Where do I find the list of unloaded modules in a Windows process?


Question


I have some native (as in /SUBSYSTEM:NATIVE) Windows programs that I'd like to generate minidumps for in case they crash. Normally, I'd use dbghelp.dll, but since native processes can only use functions exported from ntdll.dll, I can't.


So I've implemented the dumper myself. It's almost done, but unfortunately, I've been unable to locate the list of unloaded modules in the crashed process (the list is certainly stored somewhere, since WinDbg is able to display it).


Where do I find the list of unloaded modules in a Windows process?


The list is certainly stored somewhere in the process memory, WinDbg can display the list even if I attach it after the modules were unloaded. There's also a note in the documentation of WinDbg:


Microsoft Windows Server 2003 and later versions of Windows maintain an unloaded module list for user-mode processes. [...]

Answer

See RtlGetUnloadEventTrace and RtlGetUnloadEventTraceEx.


I am not entirely sure about how it works, but I believe the actual list is stored by ntdll.dll in the loader code. It keeps track of the 16 (or 64, according to MSDN) last unloaded DLLs in the specific process. The information is not linked from PEB or PEB_LDR_DATA.
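An added example, not code from the question or the answer, of how a dumper can consume that trace: the struct mirrors the RTL_UNLOAD_EVENT_TRACE layout from the DDK headers, and the walker takes the element size and count that RtlGetUnloadEventTraceEx reports, skips unused slots and orders the rest by Sequence. Two things are my assumptions rather than statements from the page: that an unused slot has a NULL BaseAddress, and that Sequence grows with every unload; the Win32-only main() resolves the export with GetProcAddress (a /SUBSYSTEM:NATIVE program would import it from ntdll directly).

```c
/* Added example, not from the original post: walk the unloaded-module trace
 * that ntdll exposes through RtlGetUnloadEventTrace(Ex). Layout follows the
 * DDK's RTL_UNLOAD_EVENT_TRACE in fixed-width types; only main() needs Windows. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    void    *BaseAddress;      /* assumption: NULL marks an unused slot */
    size_t   SizeOfImage;
    uint32_t Sequence;         /* assumption: increasing unload counter, used for ordering */
    uint32_t TimeDateStamp;
    uint32_t CheckSum;
    uint16_t ImageName[32];    /* UTF-16, not NUL-terminated when 32 chars long */
    uint32_t Version[2];
} UnloadTraceEntry;

/* Copy every used slot into out[], oldest first. elem_size is the stride that
 * RtlGetUnloadEventTraceEx reports; honouring it instead of sizeof keeps the walk
 * correct on builds whose element layout is larger or smaller than this struct. */
size_t collect_unloaded(const void *trace, size_t elem_size, size_t count,
                        UnloadTraceEntry *out, size_t out_cap)
{
    size_t n = 0, take = elem_size < sizeof *out ? elem_size : sizeof *out;
    for (size_t i = 0; i < count && n < out_cap; i++) {
        const char *e = (const char *)trace + i * elem_size;
        if (((const UnloadTraceEntry *)e)->BaseAddress == NULL) continue;
        memset(&out[n], 0, sizeof out[n]);
        memcpy(&out[n++], e, take);
    }
    for (size_t i = 1; i < n; i++) {   /* insertion sort by Sequence; n <= 64 */
        UnloadTraceEntry key = out[i]; size_t j = i;
        while (j > 0 && out[j - 1].Sequence > key.Sequence) { out[j] = out[j - 1]; j--; }
        out[j] = key;
    }
    return n;
}
#ifdef _WIN32
#include <windows.h>   /* a /SUBSYSTEM:NATIVE build would import from ntdll directly */
typedef void (NTAPI *GetTraceExFn)(PULONG *, PULONG *, PVOID *);
int main(void) {
    GetTraceExFn fn = (GetTraceExFn)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlGetUnloadEventTraceEx");
    PULONG size, count; PVOID trace; UnloadTraceEntry out[64];
    if (!fn) return 1;
    fn(&size, &count, &trace);
    size_t n = collect_unloaded(trace, *size, *count, out, 64);
    for (size_t i = 0; i < n; i++) printf("#%u %p %.32S\n", out[i].Sequence, out[i].BaseAddress, (wchar_t *)out[i].ImageName);
    return 0;
}
#endif
```

RtlGetUnloadEventTraceEx hands back pointers to ntdll's own globals rather than copies, which is what lets a debugger call it locally and then read the size, count and array out of the target process at those same addresses.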
