blocks|key|2072652|text|如果不使用无文档的API，就无法做到这一点。通常，由于地址空间的差异，从32位进程读取64位进程的内存将无法工作。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2072653|EnumProcessModulesEx有LIST_MODULES_32BIT和LIST_MODULES_64BIT过滤器标志，它可以这样说：|offset|length|style|CODE|2072654|此功能主要用于64位应用程序.如果在WOW64下运行的32位应用程序调用该函数，则忽略dwFilterFlag选项，该函数提供与EnumProcessModules函数相同的结果。|blockquote|2072655|您可以通过将您的程序转换为64位，使用separate+64位COM服务器(特别是使用DLL代理，或者有一个单独的与您通信的进程)来做到这一点。或者，根据进程相对于目标进程的启动时间，您可以使用WMI获取模块加载事件。查看Win32_ModuleLoadTrace事件。|2072656|过程资源管理器，一个32位的exe，可以向您展示32位和64位进程的模块，但是它确实是一个烟雾和镜像:32位的exe包含64位版本的自身，它被写到磁盘上并在64位机器上执行。|2072657|entityMap|0|LINK|mutability|MUTABLE|url|http://msdn.microsoft.com/en-us/library/ms682633(VS.85).aspx)|1|http://msdn.microsoft.com/en-us/library/ms695225(VS.85%2529.aspx)|2|http://msdn.microsoft.com/en-us/library/aa394202(VS.85).aspx|3|http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx^0|0|0|K|L|I|14|I|0|K|0|0|0|33|L|17|5|1|33|L|2|0|0|7|3|0^^$0|@$1|2|3|4|5|6|7|12|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|13|8|@$D|14|E|15|F|G]|$D|16|E|17|F|G]|$D|18|E|19|F|G]]|9|@$D|1A|E|1B|1|1C]]|A|$]]|$1|H|3|I|5|J|7|1D|8|@]|9|@]|A|$]]|$1|K|3|L|5|6|7|1E|8|@$D|1F|E|1G|F|G]]|9|@$D|1H|E|1I|1|1J]|$D|1K|E|1L|1|1M]]|A|$]]|$1|M|3|N|5|6|7|1N|8|@]|9|@$D|1O|E|1P|1|1Q]]|A|$]]|$1|O|3|-4|5|6|7|1R|8|@]|9|@]|A|$]]]|P|$Q|$5|R|S|T|A|$U|V]]|W|$5|R|S|T|A|$U|X]]|Y|$5|R|S|T|A|$U|Z]]|10|$5|R|S|T|A|$U|11]]]]

Without going into undocumented APIs, you can't do this. In general, reading a 64-bit process' memory from a 32-bit process won't work due to the address space differences.

<a href="http://msdn.microsoft.com/en-us/library/ms682633(VS.85).aspx" rel="nofollow noreferrer"><code>EnumProcessModulesEx</code></a>, which has <code>LIST_MODULES_32BIT</code> and <code>LIST_MODULES_64BIT</code> filter flags, has this to say:

<blockquote>
 This function is intended primarily for 64-bit applications. If the function is called by a 32-bit application running under WOW64, the dwFilterFlag option is ignored and the function provides the same results as the EnumProcessModules function.
</blockquote>

You could do this by converting your program to 64-bit, using an out-of-proc 64-bit COM server (specifically using a <a href="http://msdn.microsoft.com/en-us/library/ms695225(VS.85).aspx" rel="nofollow noreferrer">DLL surrogate</a>), or having a separate process that you communicate with. Alternatively, depending on when your process starts relative to your target process, you could use WMI to get module load events. See the <a href="http://msdn.microsoft.com/en-us/library/aa394202(VS.85).aspx" rel="nofollow noreferrer"><code>Win32_ModuleLoadTrace</code></a> event.

<a href="http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx" rel="nofollow noreferrer">Process Explorer</a>, a single 32-bit exe, can show you modules for both 32- and 64-bit processes, but it's really smoke and mirrors: the 32-bit exe contains a 64-bit version of itself that gets written out to disk and executed on 64-bit machines.

blocks|key|1716852|text|使用Windows管理工具(WMI)。示例(Delphi)：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1716853|function+GetProcessCount(const+aFileName:+string):+Integer;
var
++lValue:+LongWord;
++lWMIService:+OleVariant;
++lWMIItems:+OleVariant;
++lWMIItem:+OleVariant;
++lWMIEnum:+IEnumVariant;
begin
++Result+:=+-1;
++lWMIService+:=+GetWMIObject('winmgmts:\\.\root\CIMV2');+{+Do+not+localize.+}
++if+(TVarData(lWMIService).VType+=+varDispatch)+and+(TVarData(lWMIService).VDispatch+<>+nil)+then
++begin
++++Result+:=+0;
++++lWMIItems+:=+lWMIService.ExecQuery(Format('SELECT+*+FROM+Win32_Process+WHERE+Name=''%25s''',+[ExtractFileName(aFileName)]));+{+Do+not+localize.+}
++++lWMIEnum+:=+IUnknown(lWMIItems._NewEnum)+as+IEnumVariant;
++++while+lWMIEnum.Next(1,+lWMIItem,+lValue)+=+0+do
++++begin
++++++Inc(Result);
++++end;
++end;
end;|code-block|syntax|javascript|1716854|entityMap^0|0|0^^$0|@$1|2|3|4|5|6|7|I|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|J|8|@]|9|@]|A|$E|F]]|$1|G|3|-4|5|6|7|K|8|@]|9|@]|A|$]]]|H|$]]

