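/// <summary>
/// Enumerates the modules loaded by the kernel.
/// </summary>
/// <remarks>
/// The query result is stored in the shared <c>_kernelModulesBuffer</c>, which is
/// allocated on first use and resized when the system reports a length mismatch.
/// No synchronization is visible in this method, so one caller could resize the
/// buffer while another caller is still reading from it.
/// NOTE(review): confirm that callers serialize access, or guard the buffer with a lock.
/// </remarks>
/// <param name="enumCallback">
/// A callback invoked once per module; returning false stops the enumeration.
/// </param>
public static void EnumKernelModules(EnumKernelModulesDelegate enumCallback)
{
    // The set of loaded modules can change between the sizing call and the retry
    // (a driver may load in between), so a single retry can still come back with
    // InfoLengthMismatch. Retry a bounded number of times before giving up.
    const int maxQueryAttempts = 8;

    NtStatus status;
    int retLength;

    if (_kernelModulesBuffer == null)
    {
        _kernelModulesBuffer = new MemoryAlloc(0x1000);
    }

    int attempt = 0;

    while (true)
    {
        status = Win32.NtQuerySystemInformation(
            SystemInformationClass.SystemModuleInformation,
            _kernelModulesBuffer,
            _kernelModulesBuffer.Size,
            out retLength
            );

        // Stop on success, on any other failure, or once the retry budget is spent.
        // In the last case the mismatch status is left in place and reported below.
        if (status != NtStatus.InfoLengthMismatch || ++attempt >= maxQueryAttempts)
        {
            break;
        }

        // Resize to the length the system asked for, then query again.
        _kernelModulesBuffer.ResizeNew(retLength);
    }

    if (status >= NtStatus.Error)
    {
        Win32.Throw(status);
    }

    // The buffer starts with a header that carries the entry count; the entries
    // themselves begin at RtlProcessModules.ModulesOffset.
    RtlProcessModules modules = _kernelModulesBuffer.ReadStruct<RtlProcessModules>();

    for (int i = 0; i < modules.NumberOfModules; i++)
    {
        var module = _kernelModulesBuffer.ReadStruct<RtlProcessModuleInformation>(
            RtlProcessModules.ModulesOffset,
            i
            );
        var moduleInfo = new Debugging.ModuleInformation(module);

        // The file name is passed through FileUtils.GetFileName before it is
        // handed to the caller; the other fields are forwarded as read.
        if (!enumCallback(new KernelModule(
            moduleInfo.BaseAddress,
            moduleInfo.Size,
            moduleInfo.Flags,
            moduleInfo.BaseName,
            FileUtils.GetFileName(moduleInfo.FileName)
            )))
        {
            break;
        }
    }
}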
/// <summary>
/// Walks the module list held in this object's debug information and reports
/// each entry to the caller.
/// </summary>
/// <param name="callback">
/// Invoked once per module entry; returning false ends the enumeration early.
/// </param>
/// <exception cref="InvalidOperationException">
/// The debug information has no module list (its Modules pointer is zero).
/// </exception>
public void EnumModules(DebugEnumModulesDelegate callback)
{
    RtlDebugInformation info = GetDebugInformation();

    if (info.Modules == IntPtr.Zero)
    {
        throw new InvalidOperationException("Module information does not exist.");
    }

    // NOTE(review): the region wraps a raw pointer with no length visible here,
    // and the entry count below is read from that same memory. If the debug
    // buffer can be written by the inspected process, a bogus count would drive
    // reads past the real data. Confirm where the buffer comes from and whether
    // a size is available to bound the loop.
    MemoryRegion region = new MemoryRegion(info.Modules);
    RtlProcessModules header = region.ReadStruct<RtlProcessModules>();
    var total = header.NumberOfModules;
    int index = 0;

    while (index < total)
    {
        // Entries start at ModulesOffset and are addressed by index with an
        // explicit per-entry size.
        var entry = region.ReadStruct<RtlProcessModuleInformation>(
            RtlProcessModules.ModulesOffset,
            RtlProcessModuleInformation.SizeOf,
            index
            );
        bool keepGoing = callback(new ModuleInformation(entry));

        if (!keepGoing)
        {
            break;
        }

        index++;
    }
}