如何从 32 位 WOW 进程枚举 64 位进程中的模块 [英] How to enum modules in a 64bit process from a 32bit WOW process

问题描述

我需要在 Windows 的 32 位 WOW 进程中检索 64 位进程的所有模块，EnumProcessModules 会失败，如下所述:

I have a requirement to retrieve all modules of a 64bit process in a 32bit WOW process in Windows, EnumProcessModules would fail as described:

如果这个函数是从运行在WOW64上的32位应用程序调用的，它只能枚举一个32位进程的模块.如果进程是 64 位进程，则此函数失败，最后一个错误代码为 ERROR_PARTIAL_COPY (299).

If this function is called from a 32-bit application running on WOW64, it can only enumerate the modules of a 32-bit process. If the process is a 64-bit process, this function fails and the last error code is ERROR_PARTIAL_COPY (299).

对于 EnumProcessModulesEx 和 CreateToolhelp32Snapshot.

So as to EnumProcessModulesEx and CreateToolhelp32Snapshot.

你知道如何实现它吗?

谢谢.

推荐答案

如果不进入未记录的 API，您就无法做到这一点.一般来说，由于地址空间的不同，从 32 位进程读取 64 位进程的内存是行不通的.

Without going into undocumented APIs, you can't do this. In general, reading a 64-bit process' memory from a 32-bit process won't work due to the address space differences.

EnumProcessModulesEx 具有 LIST_MODULES_32BIT 和 LIST_MODULES_64BIT 过滤器标志，它的意思是:

EnumProcessModulesEx, which has LIST_MODULES_32BIT and LIST_MODULES_64BIT filter flags, has this to say:

此功能主要用于 64 位应用程序.如果该函数由在 WOW64 下运行的 32 位应用程序调用，则 dwFilterFlag 选项将被忽略，该函数提供与 EnumProcessModules 函数相同的结果.

This function is intended primarily for 64-bit applications. If the function is called by a 32-bit application running under WOW64, the dwFilterFlag option is ignored and the function provides the same results as the EnumProcessModules function.

您可以通过使用进程外 64 位 COM 服务器(特别是使用 DLL 代理)，或者有一个单独的进程与之通信.或者，根据您的进程相对于目标进程的启动时间，您可以使用 WMI 来获取模块加载事件.请参阅Win32_ModuleLoadTrace 事件.

You could do this by converting your program to 64-bit, using an out-of-proc 64-bit COM server (specifically using a DLL surrogate), or having a separate process that you communicate with. Alternatively, depending on when your process starts relative to your target process, you could use WMI to get module load events. See the Win32_ModuleLoadTrace event.

Process Explorer，一个 32 位的 exe，可以向您展示适用于 32 位和 64 位进程的模块，但它确实是雾里看花:32 位 exe 包含一个 64 位版本的自身，它被写出到磁盘并在 64 位机器上执行.

Process Explorer, a single 32-bit exe, can show you modules for both 32- and 64-bit processes, but it's really smoke and mirrors: the 32-bit exe contains a 64-bit version of itself that gets written out to disk and executed on 64-bit machines.

这篇关于如何从 32 位 WOW 进程枚举 64 位进程中的模块的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！