Use Windows Management Instrumentation (WMI). Example (Delphi):

<pre><code>function GetProcessCount(const aFileName: string): Integer;
var
 lValue: LongWord;
 lWMIService: OleVariant;
 lWMIItems: OleVariant;
 lWMIItem: OleVariant;
 lWMIEnum: IEnumVariant;
begin
 Result := -1;
 lWMIService := GetWMIObject('winmgmts:\\.\root\CIMV2'); { Do not localize. }
 if (TVarData(lWMIService).VType = varDispatch) and (TVarData(lWMIService).VDispatch &lt;&gt; nil) then
 begin
 Result := 0;
 lWMIItems := lWMIService.ExecQuery(Format('SELECT * FROM Win32_Process WHERE Name=''%s''', [ExtractFileName(aFileName)])); { Do not localize. }
 lWMIEnum := IUnknown(lWMIItems._NewEnum) as IEnumVariant;
 while lWMIEnum.Next(1, lWMIItem, lValue) = 0 do
 begin
 Inc(Result);
 end;
 end;
end;
</code></pre>

blocks|key|2072728|text|您的请求的解决方案与从x64进程读取x86进程内存任务有一些交叉点。主要是，我们应该了解NtWow64QueryInformationProcess64和NtWow64ReadVirtualMemory64函数，它们存在于x86+ntdll.dll中，专门用于从x86+one中获取有关x64进程的信息。|type|unstyled|depth|inlineStyleRanges|offset|length|style|CODE|entityRanges|data|2072729|我们还应该了解OS结构之间的一些依赖关系。|2072730|PROCESS_BASIC_INFORMATION包含PEB的地址。PEB代表进程环境块。它包含PEB_LDR_DATA结构的地址。它反过来包含LIST_ENTRY链中第一个LIST_ENTRY结构的地址。LDR_DATA_TABLE_ENTRY包含指向以下LDR_DATA_TABLE_ENTRY的链接。|2072731|在WinDbg中检查此信息的示例：|2072732|0:000>+!peb
PEB+at+000007fffffdb000
...

0:000>+dt+ntdll!_peb+000007fffffdb000
...
%2B0x018+Ldr++++++++++++++:+0x00000000`76fbd640+_PEB_LDR_DATA
...

0:000>+dt+ntdll!_PEB_LDR_DATA+76fbd640
...
%2B0x010+InLoadOrderModuleList+:+_LIST_ENTRY+[+0x00000000`00415bb0+-+0x00000000`070eb9c0+]
...

0:000>+dt+ntdll!_LDR_DATA_TABLE_ENTRY+00415bb0
%2B0x000+InLoadOrderLinks+:+_LIST_ENTRY+[+0x00000000`00415ca0+-+0x00000000`76fbd650+]
...
%2B0x030+DllBase++++++++++:+0x00000001`3f4d0000+Void
...
%2B0x058+BaseDllName++++++:+_UNICODE_STRING+"procexp64.exe"
...

0:000>+dt+ntdll!_LDR_DATA_TABLE_ENTRY+00415ca0
%2B0x000+InLoadOrderLinks+:+_LIST_ENTRY+[+0x00000000`00416020+-+0x00000000`00415bb0+]
...
%2B0x030+DllBase++++++++++:+0x00000000`76e90000+Void
...
%2B0x058+BaseDllName++++++:+_UNICODE_STRING+"ntdll.dll"
...|code-block|syntax|javascript|2072733|在代码中要采取的步骤如下：|2072734|通过通常对OpenProcess函数的调用获得进程句柄。|ordered-list-item|2072735|通过调用PROCESS_BASIC_INFORMATION来读取NtWow64QueryInformationProcess64结构。|2072736|获取存在于PEB结构中的PROCESS_BASIC_INFORMATION地址。|2072737|通过调用PEB来读取NtWow64ReadVirtualMemory64结构。|2072738|获取PEB_LDR_DATA结构的地址。|2072739|读取PEB_LDR_DATA结构并获取第一个LDR_DATA_TABLE_ENTRY元素的地址。|2072740|继续读取LDR_DATA_TABLE_ENTRY元素的内存，而下一个元素的地址不等于第一个元素的地址。|2072741|在步骤7中，我们还读取了UNICODE_STRING+(驻留在LDR_DATA_TABLE_ENTRY中)的缓冲区以获得当前的模块名。|2072742|代码如下所示。它由两个文件组成，main.cpp和os_structs.hpp。|2072743|main.cpp|BOLD|2072744|#include+"os_structs.hpp"

#include+<algorithm>
#include+<codecvt>
#include+<cstdint>
#include+<iostream>
#include+<stdexcept>
#include+<string>
#include+<vector>

#ifndef+WIN32
#+++error+"This+application+must+be+built+as+an+x86+executable"
#endif

#define+GET_FUNC_ADDR(name)+_##name+name+=+(_##name)::GetProcAddress(::GetModuleHandleA("ntdll.dll"),+#name)

#define+IS_TRUE(clause,+msg)+if+(!(clause))+{+throw+std::runtime_error(msg);+}

namespace
{

struct+close_on_exit
{
++++close_on_exit(HANDLE+ptr)
++++++++:+ptr_(ptr)
++++{+};

