[C/C++ or Delphi]How make user module list about some process?

[c0lo]

Well, i would like to make application that i can list all modules and func that this application use, not for my application if not other application extern.

Because i need to find or found address for some apis that use in modules in this application.

Can i help me?

Thanks.

[atom0s]

You can use the following to get a list of processes:

- CreateToolhelp32Snapshot

- Process32First

- Process32Next

then you can use the following to loop a processes module list:

- CreateToolhelp32Snapshot

- Module32First

- Module32Next

You can also use the PSAPI library; see this link for more info:
/>http://msdn.microsoft.com/en-us/library/ms684894%28v=vs.85%29.aspx

[ghandi]

Well, i would like to make application that i can list all modules and func that this application use, not for my application if not other application extern.

Because i need to find or found address for some apis that use in modules in this application.

Can i help me?

Thanks.

I am having trouble deciphering your somewhat cryptic post, are you asking about listing an executable files Import Table? If so, there are plenty of great tutorials and papers available at ARTeam, Tuts4You and just about every single reverse engineering board on the Internet. "Portable Executable" and "COFF" will find you countless hits on Google, if you add "specification" or "format" you will get more relevant information.

Basically you can 'walk' the Import Table and its associated structures and iterate every function that the executable imports implicitly*. Explicit* imports you will have more work to do and there is really no 100% foolproof method to catch dynamically loaded modules/api, malware proves this all the time with its twists and turns.

*Taken from: http://www.murrayc.com/learning/windows/dll.shtml

Implicit Linking: Implicit linking uses an Import Library. These have a .lib extension. This .lib file is used by the Linker when building your application and provides a means to resolve calls made to DLL functions, along with code to manage the loading and unloading of the DLL.

Explicit Linking: Explicit linking must be used in those rare cases in which the programmer does not know until run-time which DLL must be used. Calls to the ::LoadLibrary() and ::FreeLibrary() API functions must be used. Also, before calling a function in the DLL you must use ::GetProcAddress() to get the address of that function. Of course when using these API functions you must do the usual awkward error checking. Note also that it is possible to call a function with the wrong the set of parameters and cause horrible memory problems.

Note that an MFC application explicitly linking to an DLL should use the AfxLoadLibrary and AfxFreeLibrary functions instead. These functions have additional code to cope with MFC Extension DLLs.

An entry in the import table implies(implicit) that the imported function is used and they can be grouped into libraries. Loading the dll and locating the function on demand however is explicit because unless loading/locating fail the function will be used and these should be treated as singular cases even though sometimes the same module handle/instance is used to locate and call functions from.

It is not always LoadLibrary which is used, if the module already resides in the Import Table of the executable or any of its imported modules then GetModuleHandle will return the exact same HMODULE. This is not regarded as proper coding practices but people do all sorts of things for all sorts of reasons,

More information about the Portable Executable (PE) format:
/>http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/pecoff_v8.docx <- Microsofts own PE specification v8
/>http://msdn.microsoft.com/en-us/magazine/cc301805.aspx <- Good article by Matt Pietrek titled "An In-Depth Look into the Win32 Portable Executable File Format"
/>http://en.wikipedia.org/wiki/Dynamic-link_library <- Wikipedia's page on dll's (modules)
/>http://en.wikipedia.org/wiki/Portable_Executable <- " " self-executables (exe, scr, etc)

[b]http://en.wikipedia.org/wiki/Portable_Executable#Import_Table

If i'm wrong then i've probably filled a post with useless junk but if not this may help with your enquiry,

HR,

Ghandi

Edited June 8, 2011 by ghandi

[c0lo]

You can use the following to get a list of processes:

- CreateToolhelp32Snapshot

- Process32First

- Process32Next

then you can use the following to loop a processes module list:

- CreateToolhelp32Snapshot

- Module32First

- Module32Next

You can also use the PSAPI library; see this link for more info:
/>http://msdn.microsoft.com/en-us/library/ms684894%28v=vs.85%29.aspx

Thanks atom0s, I'm going to read and learn about this apis for understand my proble.

I am having trouble deciphering your somewhat cryptic post, are you asking about listing an executable files Import Table? If so, there are plenty of great tutorials and papers available at ARTeam, Tuts4You and just about every single reverse engineering board on the Internet. "Portable Executable" and "COFF" will find you countless hits on Google, if you add "specification" or "format" you will get more relevant information.

Basically you can 'walk' the Import Table and its associated structures and iterate every function that the executable imports implicitly*. Explicit* imports you will have more work to do and there is really no 100% foolproof method to catch dynamically loaded modules/api, malware proves this all the time with its twists and turns.

*Taken from: http://www.murrayc.com/learning/windows/dll.shtml

........................

Thanks ghandi for the info about this topic, I'm sorry for how I write, I'm learning english now but I need to learn more. And I have the idea in my brain, but i don't know how talk or search info, but now with your support I know now, that needing for my work. Thanks and sorry to botters.

PD: my idea is enumerate dlls of any application.

Edited June 8, 2011 by c0lo