Enumerating Kernel Modules

Discussion in 'Windows Vista Drivers' started by L. Spiro, Nov 16, 2007.

  1. L. Spiro

    L. Spiro Guest

    My debugger shows user-land modules for a process and all functions they
    import/export (including their addresses and ordinals).
    How can I implement the same functionality for kernel-land modules?

    L. Spiro
    L. Spiro, Nov 16, 2007

  2. David Craig

    David Craig Guest

    This will only show those explicitly linked to by using lib files. Use of
    LoadLibrary won't be shown.

    Get the document about the PE file format where all imports and exports are

    Total Commander has a plugin that can be used to look at the imports and
    exports of any executable.

    Dumpbin also will show those items.
    David Craig, Nov 16, 2007

  3. L. Spiro

    L. Spiro Guest

    I am already using the debug image API (MapAndLoad(), etc.) to extract the
    exports and imports from the .DLL files (and others), and I assume this will
    work on .SYS files as well.
    Then LoadLibrary() and GetProcAddress() to get the actual addresses of the
    functions in the context of the target process.
    I don’t know if LoadLibrary() works on .SYS files. If not, this is part of
    my question.

    What I primarily need is a way to enumerate the kernel modules on the system.
    Then, if the method for getting function addresses is different for .SYS
    files, I would need to know what the correct method is for that too.

    If I can’t list function addresses, at least I would like to know how to
    list the kernel modules and where they are loaded in RAM and how much space
    they consume.

    L. Spiro
    L. Spiro, Nov 16, 2007
  4. Maxim S. Shatskih

    > I don’t know if LoadLibrary() works on .SYS files. If not, this is part of
    > my question.

    "Load library as datafile" works. This is how the Event Viewing API loads the .SYS
    files to extract the .MC resources from them to get the event log message

    I also expect that "load library as datafile" is used for .SYS files within the
    WMI provider service to load their MOF resources.

    WinDbg uses the undocumented PsLoadedModuleList kernel global for this.
    Maxim S. Shatskih, Nov 16, 2007

  5. Doron Holan [MSFT], Nov 19, 2007
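The thread's answers fit together as follows: the loaded-module list (PsLoadedModuleList, or whatever the debugger obtains it through) gives each kernel module's name, load base and size, and a file-mapped view of the .SYS (MapAndLoad() or LoadLibraryEx() with LOAD_LIBRARY_AS_DATAFILE) gives its export directory. Because GetProcAddress() cannot be pointed at a kernel image, the function addresses L. Spiro asks for are simply load base plus export RVA. The C below is an added example, not code from the thread: it reads the PE structures by offset (so it builds without windows.h), and both the module list and the PE image it parses are constructed in the code itself. Names such as "sample.sys", "SampleExportA"/"SampleExportB" and the 0xFFFFF88001000000 base are made up for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { char name[32]; uint16_t ordinal; uint32_t rva; uint64_t va; } pe_export;
typedef struct { const char *name; uint64_t base; uint32_t size; } kmodule;
static const kmodule g_modules[] = { { "sample.sys", 0xFFFFF88001000000ull, 0x10000 } };  /* constructed stand-in for the loaded-module list */

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* RVA -> file offset via the section table; a file-mapped view (MapAndLoad, LOAD_LIBRARY_AS_DATAFILE) is not laid out at virtual addresses. SIZE_MAX on failure. */
static size_t rva_to_off(const uint8_t *img, size_t len, uint32_t rva) {
    uint32_t pe = len >= 0x40 ? rd32(img + 0x3C) : 0xFFFFFFFFu;              /* e_lfanew */
    if ((size_t)pe + 24 > len || memcmp(img + pe, "PE\0\0", 4)) return SIZE_MAX;
    uint16_t nsec = rd16(img + pe + 6), optsz = rd16(img + pe + 20);
    const uint8_t *sec = img + pe + 24 + optsz;                              /* first IMAGE_SECTION_HEADER */
    if ((size_t)(sec - img) + nsec * 40u > len) return SIZE_MAX;
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {
        uint32_t vsz = rd32(sec + 8), va = rd32(sec + 12), raw = rd32(sec + 20);
        if (rva >= va && rva < va + vsz) return (size_t)raw + (rva - va) < len ? (size_t)raw + (rva - va) : SIZE_MAX;
    }
    return SIZE_MAX;
}

/* Walk the export directory (names -> ordinals -> addresses) and rebase every RVA onto load_base. Returns named-export count, or -1 if the image is malformed. */
static int parse_exports(const uint8_t *img, size_t len, uint64_t load_base, pe_export *out, int max_out) {
    uint32_t pe = len >= 0x40 ? rd32(img + 0x3C) : 0xFFFFFFFFu;
    if ((size_t)pe + 24 + 120 > len) return -1;
    size_t dd = (size_t)pe + 24 + (rd16(img + pe + 24) == 0x20B ? 112 : 96);   /* export DataDirectory: PE32+ vs PE32 */
    uint32_t exp_rva = rd32(img + dd), exp_size = rd32(img + dd + 4);
    size_t eo = rva_to_off(img, len, exp_rva);
    if (exp_rva == 0 || exp_size < 40 || eo == SIZE_MAX || eo + 40 > len) return -1;
    uint32_t base = rd32(img + eo + 16), nfunc = rd32(img + eo + 20), nnames = rd32(img + eo + 24);
    size_t fo = rva_to_off(img, len, rd32(img + eo + 28)), no = rva_to_off(img, len, rd32(img + eo + 32));
    size_t oo = rva_to_off(img, len, rd32(img + eo + 36));
    if (fo == SIZE_MAX || no == SIZE_MAX || oo == SIZE_MAX) return -1;
    if (fo + 4ull * nfunc > len || no + 4ull * nnames > len || oo + 2ull * nnames > len) return -1;
    int n = 0;
    for (uint32_t i = 0; i < nnames && n < max_out; i++) {
        uint16_t ord = rd16(img + oo + 2 * i);
        size_t so = rva_to_off(img, len, rd32(img + no + 4 * i));
        if (ord >= nfunc || so == SIZE_MAX || !memchr(img + so, 0, len - so)) return -1;   /* bad ordinal or unterminated name */
        snprintf(out[n].name, sizeof out[n].name, "%s", (const char *)img + so);
        out[n].ordinal = (uint16_t)(base + ord);           /* biased ordinal, as dumpbin prints it */
        out[n].rva = rd32(img + fo + 4 * ord);
        out[n].va = load_base + out[n].rva;                /* kernel image: no GetProcAddress, just base + RVA */
        n++;
    }
    return n;
}

/* Constructed PE32+ image with one .edata section and two named exports; test input only, not a real driver. */
static size_t build_sample_pe(uint8_t *buf, size_t cap) {
    if (cap < 0x300) return 0;
    memset(buf, 0, 0x300); memcpy(buf, "MZ", 2); wr32(buf + 0x3C, 0x40); memcpy(buf + 0x40, "PE\0\0", 4);
    wr16(buf + 0x44, 0x8664); wr16(buf + 0x46, 1); wr16(buf + 0x54, 0xF0);   /* x64, 1 section, PE32+ optional header */
    wr16(buf + 0x58, 0x20B); wr32(buf + 0xC4, 16);                          /* Magic, NumberOfRvaAndSizes */
    wr32(buf + 0xC8, 0x1000); wr32(buf + 0xCC, 0x90);                       /* export directory RVA / size */
    uint8_t *sec = buf + 0x148;                                             /* .edata: RVA 0x1000 -> file offset 0x200 */
    memcpy(sec, ".edata", 6); wr32(sec + 8, 0x100); wr32(sec + 12, 0x1000); wr32(sec + 16, 0x100); wr32(sec + 20, 0x200);
    uint8_t *ed = buf + 0x200;                                              /* IMAGE_EXPORT_DIRECTORY */
    wr32(ed + 12, 0x1080); wr32(ed + 16, 1); wr32(ed + 20, 2); wr32(ed + 24, 2);   /* Name, Base, NumberOfFunctions, NumberOfNames */
    wr32(ed + 28, 0x1030); wr32(ed + 32, 0x1040); wr32(ed + 36, 0x1050);   /* AddressOfFunctions / Names / NameOrdinals */
    wr32(ed + 0x30, 0x2100); wr32(ed + 0x34, 0x2200);                       /* function RVAs */
    wr32(ed + 0x40, 0x1060); wr32(ed + 0x44, 0x1070);                       /* name RVAs (sorted, as the loader expects) */
    wr16(ed + 0x50, 0); wr16(ed + 0x52, 1);                                 /* name ordinals */
    memcpy(ed + 0x60, "SampleExportA", 14); memcpy(ed + 0x70, "SampleExportB", 14);
    memcpy(ed + 0x80, "sample.sys", 11);
    return 0x300;
}

/* Resolve a named export of a loaded kernel module: base from the module list, RVA from the mapped image. 0 if not found. */
static uint64_t resolve_kernel_export(const kmodule *mods, int nmods, const char *module,
                                      const uint8_t *img, size_t len, const char *func) {
    pe_export ex[64];
    for (int m = 0; m < nmods; m++) {
        if (strcmp(mods[m].name, module) != 0) continue;
        int n = parse_exports(img, len, mods[m].base, ex, 64);
        for (int i = 0; i < n; i++) if (strcmp(ex[i].name, func) == 0) return ex[i].va;
    }
    return 0;
}

/* Wrappers over the constructed image and module list; a count of -1 means the (possibly truncated) mapping was rejected. */
static uint64_t lookup_sample_export(const char *func) {
    uint8_t img[0x300]; size_t len = build_sample_pe(img, sizeof img);
    return resolve_kernel_export(g_modules, 1, "sample.sys", img, len, func);
}
static int sample_export_count(size_t visible) {   /* parse with only the first `visible` bytes mapped */
    uint8_t img[0x300]; pe_export ex[64]; size_t len = build_sample_pe(img, sizeof img);
    return parse_exports(img, visible < len ? visible : len, g_modules[0].base, ex, 64);
}
```

Every RVA goes through the section table and every table read is bounds-checked against the mapped length, so a truncated or malformed mapping is reported (-1) rather than read past. The same parse_exports() applies to a real .SYS mapped read-only; only the module list would come from the debugger's kernel-side source rather than the constructed table, and the "size" field answers the "how much space they consume" part of the question.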