++++~close_on_exit()
++++{
++++++++if+(ptr_)
++++++++{
++++++++++++::CloseHandle(ptr_);
++++++++++++ptr_+=+nullptr;
++++++++}
++++}

private:
++++HANDLE+ptr_;
};

//+Names+of+modules+
std::string+convert_unicode_to_utf8(std::vector<uint8_t>+&raw_bytes)
{
++++std::vector<uint16_t>+unicode(raw_bytes.size()+>>+1,+0);
++++memcpy(unicode.data(),+raw_bytes.data(),+raw_bytes.size());

++++std::wstring_convert<std::codecvt_utf8<wchar_t>>+converter;

++++const+std::wstring+wide_string(unicode.begin(),+unicode.end());
++++const+std::string+utf8_string+=+converter.to_bytes(wide_string);

++++return+utf8_string;
}

void+*get_handle(uint32_t+id)
{
++++HANDLE+handle+=+::OpenProcess(PROCESS_ALL_ACCESS,+FALSE,+id);

++++std::cout+<<+"Opening+target+process...";

++++IS_TRUE(NULL+!=+handle,+"OpenProcess+failed");

++++std::cout+<<+"+ok"+<<+std::endl;

++++return+handle;
}

void+check_if_process_is_x64(HANDLE+handle)
{
++++BOOL+is_wow64_process+=+TRUE;
++++IS_TRUE(::IsWow64Process(handle,+&is_wow64_process),+"IsWow64Process+failed");
++++IS_TRUE(FALSE+==+is_wow64_process,+"Target+process+is+not+x64+one");
}

std::vector<uint8_t>+read_mem(HANDLE+handle,+uint64_t+address,+uint32_t+length)
{
++++IS_TRUE(handle,+"No+process+handle+obtained");

++++std::vector<uint8_t>+data(length,+0);

++++GET_FUNC_ADDR(NtWow64ReadVirtualMemory64);

++++NTSTATUS+status+=+NtWow64ReadVirtualMemory64(handle,+address,+data.data(),+data.size(),+FALSE);

++++IS_TRUE(NT_SUCCESS(status),+"NtWow64ReadVirtualMemory64+failed");

++++return+data;
}

void+read_pbi(HANDLE+handle,+sys::PROCESS_BASIC_INFORMATION64+&pbi)
{
++++IS_TRUE(handle,+"No+process+handle+obtained");

++++GET_FUNC_ADDR(NtWow64QueryInformationProcess64);

++++NTSTATUS+status+=+NtWow64QueryInformationProcess64(handle,+sys::ProcessBasicInformation,+&pbi,+sizeof(pbi),+NULL);

++++IS_TRUE(NT_SUCCESS(status),+"NtQueryInformationProcess+failed");
}

std::vector<uint8_t>+read_peb_data(HANDLE+handle)
{
++++sys::PROCESS_BASIC_INFORMATION64+pbi+=+{+0+};
++++read_pbi(handle,+pbi);

++++return+read_mem(handle,+pbi.PebBaseAddress,+sizeof(sys::PEB64));
}

bool+get_modules_load_order_via_peb(HANDLE+handle)
{
++++std::cout+<<+"Getting+module+load+order...\n"+<<+std::endl;

++++std::vector<uint8_t>+read_peb+=+read_peb_data(handle);
++++sys::PEB64+*peb+=+(sys::PEB64+*)read_peb.data();

++++//+------------------------------------------------------------------------
++++//+Read+memory+from+pointer+to+loader+data+structures.
++++//+------------------------------------------------------------------------
++++std::vector<uint8_t>+read_peb_ldr_data+=+read_mem(handle,+(uintptr_t)peb->LoaderData,+sizeof(sys::PEB_LDR_DATA64));
++++sys::PEB_LDR_DATA64+*peb_ldr_data+=+(sys::PEB_LDR_DATA64+*)read_peb_ldr_data.data();
++++sys::PEB_LDR_DATA64+*loader_data+=+(sys::PEB_LDR_DATA64+*)peb->LoaderData;

++++const+uintptr_t+addr_of_ptr_to_first_ldr_module+=+(uintptr_t)loader_data
++++++++%2B+((uintptr_t)&loader_data->InLoadOrderModuleList+-+(uintptr_t)&loader_data->Length);

++++ULONGLONG+address+=+peb_ldr_data->InLoadOrderModuleList.Flink;

++++uint32_t+counter+=+1;

++++//+------------------------------------------------------------------------
++++//+Traversing+loader+data+structures.
++++//+------------------------------------------------------------------------
++++do
++++{
++++++++std::vector<uint8_t>+read_ldr_table_entry+=+read_mem(handle,+address,+sizeof(sys::LDR_DATA_TABLE_ENTRY64));

++++++++sys::LDR_DATA_TABLE_ENTRY64+*ldr_table_entry+=+(sys::LDR_DATA_TABLE_ENTRY64+*)read_ldr_table_entry.data();

++++++++std::vector<uint8_t>+unicode_name+=+read_mem(handle,+ldr_table_entry->BaseDllName.Buffer,+ldr_table_entry->BaseDllName.MaximumLength);
++++++++std::string+name+=+convert_unicode_to_utf8(unicode_name);

++++++++std::cout+<<+"Module:+"+<<+name+<<+std::endl;
++++++++std::cout+<<+"++Image+base:+0x"+<<+std::hex+<<+ldr_table_entry->BaseAddress+<<+std::endl;

