After a bit of work, I'm succeeding in documenting some NT functions and structures
Quote
RTL_PROCESS_MODULE_INFORMATION
This structure describes one loaded module. NtQuerySystemInformation returns an array of them, wrapped in RTL_PROCESS_MODULES, for the SystemModuleInformation class; for that class the modules are the kernel image and the loaded drivers.
Syntax:
RosAsm:
[RTL_PROCESS_MODULE_INFORMATION:
Section: D$ 0
MappedBase: D$ 0
ImageBase: D$ 0
ImageSize: D$ 0
Flags: D$ 0
LoadOrderIndex: W$ 0
InitOrderIndex: W$ 0
LoadCount: W$ 0
OffsetToFileName: W$ 0
FullPathName: B$ 0 #256]
C:
typedef struct _RTL_PROCESS_MODULE_INFORMATION {
HANDLE Section; // Not filled in by NtQuerySystemInformation (NULL in practice)
PVOID MappedBase; // pointer-sized: 4 bytes on x86 (as in the RosAsm declaration above), 8 on x64
PVOID ImageBase; // virtual address the image is loaded at
ULONG ImageSize; // size of the loaded image in bytes
ULONG Flags; // LDRP_* bits, see Members below
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount; // 0xFFFF marks a module that is never unloaded
USHORT OffsetToFileName; // FullPathName + OffsetToFileName is the bare file name
UCHAR FullPathName[ 256 ]; // NUL-terminated ANSI path
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;
Members:
Section
Nominally a handle to the section object backing the image, i.e. one created with ZwCreateSection or NtCreateSection with SECTION_MAP_READ, SECTION_MAP_WRITE, SECTION_MAP_EXECUTE or other access. NtQuerySystemInformation does not fill it in, and it is NULL in practice; treat it as reserved and never dereference or close it.
MappedBase
The base address at which the module was mapped. For the kernel modules reported by SystemModuleInformation this member is not meaningful (NULL in observed output); use ImageBase instead.
ImageBase
The virtual address at which the image is loaded. For SystemModuleInformation this is a kernel-mode address, which is why newer Windows versions withhold this information from unprivileged callers.
ImageSize
The size of the loaded image in bytes (the PE header's SizeOfImage).
Flags
A bit mask of flags describing the state of the module; these are the same LDRP_* bits used in the Flags member of LDR_DATA_TABLE_ENTRY. Observed values include:
LDRP_STATIC_LINK 0x00000002
LDRP_IMAGE_DLL 0x00000004
LDRP_LOAD_IN_PROGRESS 0x00001000
LDRP_UNLOAD_IN_PROGRESS 0x00002000
LDRP_ENTRY_PROCESSED 0x00004000
LDRP_ENTRY_INSERTED 0x00008000
LDRP_CURRENT_LOAD 0x00010000
LDRP_FAILED_BUILTIN_LOAD 0x00020000
LDRP_DONT_CALL_FOR_THREADS 0x00040000
LDRP_PROCESS_ATTACH_CALLED 0x00080000
LDRP_DEBUG_SYMBOLS_LOADED 0x00100000
LDRP_IMAGE_NOT_AT_BASE 0x00200000
LDRP_WX86_IGNORE_MACHINETYPE 0x00400000
LoadOrderIndex
The zero-based position of the module in load order, which is also its index in the Modules array that NtQuerySystemInformation returns.
InitOrderIndex
The position of the module in initialization order. For the kernel modules returned by NtQuerySystemInformation it has been observed to be equal to LoadOrderIndex.
LoadCount
The module's reference count as maintained by the loader (LdrQueryProcessModuleInformation reports the same field for the modules of the current process).
In general, this member contains either 0xFFFF, which marks a module that is never unloaded, or the actual number of references to the loaded module.
OffsetToFileName
The byte offset, within FullPathName, of the final file name component: FullPathName + OffsetToFileName is the bare file name (for example ntoskrnl.exe). Check that the offset is below 256 before using it.
FullPathName
The path of the module as a NUL-terminated ANSI string of at most 256 bytes including the terminator, normally in NT form such as \SystemRoot\system32\ntoskrnl.exe.
Remarks:
This structure was also known as DEBUG_MODULE_INFORMATION back in the NT days; unofficial headers also call it SYSTEM_MODULE.
It is the element type of RTL_PROCESS_MODULES (also known as SYSTEM_MODULE_INFORMATION), which consists of a ULONG NumberOfModules followed by that many entries, and which NtQuerySystemInformation returns for the SystemModuleInformation class (11).
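As an added example (my own code, not part of the original post), here is how a user-mode tool consumes the RTL_PROCESS_MODULES buffer that NtQuerySystemInformation(SystemModuleInformation) hands back: it checks NumberOfModules against the buffer length before trusting it, resolves FullPathName + OffsetToFileName with bounds checks, looks up a module's ImageBase by file name, and decodes the LDRP_* flags listed above. The structure uses pointer-sized fields so it matches the native layout on both x86 (the RosAsm declaration above) and x64. The two-module buffer, its addresses and flag values are constructed for the demonstration and stand in for a live query.

```c
/* Added example, not code from the original post: consume an RTL_PROCESS_MODULES buffer, the array
 * of RTL_PROCESS_MODULE_INFORMATION returned by NtQuerySystemInformation(SystemModuleInformation, 11).
 * The two-module sample buffer below is constructed here in place of a live query. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* HANDLE/PVOID are pointer-sized: 4 bytes on x86 (as in the RosAsm declaration above), 8 on x64. */
typedef struct {
    uintptr_t Section;            /* not filled in */
    uintptr_t MappedBase;
    uintptr_t ImageBase;
    uint32_t  ImageSize;
    uint32_t  Flags;
    uint16_t  LoadOrderIndex;
    uint16_t  InitOrderIndex;
    uint16_t  LoadCount;
    uint16_t  OffsetToFileName;
    uint8_t   FullPathName[256];  /* NUL-terminated ANSI path */
} RTL_PROCESS_MODULE_INFORMATION;

typedef struct {
    uint32_t NumberOfModules;
    RTL_PROCESS_MODULE_INFORMATION Modules[1];   /* really NumberOfModules entries */
} RTL_PROCESS_MODULES;

static const struct { uint32_t bit; const char *name; } ldrp_flags[] = {
    { 0x2, "LDRP_STATIC_LINK" }, { 0x4, "LDRP_IMAGE_DLL" }, { 0x1000, "LDRP_LOAD_IN_PROGRESS" },
    { 0x2000, "LDRP_UNLOAD_IN_PROGRESS" }, { 0x4000, "LDRP_ENTRY_PROCESSED" }, { 0x8000, "LDRP_ENTRY_INSERTED" },
    { 0x10000, "LDRP_CURRENT_LOAD" }, { 0x20000, "LDRP_FAILED_BUILTIN_LOAD" }, { 0x40000, "LDRP_DONT_CALL_FOR_THREADS" },
    { 0x80000, "LDRP_PROCESS_ATTACH_CALLED" }, { 0x100000, "LDRP_DEBUG_SYMBOLS_LOADED" },
    { 0x200000, "LDRP_IMAGE_NOT_AT_BASE" }, { 0x400000, "LDRP_WX86_IGNORE_MACHINETYPE" },
};

/* Entry count, or -1 when NumberOfModules claims more entries than buf_len actually holds. */
static int module_count(const void *buf, size_t buf_len)
{
    size_t hdr = offsetof(RTL_PROCESS_MODULES, Modules), n;
    if (buf == NULL || buf_len < hdr) return -1;
    n = ((const RTL_PROCESS_MODULES *)buf)->NumberOfModules;
    return (n > INT_MAX || n > (buf_len - hdr) / sizeof(RTL_PROCESS_MODULE_INFORMATION)) ? -1 : (int)n;
}

/* FullPathName + OffsetToFileName is the bare file name; NULL if the offset or a missing NUL leaves the field. */
static const char *module_file_name(const RTL_PROCESS_MODULE_INFORMATION *m)
{
    size_t off = m->OffsetToFileName, room = sizeof m->FullPathName;
    if (off >= room || memchr(m->FullPathName + off, '\0', room - off) == NULL) return NULL;
    return (const char *)m->FullPathName + off;
}

/* ImageBase of the module whose file name is `name` (exact match, as the kernel reports it), 0 if absent.
 * Treat 0 as "no answer": recent Windows builds withhold kernel addresses from unprivileged callers. */
static uintptr_t find_image_base(const void *buf, size_t buf_len, const char *name)
{
    const RTL_PROCESS_MODULES *pm = (const RTL_PROCESS_MODULES *)buf;
    int i, n = module_count(buf, buf_len);
    for (i = 0; i < n; i++) {
        const char *fn = module_file_name(&pm->Modules[i]);
        if (fn != NULL && strcmp(fn, name) == 0) return pm->Modules[i].ImageBase;
    }
    return 0;
}

/* Names of the LDRP_* bits set in flags, '|'-separated into out; returns how many bits were named. */
static int describe_flags(uint32_t flags, char *out, size_t out_len)
{
    size_t i, used = 0; int n = 0;
    if (out_len) out[0] = '\0';
    for (i = 0; i < sizeof ldrp_flags / sizeof ldrp_flags[0]; i++) {
        if (!(flags & ldrp_flags[i].bit)) continue;
        if (used < out_len) {   /* stop writing once truncated, but keep counting */
            int w = snprintf(out + used, out_len - used, "%s%s", n ? "|" : "", ldrp_flags[i].name);
            if (w > 0) used += (size_t)w;
        }
        n++;
    }
    return n;
}

/* Constructed sample standing in for real query output (x86-style addresses; LoadCount 0xFFFF = pinned). */
static const void *sample_modules(size_t *len)
{
    static struct { uint32_t NumberOfModules; RTL_PROCESS_MODULE_INFORMATION Modules[2]; } s;
    static const char *paths[2] = { "\\SystemRoot\\system32\\ntoskrnl.exe", "\\SystemRoot\\system32\\hal.dll" };
    static const uint32_t bases[2] = { 0x80400000u, 0x806E4000u }, sizes[2] = { 0x1E0000u, 0x20000u };
    int i;
    memset(&s, 0, sizeof s);
    s.NumberOfModules = 2;
    for (i = 0; i < 2; i++) {
        RTL_PROCESS_MODULE_INFORMATION *m = &s.Modules[i];
        m->ImageBase = bases[i]; m->ImageSize = sizes[i]; m->Flags = 0x4000 | 0x8000;
        m->LoadOrderIndex = m->InitOrderIndex = (uint16_t)i; m->LoadCount = i ? 3 : 0xFFFF;
        strncpy((char *)m->FullPathName, paths[i], sizeof m->FullPathName - 1);
        m->OffsetToFileName = (uint16_t)(strrchr(paths[i], '\\') - paths[i] + 1);
    }
    *len = sizeof s;
    return &s;
}
```

To feed real data into these routines on Windows, call NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &needed) first; it fails with STATUS_INFO_LENGTH_MISMATCH and reports the required length, so allocate that much and call again, looping while the status stays STATUS_INFO_LENGTH_MISMATCH because the module list can grow between the two calls. Pass the returned length, not the allocation size, as buf_len. Modules[0] is the kernel image itself, whatever its file name, and a zero ImageBase (or an access-denied status) from an unprivileged process means the kernel declined to leak addresses, not that the module is absent.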