   USHORT InitOrderIndex;          // same as LoadOrderIndex
   USHORT LoadCount;               // reference count, or 0xFFFF
   USHORT OffsetToFileName;        // offset of the file name within FullPathName
   UCHAR  FullPathName[ 256 ];     // ANSI path, at most 256 characters
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;


Members:

   Section
      A handle to a section object. The handle must have been granted SECTION_MAP_WRITE, SECTION_MAP_READ, SECTION_MAP_EXECUTE or other access flags when it was created.
      The handle was created with ZwCreateSection or NtCreateSection.
   MappedBase
      The base address of the module after it has been mapped.
   ImageBase
      The base address of the module.
   ImageSize
      The size of the module.
   Flags
      A bit array of flags describing the state of the module. These flags are also used in LDR_DATA_TABLE_ENTRY structure. Observed values include:

LDRP_STATIC_LINK 0x00000002
LDRP_IMAGE_DLL 0x00000004
LDRP_LOAD_IN_PROGRESS 0x00001000
LDRP_UNLOAD_IN_PROGRESS 0x00002000
LDRP_ENTRY_PROCESSED 0x00004000
LDRP_ENTRY_INSERTED 0x00008000
LDRP_CURRENT_LOAD 0x00010000
LDRP_FAILED_BUILTIN_LOAD 0x00020000
LDRP_DONT_CALL_FOR_THREADS 0x00040000
LDRP_PROCESS_ATTACH_CALLED 0x00080000
LDRP_DEBUG_SYMBOLS_LOADED 0x00100000
LDRP_IMAGE_NOT_AT_BASE 0x00200000
LDRP_WX86_IGNORE_MACHINETYPE 0x00400000

   LoadOrderIndex
      The index of the loaded module in the array of modules. The index was enumerated by the NtQuerySystemInformation function.
   InitOrderIndex
      The initial index in the array of modules. Same as LoadOrderIndex. The index was enumerated by the NtQuerySystemInformation function.
   LoadCount
      The number of references to the module. The references were enumerated by the LdrQueryProcessModuleInformation function.
      In general, this member contains 0xFFFF or the actual number of references to the loaded module.
   OffsetToFileName
      The offset to the final filename component of the image name.
   FullPathName
      The file path of the module. It consists of a maximum of 256 characters in ANSI form.

Remarks:
   This structure was also known as DEBUG_MODULE_INFORMATION back in the NT days. Other names for this structure are: SYSTEM_MODULE.
   The structure is also used in RTL_PROCESS_MODULES (SYSTEM_MODULE_INFORMATION).
Coding in Assembly requires a mix of:
80% of brain, passion, intuition, creativity
10% of programming skills
10% of alcoholic levels in your blood.

My Code Sites:
http://rosasm.freeforums.org
http://winasm.tripod.com
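An added example, not part of guga's post or of RosAsm: a small C parser over a constructed buffer in the 32-bit layout documented above (D$ = dword, W$ = word), which reads each module's file name through OffsetToFileName with bounds checks and maps an address back to the module containing it. The RTL_PROCESS_MODULES wrapper (a count followed by the array), the MODULE_INFO name and the sample module values are assumptions, not taken from the page.

```c
#include <stdint.h>
#include <string.h>
/* 32-bit layout of the structure above (D$ = dword, W$ = word): 284 bytes, no padding. */
typedef struct {
    uint32_t Section, MappedBase, ImageBase, ImageSize, Flags;
    uint16_t LoadOrderIndex, InitOrderIndex, LoadCount, OffsetToFileName;
    uint8_t  FullPathName[256];
} MODULE_INFO;
#define MAX_MODULES 3
/* Assumed RTL_PROCESS_MODULES wrapper: a module count followed by the array. */
typedef struct { uint32_t NumberOfModules; MODULE_INFO Modules[MAX_MODULES]; } MODULES_BUF;
/* Copy the base filename out of FullPathName via OffsetToFileName, treating the field as
   untrusted: the offset is bounded by the 256-byte array and the copy is always NUL-terminated. */
int module_file_name(const MODULE_INFO *m, char *out, size_t outlen) {
    if (outlen == 0 || m->OffsetToFileName >= sizeof m->FullPathName) return -1;
    const char *p = (const char *)m->FullPathName + m->OffsetToFileName;
    size_t max = sizeof m->FullPathName - m->OffsetToFileName, n = 0;
    while (n < max && p[n] != '\0') n++;          /* bounded strlen: path need not be terminated */
    if (n >= outlen) n = outlen - 1;
    memcpy(out, p, n); out[n] = '\0';
    return (int)n;                                /* length, or -1 if the offset was rejected */
}
/* Index of the module whose [ImageBase, ImageBase+ImageSize) contains addr, else -1. */
int module_index_for_address(const MODULES_BUF *b, uint32_t addr) {
    for (uint32_t i = 0; i < b->NumberOfModules && i < MAX_MODULES; i++)
        if (addr >= b->Modules[i].ImageBase && addr - b->Modules[i].ImageBase < b->Modules[i].ImageSize)
            return (int)i;
    return -1;
}
/* Constructed sample (not real kernel output); entry 2 carries a corrupt offset. */
static void fill(MODULE_INFO *m, uint32_t base, uint32_t size, const char *path, uint16_t off) {
    memset(m, 0, sizeof *m);
    m->ImageBase = m->MappedBase = base; m->ImageSize = size;
    m->LoadCount = 0xFFFF; m->OffsetToFileName = off;
    memcpy(m->FullPathName, path, strlen(path));
}
const MODULES_BUF *sample_modules(void) {
    static MODULES_BUF b;
    b.NumberOfModules = MAX_MODULES;
    fill(&b.Modules[0], 0x80400000u, 0x00200000u, "\\SystemRoot\\System32\\ntoskrnl.exe", 21);
    fill(&b.Modules[1], 0x80600000u, 0x00010000u, "\\SystemRoot\\System32\\hal.dll", 21);
    fill(&b.Modules[2], 0x80700000u, 0x00008000u, "\\??\\C:\\bad.sys", 0x0200);
    return &b;
}
/* Check helper: 1 if sample module i's filename equals expect, 0 if not, -1 if rejected. */
int sample_name_check(unsigned i, const char *expect) {
    char name[64];
    int n = module_file_name(&sample_modules()->Modules[i], name, sizeof name);
    return n < 0 ? -1 : strcmp(name, expect) == 0;
}
```

On a real system the same walk runs over the buffer returned by NtQuerySystemInformation(SystemModuleInformation); an entry whose OffsetToFileName points past the 256-byte array is rejected rather than read out of bounds.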