++++++++ldr_table_entry+=+(sys::LDR_DATA_TABLE_ENTRY64+*)read_ldr_table_entry.data();
++++++++address+=+(uintptr_t)ldr_table_entry->InLoadOrderModuleList.Flink;
++++}+while+(addr_of_ptr_to_first_ldr_module+!=+address);

++++std::cout+<<+"\nEnumeration+finished"+<<+std::endl;

++++return+true;
}

}++//+namespace

int+main()
{
++++try
++++{
++++++++HANDLE+handle+=+get_handle(16944);
++++++++close_on_exit+auto_close_handle(handle);

++++++++check_if_process_is_x64(handle);
++++++++get_modules_load_order_via_peb(handle);
++++}
++++catch+(const+std::runtime_error+&e)
++++{
++++++++std::cerr+<<+"\n----------------------------------------------------\n";
++++++++std::cerr+<<+"Exception+occurred:+"+<<+e.what();
++++++++std::cerr+<<+"\n----------------------------------------------------\n";
++++}

++++return+0;
}|2072745|os_structs.hpp|2072746|#pragma+once

#include+<windows.h>

#define+NT_SUCCESS(x)+((x)+>=+0)

//+Namespace+is+present+Not+to+collide+with+"winbase.h"
//+definition+of+PROCESS_INFORMATION_CLASS+and+others.
namespace+sys
{

typedef+enum+_PROCESS_INFORMATION_CLASS+{
++++ProcessBasicInformation,
++++ProcessQuotaLimits,
++++ProcessIoCounters,
++++ProcessVmCounters,
++++ProcessTimes,
++++ProcessBasePriority,
++++ProcessRaisePriority,
++++ProcessDebugPort,
++++ProcessExceptionPort,
++++ProcessAccessToken,
++++ProcessLdtInformation,
++++ProcessLdtSize,
++++ProcessDefaultHardErrorMode,
++++ProcessIoPortHandlers,
++++ProcessPooledUsageAndLimits,
++++ProcessWorkingSetWatch,
++++ProcessUserModeIOPL,
++++ProcessEnableAlignmentFaultFixup,
++++ProcessPriorityClass,
++++ProcessWx86Information,
++++ProcessHandleCount,
++++ProcessAffinityMask,
++++ProcessPriorityBoost,
++++MaxProcessInfoClass
}+PROCESS_INFORMATION_CLASS,+*PPROCESS_INFORMATION_CLASS;

//+------------------------------------------------------------------------
//+Structs.
//+------------------------------------------------------------------------

typedef+struct+_PROCESS_BASIC_INFORMATION64+{
++++ULONGLONG+Reserved1;
++++ULONGLONG+PebBaseAddress;
++++ULONGLONG+Reserved2[2];
++++ULONGLONG+UniqueProcessId;
++++ULONGLONG+Reserved3;
}+PROCESS_BASIC_INFORMATION64;

typedef+struct+_PEB_LDR_DATA64+{
++++ULONG+Length;
++++BOOLEAN+Initialized;
++++ULONGLONG+SsHandle;
++++LIST_ENTRY64+InLoadOrderModuleList;
++++LIST_ENTRY64+InMemoryOrderModuleList;
++++LIST_ENTRY64+InInitializationOrderModuleList;
}+PEB_LDR_DATA64,+*PPEB_LDR_DATA64;

//+Structure+is+cut+down+to+ProcessHeap.
typedef+struct+_PEB64+{
++++BOOLEAN+InheritedAddressSpace;
++++BOOLEAN+ReadImageFileExecOptions;
++++BOOLEAN+BeingDebugged;
++++BOOLEAN+Spare;
++++ULONGLONG+Mutant;
++++ULONGLONG+ImageBaseAddress;
++++ULONGLONG+LoaderData;
++++ULONGLONG+ProcessParameters;
++++ULONGLONG+SubSystemData;
++++ULONGLONG+ProcessHeap;
}+PEB64;

typedef+struct+_UNICODE_STRING64+{
++++USHORT+Length;
++++USHORT+MaximumLength;
++++ULONGLONG+Buffer;
}+UNICODE_STRING64;

typedef+struct+_LDR_DATA_TABLE_ENTRY64+{
++++LIST_ENTRY64+InLoadOrderModuleList;
++++LIST_ENTRY64+InMemoryOrderModuleList;
++++LIST_ENTRY64+InInitializationOrderModuleList;
++++ULONGLONG+BaseAddress;
++++ULONGLONG+EntryPoint;
++++DWORD64+SizeOfImage;
++++UNICODE_STRING64+FullDllName;
++++UNICODE_STRING64+BaseDllName;
++++ULONG+Flags;
++++SHORT+LoadCount;
++++SHORT+TlsIndex;
++++LIST_ENTRY64+HashTableEntry;
++++ULONGLONG+TimeDateStamp;
}+LDR_DATA_TABLE_ENTRY64,+*PLDR_DATA_TABLE_ENTRY64;

