如何从32位WOW进程中枚举64位进程中的模块 [英] How to enum modules in a 64bit process from a 32bit WOW process

问题描述

我需要在Windows中的32位WOW进程中检索64位进程的所有模块， EnumProcessModules 将失败，如下所述：

I have a requirement to retrieve all modules of a 64bit process in a 32bit WOW process in Windows, EnumProcessModules would fail as described:

如果从32位调用位应用程序在WOW64上运行，它只能枚举32位进程的模块。如果该进程是64位进程，则此函数将失败，并且最后一个错误代码是ERROR_PARTIAL_COPY（299）。

If this function is called from a 32-bit application running on WOW64, it can only enumerate the modules of a 32-bit process. If the process is a 64-bit process, this function fails and the last error code is ERROR_PARTIAL_COPY (299).

EnumProcessModulesEx和CreateToolhelp32Snapshot。

So as to EnumProcessModulesEx and CreateToolhelp32Snapshot.

您是否知道如何实现？

谢谢。

推荐答案

如果不使用未公开的API，则无法执行此操作。通常，由于地址空间的差异，无法从32位进程中读取64位进程的内存。

Without going into undocumented APIs, you can't do this. In general, reading a 64-bit process' memory from a 32-bit process won't work due to the address space differences.

EnumProcessModulesEx ，其中具有 LIST_MODULES_32BIT 和 LIST_MODULES_64BIT 过滤器标记，其含义是：

EnumProcessModulesEx, which has LIST_MODULES_32BIT and LIST_MODULES_64BIT filter flags, has this to say:

此功能主要用于64位应用程序。如果该函数由运行在WOW64下的32位应用程序调用，则dwFilterFlag选项将被忽略，并且该函数提供的结果与EnumProcessModules函数相同。

This function is intended primarily for 64-bit applications. If the function is called by a 32-bit application running under WOW64, the dwFilterFlag option is ignored and the function provides the same results as the EnumProcessModules function.

您可以通过使用过程外的64位COM服务器（特别是使用 DLL替代），或与您进行通信的单独进程。或者，根据您的进程相对于目标进程的启动时间，可以使用WMI获取模块加载事件。请参见 Win32_ModuleLoadTrace 事件。

You could do this by converting your program to 64-bit, using an out-of-proc 64-bit COM server (specifically using a DLL surrogate), or having a separate process that you communicate with. Alternatively, depending on when your process starts relative to your target process, you could use WMI to get module load events. See the Win32_ModuleLoadTrace event.

Process Explorer （一个32位exe）可以向您展示32位和64位进程的模块，但实际上是冒烟和镜像：32位exe包含64位本身的位版本将被写入磁盘并在64位计算机上执行。

Process Explorer, a single 32-bit exe, can show you modules for both 32- and 64-bit processes, but it's really smoke and mirrors: the 32-bit exe contains a 64-bit version of itself that gets written out to disk and executed on 64-bit machines.

这篇关于如何从32位WOW进程中枚举64位进程中的模块的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！