Võtsin jälle oma koodivaramust lõigu, mida kunagi kasutasin, et teada saada, millised DLLid on protsess laadinud.
Vähemalt töötab W2K, WinXp all…Vistat pole veel proovinud
Milleks seda koodi vaja… nt kirjutasin kunagi pcturva programmi, mul oli vaja kontrollida, et mingite troojakate dll’e ei laetaks minu protsessi. Pahalased oskavad PSAPIt modifitseerida, undocumented asjadega jäävad jänni.
PSAPI’t teavad ju kõik.
CreateToolhelp32Snapshot + Module32First + Module32Next jne
Siin on selle alternatiivse koodi listing…
program procexpl;
{$APPTYPE CONSOLE}
// Ingmar Tammeväli
// http://ingmar.planet.ee
uses
SysUtils,windows;
type
  // One entry of the module list that RtlQueryProcessDebugInformation
  // fills in when PDI_MODULES is requested. Undocumented ntdll.dll
  // structure: it must stay packed and in exactly this field order.
  // kuvaLaetudDllid reads only Base and ImageName; the meaning of the
  // remaining fields is taken from the usual reverse-engineered
  // definitions and is not verified here.
  PDebugModule = ^TDebugModule;
  TDebugModule = packed record
    Reserved : array [0..1] of Cardinal;
    Base : Cardinal;                       // load address of the module (printed as "Aadress:")
    Size : Cardinal;                       // presumably image size in bytes — not used here
    Flags : Cardinal;
    Index : Word;
    Unknown : Word;                        // meaning unknown (undocumented)
    LoadCount: Word;
    ModuleNameOffset: Word;                // presumably offset of the file name within ImageName — not used here
    ImageName : array [0..$FF] of Char;    // printed as a string; NOTE(review): layout assumes a 1-byte Char (use AnsiChar on Unicode Delphi) — confirm
  End;
type
  // Header of the module list: Count entries of TDebugModule follow in
  // memory. Modules is declared [0..0] but kuvaLaetudDllid indexes it up
  // to Count-1, which relies on range checking being off for this code.
  PDebugModuleInformation = ^TDebugModuleInformation;
  TDebugModuleInformation = record
    Count: Cardinal;                        // number of valid entries in Modules
    Modules: array [0..0] of TDebugModule;  // open-ended; the real length is Count
  End;
type
  // Debug buffer allocated by RtlCreateQueryDebugBuffer and written by
  // RtlQueryProcessDebugInformation, which receives it by reference
  // (var parameter), so the native function expects exactly this size
  // and field order. Undocumented ntdll.dll layout. This program reads
  // only ModuleInformation; the other fields are kept to preserve the
  // layout and their meanings are not verified here.
  PDebugBuffer = ^TDebugBuffer;
  TDebugBuffer = record
    SectionHandle: THandle;
    SectionBase : Pointer;
    RemoteSectionBase : Pointer;
    SectionBaseDelta : Cardinal;
    EventPairHandle : THandle;
    Unknown : array [0..1] of Cardinal;    // meaning unknown (undocumented)
    RemoteThreadHandle: THandle;
    InfoClassMask : Cardinal;              // presumably the mask passed to the query (PDI_MODULES here) — unverified
    SizeOfInfo : Cardinal;
    AllocatedSize : Cardinal;
    SectionSize : Cardinal;
    ModuleInformation : PDebugModuleInformation;  // module list after a PDI_MODULES query; the only field read by this program
    BackTraceInformation: Pointer;
    HeapInformation : Pointer;
    LockInformation : Pointer;
    Reserved : array [0..7] of Pointer;
  End;
type
  // Prototypes of the three undocumented ntdll.dll exports that
  // kuvaLaetudDllid resolves at run time with GetProcAddress.
  // All use the stdcall convention.
  // Allocates a debug buffer; kuvaLaetudDllid passes Size = 0 and
  // EventPair = False (0 presumably means a default size — unverified).
  TFNRtlCreateQueryDebugBuffer=Function(Size:Cardinal;EventPair: Boolean): PDebugBuffer; stdcall;
  // Fills DebugBuffer for ProcessId with the information classes selected
  // by DebugInfoClassMask; the result is treated as an NTSTATUS
  // (>= 0 means success) by the caller.
  TFNRtlQueryProcessDebugInformation=Function(ProcessId,DebugInfoClassMask: Cardinal; var DebugBuffer: TDebugBuffer): Integer; stdcall;
  // Releases a buffer obtained from RtlCreateQueryDebugBuffer; the caller
  // ignores the result.
  TFNRtlDestroyQueryDebugBuffer=Function(DebugBuffer:PDebugBuffer): Integer; stdcall;
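procedure kuvaLaetudDllid(const procID : dword);
// Prints, one per line, the base address and image name of every module
// loaded in process procID, as "Aadress:<hex>;<image name>".
// Uses the undocumented ntdll.dll debug-buffer interface
// (RtlCreateQueryDebugBuffer / RtlQueryProcessDebugInformation /
// RtlDestroyQueryDebugBuffer), resolved at run time with GetProcAddress,
// instead of PSAPI or ToolHelp.
// Every failure (missing export, failed buffer allocation or query,
// implausible module count) is reported on the console rather than
// swallowed, so an empty listing can be told apart from a scan that did
// not run. Never raises to the caller.
// NOTE(review): these ntdll entry points run inside this process and can
// be intercepted there like any other API, so a module that is absent
// from this list is not proof that it is not loaded — treat the output
// as one signal, not as a verdict.
const
  PDI_MODULES = $01;   // DebugInfoClassMask bit: request the module list
  MAX_MODULES = 255;   // sanity bound on Count before the buffer contents are trusted
var
  HNtDll: HMODULE;
  RtlCreateQueryDebugBuffer : TFNRtlCreateQueryDebugBuffer;
  RtlQueryProcessDebugInformation: TFNRtlQueryProcessDebugInformation;
  RtlDestroyQueryDebugBuffer : TFNRtlDestroyQueryDebugBuffer;
  DbgBuffer : PDebugBuffer;
  ModInfo : PDebugModuleInformation;
  Status : Integer;
  Loop : Integer;

  // Resolves one ntdll.dll export or raises, so that a missing function is
  // reported by the except handler below instead of ending the procedure
  // silently (the original bare Exit left no trace).
  function NtExport(const Name: string): Pointer;
  begin
    Result := GetProcAddress(HNtDll, PChar(Name));
    if Result = nil then
      raise Exception.Create('ntdll.dll ei ekspordi funktsiooni ' + Name);
  end;

begin
  HNtDll := 0;   // keeps the finally block safe even if LoadLibrary never ran
  try
    try
      HNtDll := LoadLibrary('ntdll.dll');
      if HNtDll = 0 then
        RaiseLastWin32Error;
      RtlCreateQueryDebugBuffer := NtExport('RtlCreateQueryDebugBuffer');
      RtlQueryProcessDebugInformation := NtExport('RtlQueryProcessDebugInformation');
      RtlDestroyQueryDebugBuffer := NtExport('RtlDestroyQueryDebugBuffer');

      DbgBuffer := RtlCreateQueryDebugBuffer(0, False);   // Size 0: let ntdll size the buffer
      if not Assigned(DbgBuffer) then
      begin
        writeln('Viga: RtlCreateQueryDebugBuffer tagastas nil');
        Exit;
      end;
      try
        Status := RtlQueryProcessDebugInformation(procID, PDI_MODULES, DbgBuffer^);
        // NTSTATUS: negative means failure (e.g. the target process is not
        // accessible). Report it rather than printing an empty list.
        if Status < 0 then
        begin
          writeln('Viga: RtlQueryProcessDebugInformation NTSTATUS=' + IntToHex(Status, 8));
          Exit;
        end;
        ModInfo := DbgBuffer.ModuleInformation;
        if not Assigned(ModInfo) then
        begin
          writeln('Viga: moodulite info puudub');
          Exit;
        end;
        if ModInfo.Count >= MAX_MODULES then
        begin
          writeln('Viga: kahtlane moodulite arv ' + IntToStr(ModInfo.Count));
          Exit;
        end;
        // Modules is declared [0..0] and indexed past that bound on purpose;
        // this requires range checking to be off ({$R-}, the compiler default).
        for Loop := 0 to Integer(ModInfo.Count) - 1 do
          writeln('Aadress:' + IntToHex(ModInfo.Modules[Loop].Base, 12) + ';'
                  + ModInfo.Modules[Loop].ImageName);
      finally
        RtlDestroyQueryDebugBuffer(DbgBuffer);   // always released, also on Exit
      end;
    finally
      if HNtDll <> 0 then
        FreeLibrary(HNtDll);
    end;
  except
    // Report instead of swallowing: a caller relying on this listing must be
    // able to see that the scan failed.
    on E: Exception do
      writeln('Viga: ' + E.Message);
  end;
end;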
begin
  // Banner, followed by one empty line.
  Write('Laetud DLLid ...');
  Writeln;
  Writeln;
  // List the modules of this very process; any other PID can be passed instead.
  kuvaLaetudDllid(windows.GetCurrentProcessId);
  // Keep the console window open until Enter is pressed.
  Readln;
end.