}++//+namespace+sys

//+------------------------------------------------------------------------
//+Function+prototypes.
//+------------------------------------------------------------------------

typedef+NTSTATUS(NTAPI+*_NtWow64QueryInformationProcess64)(
++++IN+HANDLE+ProcessHandle,
++++ULONG+ProcessInformationClass,
++++OUT+PVOID+ProcessInformation,
++++IN+ULONG+ProcessInformationLength,
++++OUT+PULONG+ReturnLength+OPTIONAL);

typedef+NTSTATUS(NTAPI+*_NtWow64ReadVirtualMemory64)(
++++IN+HANDLE+ProcessHandle,
++++IN+DWORD64+BaseAddress,
++++OUT+PVOID+Buffer,
++++IN+ULONG64+Size,
++++OUT+PDWORD64+NumberOfBytesRead);|2072747|如果您对初始结构定义感兴趣--我想出的最好方法是下载WinDbg的符号，然后在这个调试器中查看结构的布局。你可以在上面的文章中看到样品。|2072748|entityMap|0|LINK|mutability|MUTABLE|url|https://stackoverflow.com/questions/5714297/is-it-possible-to-read-process-memory-of-a-64-bit-process-from-a-32bit-app/36798492#36798492^0|18|W|25|Q|37|9|A|F|0|0|0|0|P|R|3|Y|3|1C|C|20|A|2F|A|2V|K|3L|K|0|0|0|0|5|B|0|4|P|W|W|0|5|3|C|P|0|4|3|A|Q|0|2|C|0|2|C|M|K|0|4|K|0|C|E|V|K|0|G|8|P|E|0|0|8|0|0|0|E|0|0|0^^$0|@$1|2|3|4|5|6|7|1U|8|@$9|1V|A|1W|B|C]|$9|1X|A|1Y|B|C]|$9|1Z|A|20|B|C]]|D|@$9|21|A|22|1|23]]|E|$]]|$1|F|3|G|5|6|7|24|8|@]|D|@]|E|$]]|$1|H|3|I|5|6|7|25|8|@$9|26|A|27|B|C]|$9|28|A|29|B|C]|$9|2A|A|2B|B|C]|$9|2C|A|2D|B|C]|$9|2E|A|2F|B|C]|$9|2G|A|2H|B|C]|$9|2I|A|2J|B|C]|$9|2K|A|2L|B|C]]|D|@]|E|$]]|$1|J|3|K|5|6|7|2M|8|@]|D|@]|E|$]]|$1|L|3|M|5|N|7|2N|8|@]|D|@]|E|$O|P]]|$1|Q|3|R|5|6|7|2O|8|@]|D|@]|E|$]]|$1|S|3|T|5|U|7|2P|8|@$9|2Q|A|2R|B|C]]|D|@]|E|$]]|$1|V|3|W|5|U|7|2S|8|@$9|2T|A|2U|B|C]|$9|2V|A|2W|B|C]]|D|@]|E|$]]|$1|X|3|Y|5|U|7|2X|8|@$9|2Y|A|2Z|B|C]|$9|30|A|31|B|C]]|D|@]|E|$]]|$1|Z|3|10|5|U|7|32|8|@$9|33|A|34|B|C]|$9|35|A|36|B|C]]|D|@]|E|$]]|$1|11|3|12|5|U|7|37|8|@$9|38|A|39|B|C]]|D|@]|E|$]]|$1|13|3|14|5|U|7|3A|8|@$9|3B|A|3C|B|C]|$9|3D|A|3E|B|C]]|D|@]|E|$]]|$1|15|3|16|5|U|7|3F|8|@$9|3G|A|3H|B|C]]|D|@]|E|$]]|$1|17|3|18|5|6|7|3I|8|@$9|3J|A|3K|B|C]|$9|3L|A|3M|B|C]]|D|@]|E|$]]|$1|19|3|1A|5|6|7|3N|8|@$9|3O|A|3P|B|C]|$9|3Q|A|3R|B|C]]|D|@]|E|$]]|$1|1B|3|1C|5|6|7|3S|8|@$9|3T|A|3U|B|1D]]|D|@]|E|$]]|$1|1E|3|1F|5|N|7|3V|8|@]|D|@]|E|$O|P]]|$1|1G|3|1H|5|6|7|3W|8|@$9|3X|A|3Y|B|1D]]|D|@]|E|$]]|$1|1I|3|1J|5|N|7|3Z|8|@]|D|@]|E|$O|P]]|$1|1K|3|1L|5|6|7|40|8|@]|D|@]|E|$]]|$1|1M|3|-4|5|6|7|41|8|@]|D|@]|E|$]]]|1N|$1O|$5|1P|1Q|1R|E|$1S|1T]]]]

Solution for your request has some intersections with the task of <a href="https://stackoverflow.com/questions/5714297/is-it-possible-to-read-process-memory-of-a-64-bit-process-from-a-32bit-app/36798492#36798492">reading x64 process memory from x86 process</a>. Mainly, we should be aware of functions <code>NtWow64QueryInformationProcess64</code> and <code>NtWow64ReadVirtualMemory64</code> which are present in x86 <code>ntdll.dll</code> and are designed specifically for getting information about x64 process from the x86 one.

We should also know some dependencies between OS structures.

<code>PROCESS_BASIC_INFORMATION</code> contains address of <code>PEB</code>. <code>PEB</code> stands for Process Environment Block. It contains address of <code>PEB_LDR_DATA</code> structure. It in turn contains address of the first <code>LDR_DATA_TABLE_ENTRY</code> structure in the <code>LIST_ENTRY</code> chain. <code>LDR_DATA_TABLE_ENTRY</code> contains link to the following <code>LDR_DATA_TABLE_ENTRY</code>.

