Find module handle in Windows x64 from external process


Question

How to find module base address by name (in another process), in Windows x64?

ProcessModuleCollection finds only: ntdll.dll wow64.dll wow64win.dll wow64cpu.dll

Where can I find an example of a function that searches for a module base address by name (one that works in x32 and x64 Windows versions)?

Recommended answer

The ProcessModuleCollection instance returned by calling Process.Modules has the information you need, provided that both processes have the same bitness. So, if the target process is a 32 bit process, make sure your process is also a 32 bit process. And if the target process is a 64 bit process, then make sure your process is a 64 bit process.

From the output you include in the question it is clear that the scenario that produced that output is:


  1. A 64 bit operating system.

  2. Your code runs in a 64 bit process.

  3. The target process is a 32 bit process.

The reason that you only enumerate those handful of modules is (presumably) that they are the 64 bit modules that are included in the 32 bit process running under the WOW64 emulator, together with the executable module.

You might be tempted to think that you can use the Windows API to enumerate modules in a process with a different bitness. But you cannot. Attempts to use CreateToolhelp32Snapshot, Module32First and Module32Next yield the same results as your C# code that uses Process.Modules. And that's not at all surprising really. It makes perfect sense that .NET, which is implemented in Win32, would call the native Win32 API that is designed for this task.

Your solution is to make sure that the call to Process.Modules is made from a 32 bit process. You will need to use some helper processes of different bitness if you need to be able to target both 32 and 64 bit processes.

Update

Ben Voigt pointed me to EnumerateLoadedModules64 from the Debug Help API. I confess to being unaware of this. However, it does appear to have the same bitness limitations as the tool help API.

Finally, there is also EnumProcessModulesEx which can enumerate 32 bit modules from a 64 bit process. If you pass LIST_MODULES_32BIT then you can indeed extract the 32 bit modules loaded into an external 32 bit process, from a calling process that is 64 bit.
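
The lookup described in the update, as an added example that is not part of the original answer: a C# helper that P/Invokes EnumProcessModulesEx and chooses LIST_MODULES_32BIT or LIST_MODULES_64BIT according to IsWow64Process. The names RemoteModules and FindModuleBase are made up for this example, and it assumes the caller is a 64 bit process on 64 bit Windows with permission to open the target.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;

static class RemoteModules // hypothetical name, not from the original answer
{
    const uint LIST_MODULES_32BIT = 0x01, LIST_MODULES_64BIT = 0x02;

    [DllImport("psapi.dll", SetLastError = true)]
    static extern bool EnumProcessModulesEx(IntPtr hProcess, [Out] IntPtr[] lphModule,
        uint cb, out uint lpcbNeeded, uint dwFilterFlag);
    [DllImport("psapi.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern uint GetModuleBaseName(IntPtr hProcess, IntPtr hModule,
        StringBuilder lpBaseName, uint nSize);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool IsWow64Process(IntPtr hProcess, out bool wow64Process);

    // Returns the module's base address (its HMODULE), or IntPtr.Zero if it is not loaded.
    // Assumes a 64 bit caller; the filter is picked from the target's bitness.
    public static IntPtr FindModuleBase(Process target, string moduleName)
    {
        IntPtr h = target.Handle;
        if (!IsWow64Process(h, out bool wow64)) throw new Win32Exception();
        // A WOW64 (32 bit) target keeps its own DLLs in the 32 bit module list.
        uint filter = wow64 ? LIST_MODULES_32BIT : LIST_MODULES_64BIT;
        var modules = new IntPtr[256];
        uint needed;
        for (;;)
        {
            uint cb = (uint)(modules.Length * IntPtr.Size);
            if (!EnumProcessModulesEx(h, modules, cb, out needed, filter))
                throw new Win32Exception();              // carries GetLastError()
            if (needed <= cb) break;                     // the whole list fit
            modules = new IntPtr[needed / IntPtr.Size];  // grow and retry
        }
        var name = new StringBuilder(260);
        for (int i = 0; i < needed / IntPtr.Size; i++)
            if (GetModuleBaseName(h, modules[i], name, (uint)name.Capacity) != 0 &&
                name.ToString().Equals(moduleName, StringComparison.OrdinalIgnoreCase))
                return modules[i];
        return IntPtr.Zero;
    }

    static void Main(string[] args) // usage: RemoteModules.exe <pid> <module.dll>
    {
        IntPtr b = FindModuleBase(Process.GetProcessById(int.Parse(args[0])), args[1]);
        Console.WriteLine(b == IntPtr.Zero ? "not loaded" : "0x" + b.ToInt64().ToString("X"));
    }
}
```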
