Find module handle in Windows x64 from external process


Question

How to find module base address by name (in another process), in Windows x64?

ProcessModuleCollection finds only: ntdll.dll wow64.dll wow64win.dll wow64cpu.dll

Where can I find an example of functions for searching a module base address by name (which works in x32 and x64 Windows versions)?

Recommended answer

The ProcessModuleCollection instance returned by calling Process.Modules has the information you need. Provided that both processes have the same bitness. So, if the target process is a 32 bit process, make sure your process is also a 32 bit process. And if the target process is a 64 bit process, then make sure your process is a 64 bit process.

From the output you include in the question it is clear that the scenario that produced that output is:

  1. A 64 bit operating system.
  2. Your code executes in a 64 bit process.
  3. The target process is a 32 bit process.

The reason that you only enumerate those handful of modules is (presumably) that they are the 64 bit modules that are included in the 32 bit process running under the WOW64 emulator, together with the executable module.

You might be tempted to think that you can use the Windows API to enumerate modules in a process with a different bitness. But you cannot. Attempts to use CreateToolhelp32Snapshot, Module32First and Module32Next yield the same results as your C# code that uses Process.Modules. And that's not at all surprising really. It makes perfect sense that .net, which is implemented in Win32, would call the native Win32 API that is designed for this task.

Your solution is to make sure that the call to Process.Modules is made from a 32 bit process. You will need to use some helper processes of different bitness if you need to be able to target both 32 and 64 bit processes.

Update

Ben Voigt pointed me to EnumerateLoadedModules64 from the Debug Help API. I confess to being unaware of this. However, it does appear to have the same bitness limitations as the tool help API.

Finally, there is also EnumProcessModulesEx which can enumerate 32 bit modules from a 64 bit process. If you pass LIST_MODULES_32BIT then you can indeed extract the 32 bit modules loaded into an external 32 bit process, from a calling process that is 64 bit.
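
The EnumProcessModulesEx approach from the update, as an added example that is not part of the original answer: a C# caller resolving a module's base address in another process by name. The names RemoteModules and FindModuleBase are hypothetical; the code assumes it is built as x64 and that the caller is allowed to open the target with PROCESS_QUERY_INFORMATION and PROCESS_VM_READ.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Text;

static class RemoteModules   // hypothetical names; assumes an x64 build
{
    public const uint LIST_MODULES_32BIT = 0x01, LIST_MODULES_ALL = 0x03;
    const uint PROCESS_QUERY_INFORMATION = 0x0400, PROCESS_VM_READ = 0x0010;
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inheritHandle, int pid);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr handle);
    [DllImport("psapi.dll", SetLastError = true)]
    static extern bool EnumProcessModulesEx(IntPtr hProcess, [Out] IntPtr[] modules,
                                            uint cb, out uint needed, uint filter);
    [DllImport("psapi.dll", EntryPoint = "GetModuleBaseNameW", CharSet = CharSet.Unicode)]
    static extern uint GetModuleBaseName(IntPtr hProcess, IntPtr hModule,
                                         StringBuilder name, uint size);
    // Returns the module's base address in the target, or IntPtr.Zero if it is not loaded.
    // LIST_MODULES_ALL covers both the 32 bit and the 64 bit modules of a WOW64 target.
    public static IntPtr FindModuleBase(int pid, string moduleName, uint filter = LIST_MODULES_ALL)
    {
        IntPtr hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, pid);
        if (hProcess == IntPtr.Zero) throw new Win32Exception();
        try
        {
            var modules = new IntPtr[256];
            uint needed;
            while (true)
            {
                uint cb = (uint)(modules.Length * IntPtr.Size);
                if (!EnumProcessModulesEx(hProcess, modules, cb, out needed, filter)) throw new Win32Exception();
                if (needed <= cb) break;
                modules = new IntPtr[needed / IntPtr.Size];   // buffer too small: retry
            }
            var name = new StringBuilder(260);
            for (int i = 0; i < needed / IntPtr.Size; i++)
                if (GetModuleBaseName(hProcess, modules[i], name, (uint)name.Capacity) != 0 &&
                    string.Equals(name.ToString(), moduleName, StringComparison.OrdinalIgnoreCase))
                    return modules[i];   // a remote HMODULE is the module's base address
            return IntPtr.Zero;
        }
        finally { CloseHandle(hProcess); }
    }

    static void Main(string[] args)   // usage: RemoteModules.exe <pid> <module.dll>
    {
        IntPtr b = FindModuleBase(int.Parse(args[0]), args[1]);
        Console.WriteLine(b == IntPtr.Zero ? "not found" : "0x" + b.ToInt64().ToString("X"));
    }
}
```

Built as 32 bit instead, the same call against a 64 bit target fails with ERROR_PARTIAL_COPY (299), so the x64 build is what lets one binary cover both kinds of target.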