Example of examining this information in WinDbg:

<pre><code>0:000&gt; !peb
PEB at 000007fffffdb000
...

0:000&gt; dt ntdll!_peb 000007fffffdb000
...
+0x018 Ldr : 0x00000000`76fbd640 _PEB_LDR_DATA
...

0:000&gt; dt ntdll!_PEB_LDR_DATA 76fbd640
...
+0x010 InLoadOrderModuleList : _LIST_ENTRY [ 0x00000000`00415bb0 - 0x00000000`070eb9c0 ]
...

0:000&gt; dt ntdll!_LDR_DATA_TABLE_ENTRY 00415bb0
+0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x00000000`00415ca0 - 0x00000000`76fbd650 ]
...
+0x030 DllBase : 0x00000001`3f4d0000 Void
...
+0x058 BaseDllName : _UNICODE_STRING "procexp64.exe"
...

0:000&gt; dt ntdll!_LDR_DATA_TABLE_ENTRY 00415ca0
+0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x00000000`00416020 - 0x00000000`00415bb0 ]
...
+0x030 DllBase : 0x00000000`76e90000 Void
...
+0x058 BaseDllName : _UNICODE_STRING "ntdll.dll"
...
</code></pre>

Steps to be taken in code are the following:

<ol>
<li>Obtain process handle with usual call to <code>OpenProcess</code> function.</li>
<li>Read <code>PROCESS_BASIC_INFORMATION</code> structure with call to <code>NtWow64QueryInformationProcess64</code>.</li>
<li>Get address of <code>PEB</code> which is present in <code>PROCESS_BASIC_INFORMATION</code> structure.</li>
<li>Read <code>PEB</code> structure with call to <code>NtWow64ReadVirtualMemory64</code>.</li>
<li>Get address of <code>PEB_LDR_DATA</code> structure.</li>
<li>Read <code>PEB_LDR_DATA</code> structure and get address of first <code>LDR_DATA_TABLE_ENTRY</code> element.</li>
<li>Keep on reading memory for <code>LDR_DATA_TABLE_ENTRY</code> element while the address of the next element is not equal to the address of the first element.</li>
</ol>

At step 7 we also read buffer of <code>UNICODE_STRING</code> (which resides in <code>LDR_DATA_TABLE_ENTRY</code>) to obtain current module name.

The code is provided below. It consists of two files, <code>main.cpp</code> and <code>os_structs.hpp</code>.

main.cpp:

<pre><code>#include "os_structs.hpp"

#include &lt;algorithm&gt;
#include &lt;codecvt&gt;
#include &lt;cstdint&gt;
#include &lt;iostream&gt;
#include &lt;stdexcept&gt;
#include &lt;string&gt;
#include &lt;vector&gt;

#ifndef WIN32
# error "This application must be built as an x86 executable"
#endif

#define GET_FUNC_ADDR(name) _##name name = (_##name)::GetProcAddress(::GetModuleHandleA("ntdll.dll"), #name)

#define IS_TRUE(clause, msg) if (!(clause)) { throw std::runtime_error(msg); }

namespace
{

struct close_on_exit
{
 close_on_exit(HANDLE ptr)
 : ptr_(ptr)
 { };

 ~close_on_exit()
 {
 if (ptr_)
 {
 ::CloseHandle(ptr_);
 ptr_ = nullptr;
 }
 }

private:
 HANDLE ptr_;
};

// Names of modules 
std::string convert_unicode_to_utf8(std::vector&lt;uint8_t&gt; &amp;raw_bytes)
{
 std::vector&lt;uint16_t&gt; unicode(raw_bytes.size() &gt;&gt; 1, 0);
 memcpy(unicode.data(), raw_bytes.data(), raw_bytes.size());

 std::wstring_convert&lt;std::codecvt_utf8&lt;wchar_t&gt;&gt; converter;

 const std::wstring wide_string(unicode.begin(), unicode.end());
 const std::string utf8_string = converter.to_bytes(wide_string);

 return utf8_string;
}

void *get_handle(uint32_t id)
{
 HANDLE handle = ::OpenProcess(PROCESS_ALL_ACCESS, FALSE, id);

 std::cout &lt;&lt; "Opening target process...";

 IS_TRUE(NULL != handle, "OpenProcess failed");

 std::cout &lt;&lt; " ok" &lt;&lt; std::endl;

 return handle;
}

void check_if_process_is_x64(HANDLE handle)
{
 BOOL is_wow64_process = TRUE;
 IS_TRUE(::IsWow64Process(handle, &amp;is_wow64_process), "IsWow64Process failed");
 IS_TRUE(FALSE == is_wow64_process, "Target process is not x64 one");
}

std::vector&lt;uint8_t&gt; read_mem(HANDLE handle, uint64_t address, uint32_t length)
{
 IS_TRUE(handle, "No process handle obtained");

 std::vector&lt;uint8_t&gt; data(length, 0);

 GET_FUNC_ADDR(NtWow64ReadVirtualMemory64);

 NTSTATUS status = NtWow64ReadVirtualMemory64(handle, address, data.data(), data.size(), FALSE);

 IS_TRUE(NT_SUCCESS(status), "NtWow64ReadVirtualMemory64 failed");

 return data;
}

void read_pbi(HANDLE handle, sys::PROCESS_BASIC_INFORMATION64 &amp;pbi)
{
 IS_TRUE(handle, "No process handle obtained");

 GET_FUNC_ADDR(NtWow64QueryInformationProcess64);

 NTSTATUS status = NtWow64QueryInformationProcess64(handle, sys::ProcessBasicInformation, &amp;pbi, sizeof(pbi), NULL);

 IS_TRUE(NT_SUCCESS(status), "NtQueryInformationProcess failed");
}

std::vector&lt;uint8_t&gt; read_peb_data(HANDLE handle)
{
 sys::PROCESS_BASIC_INFORMATION64 pbi = { 0 };
 read_pbi(handle, pbi);

 return read_mem(handle, pbi.PebBaseAddress, sizeof(sys::PEB64));
}

bool get_modules_load_order_via_peb(HANDLE handle)
{
 std::cout &lt;&lt; "Getting module load order...\n" &lt;&lt; std::endl;

 std::vector&lt;uint8_t&gt; read_peb = read_peb_data(handle);
 sys::PEB64 *peb = (sys::PEB64 *)read_peb.data();

 // ------------------------------------------------------------------------
 // Read memory from pointer to loader data structures.
 // ------------------------------------------------------------------------
 std::vector&lt;uint8_t&gt; read_peb_ldr_data = read_mem(handle, (uintptr_t)peb-&gt;LoaderData, sizeof(sys::PEB_LDR_DATA64));
 sys::PEB_LDR_DATA64 *peb_ldr_data = (sys::PEB_LDR_DATA64 *)read_peb_ldr_data.data();
 sys::PEB_LDR_DATA64 *loader_data = (sys::PEB_LDR_DATA64 *)peb-&gt;LoaderData;

 const uintptr_t addr_of_ptr_to_first_ldr_module = (uintptr_t)loader_data
 + ((uintptr_t)&amp;loader_data-&gt;InLoadOrderModuleList - (uintptr_t)&amp;loader_data-&gt;Length);

 ULONGLONG address = peb_ldr_data-&gt;InLoadOrderModuleList.Flink;

 uint32_t counter = 1;

 // ------------------------------------------------------------------------
 // Traversing loader data structures.
 // ------------------------------------------------------------------------
 do
 {
 std::vector&lt;uint8_t&gt; read_ldr_table_entry = read_mem(handle, address, sizeof(sys::LDR_DATA_TABLE_ENTRY64));

 sys::LDR_DATA_TABLE_ENTRY64 *ldr_table_entry = (sys::LDR_DATA_TABLE_ENTRY64 *)read_ldr_table_entry.data();

 std::vector&lt;uint8_t&gt; unicode_name = read_mem(handle, ldr_table_entry-&gt;BaseDllName.Buffer, ldr_table_entry-&gt;BaseDllName.MaximumLength);
 std::string name = convert_unicode_to_utf8(unicode_name);

 std::cout &lt;&lt; "Module: " &lt;&lt; name &lt;&lt; std::endl;
 std::cout &lt;&lt; " Image base: 0x" &lt;&lt; std::hex &lt;&lt; ldr_table_entry-&gt;BaseAddress &lt;&lt; std::endl;

 ldr_table_entry = (sys::LDR_DATA_TABLE_ENTRY64 *)read_ldr_table_entry.data();
 address = (uintptr_t)ldr_table_entry-&gt;InLoadOrderModuleList.Flink;
 } while (addr_of_ptr_to_first_ldr_module != address);

 std::cout &lt;&lt; "\nEnumeration finished" &lt;&lt; std::endl;

 return true;
}

} // namespace

int main()
{
 try
 {
 HANDLE handle = get_handle(16944);
 close_on_exit auto_close_handle(handle);

 check_if_process_is_x64(handle);
 get_modules_load_order_via_peb(handle);
 }
 catch (const std::runtime_error &amp;e)
 {
 std::cerr &lt;&lt; "\n----------------------------------------------------\n";
 std::cerr &lt;&lt; "Exception occurred: " &lt;&lt; e.what();
 std::cerr &lt;&lt; "\n----------------------------------------------------\n";
 }

 return 0;
}
</code></pre>

os_structs.hpp:

<pre><code>#pragma once

#include &lt;windows.h&gt;

#define NT_SUCCESS(x) ((x) &gt;= 0)

// Namespace is present Not to collide with "winbase.h"
// definition of PROCESS_INFORMATION_CLASS and others.
namespace sys
{

typedef enum _PROCESS_INFORMATION_CLASS {
 ProcessBasicInformation,
 ProcessQuotaLimits,
 ProcessIoCounters,
 ProcessVmCounters,
 ProcessTimes,
 ProcessBasePriority,
 ProcessRaisePriority,
 ProcessDebugPort,
 ProcessExceptionPort,
 ProcessAccessToken,
 ProcessLdtInformation,
 ProcessLdtSize,
 ProcessDefaultHardErrorMode,
 ProcessIoPortHandlers,
 ProcessPooledUsageAndLimits,
 ProcessWorkingSetWatch,
 ProcessUserModeIOPL,
 ProcessEnableAlignmentFaultFixup,
 ProcessPriorityClass,
 ProcessWx86Information,
 ProcessHandleCount,
 ProcessAffinityMask,
 ProcessPriorityBoost,
 MaxProcessInfoClass
} PROCESS_INFORMATION_CLASS, *PPROCESS_INFORMATION_CLASS;

// ------------------------------------------------------------------------
// Structs.
// ------------------------------------------------------------------------

typedef struct _PROCESS_BASIC_INFORMATION64 {
 ULONGLONG Reserved1;
 ULONGLONG PebBaseAddress;
 ULONGLONG Reserved2[2];
 ULONGLONG UniqueProcessId;
 ULONGLONG Reserved3;
} PROCESS_BASIC_INFORMATION64;

typedef struct _PEB_LDR_DATA64 {
 ULONG Length;
 BOOLEAN Initialized;
 ULONGLONG SsHandle;
 LIST_ENTRY64 InLoadOrderModuleList;
 LIST_ENTRY64 InMemoryOrderModuleList;
 LIST_ENTRY64 InInitializationOrderModuleList;
} PEB_LDR_DATA64, *PPEB_LDR_DATA64;

// Structure is cut down to ProcessHeap.
typedef struct _PEB64 {
 BOOLEAN InheritedAddressSpace;
 BOOLEAN ReadImageFileExecOptions;
 BOOLEAN BeingDebugged;
 BOOLEAN Spare;
 ULONGLONG Mutant;
 ULONGLONG ImageBaseAddress;
 ULONGLONG LoaderData;
 ULONGLONG ProcessParameters;
 ULONGLONG SubSystemData;
 ULONGLONG ProcessHeap;
} PEB64;

typedef struct _UNICODE_STRING64 {
 USHORT Length;
 USHORT MaximumLength;
 ULONGLONG Buffer;
} UNICODE_STRING64;

typedef struct _LDR_DATA_TABLE_ENTRY64 {
 LIST_ENTRY64 InLoadOrderModuleList;
 LIST_ENTRY64 InMemoryOrderModuleList;
 LIST_ENTRY64 InInitializationOrderModuleList;
 ULONGLONG BaseAddress;
 ULONGLONG EntryPoint;
 DWORD64 SizeOfImage;
 UNICODE_STRING64 FullDllName;
 UNICODE_STRING64 BaseDllName;
 ULONG Flags;
 SHORT LoadCount;
 SHORT TlsIndex;
 LIST_ENTRY64 HashTableEntry;
 ULONGLONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY64, *PLDR_DATA_TABLE_ENTRY64;

} // namespace sys

// ------------------------------------------------------------------------
// Function prototypes.
// ------------------------------------------------------------------------

typedef NTSTATUS(NTAPI *_NtWow64QueryInformationProcess64)(
 IN HANDLE ProcessHandle,
 ULONG ProcessInformationClass,
 OUT PVOID ProcessInformation,
 IN ULONG ProcessInformationLength,
 OUT PULONG ReturnLength OPTIONAL);

typedef NTSTATUS(NTAPI *_NtWow64ReadVirtualMemory64)(
 IN HANDLE ProcessHandle,
 IN DWORD64 BaseAddress,
 OUT PVOID Buffer,
 IN ULONG64 Size,
 OUT PDWORD64 NumberOfBytesRead);
</code></pre>

If you're interested in initial structure definitions - the best way I've figured out is to download symbols for WinDbg and then watch structures' layout in this debugger. You can see the sample in this post above.

I have a requirement to retrieve all modules of a 64bit process in a 32bit WOW process in Windows, <a href="http://msdn.microsoft.com/en-us/library/ms682631(VS.85).aspx" rel="noreferrer">EnumProcessModules</a> would fail as described:

<blockquote>
 If this function is called from a 32-bit application running on WOW64, it can only enumerate the modules of a 32-bit process. If the process is a 64-bit process, this function fails and the last error code is ERROR_PARTIAL_COPY (299).
</blockquote>

So as to EnumProcessModulesEx and CreateToolhelp32Snapshot.

Do you have any idea on how to achieve it?

Thanks.

How to enum modules in a 64bit process from a 32bit WOW process

翻译质量差，导致语言生硬或混乱。

没有提供实际的解决方法或示例。

解答不清晰，无法理解或解决问题。

页面排版不美观，阅读体验差。

文章

问答

视频

学习中心

腾讯云实验室

直播

竞赛

腾讯云代码分析专区

腾讯iOA零信任安全管理系统专区

腾讯云架构师技术同盟交流圈

腾讯云数据库专区

腾讯云顾问专区

腾讯云原生专区

腾讯混元专区

腾讯云TCE专区

腾讯云Lighthouse专区

腾讯云HAI专区

腾讯云Edgeone专区

腾讯云存储专区

腾讯云智能专区

腾讯轻联专区 

腾讯云开发专区

TAPD专区

腾讯轻量云游戏服专区

腾讯云最具价值专家

腾讯云架构师技术同盟

腾讯云创作之星

腾讯云开发者先锋 

腾讯云代码助手

CODING DevOps

Cloud Studio

SDK中心

API中心

命令行工具

我需要在Windows中的32位WOW进程中检索64位进程的所有模块，如所述，将失败：如果该函数是从运行在WOW64上的32位应用程序调用的，它只能枚举32位进程的模块。如果进程是64位进程，则此函数将失败，最后一个错误代码是ERROR_PARTIAL_COPY (299)。如EnumProcessModulesEx和...

问如何从32位WOW进程中激活64位进程中的模块
EN

Stack Overflow用户

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问如何从32位WOW进程中激活64位进程中的模块EN