modules
per-process directoryThe directory modules exists as a sub-directory in each process directory.
The modules directory contains one sub-directory for each loaded module (.DLLs and EXEs). It also contains the following files:
File | Description |
---|---|
modules.txt | Overview of loaded modules. |
modules-v.txt | Verbose overview of loaded modules. |
modules-versioninfo.txt | Module version information. |
unloaded_modules.txt | Information about unloaded modules. |
For kernel "processes" such as the System process in Windows (PID 4) the directory will contain loaded drivers (.SYS-files and .DLLs)
Each module directory contains a number of informational files and directories related to the loaded module. The files and directories and their contents are listed below:
File | Description |
---|---|
base.txt | Base virtual address of the module. |
debuginfo.txt | PDB debug information from the debug directory. |
directories.txt | Information about the 16 data directories in the PE/MZ header. |
entry.txt | Entry point virtual address of the module. |
export.txt | Functions exported by the module. |
import.txt | Functions imported by the module and their corresponding modules. |
pefile.dll | Best-effort reconstructed module, .exe/.dll/.sys, file from memory fragments. |
sections.txt | Sections of the module. |
size.txt | Size of the module. |
versioninfo.txt | Module version information. |
directoriesd | Directory containing a file for each of the 16 data directories. |
sectionsd | Directory containing a file for each section. |
Files in the individual module directories are read-only. pefile.dll and files in the directoriesd and sectionsd sub-directories are writable if a write-capable memory acquisition device is used.
The file export.txt contains information about exported functions. The meaning of the columns are as follows:
# Ordinal Offset Address Name ForwardedFunction
===============================================================================
0000 1000 39290 00007ff8892e9290 ---
0001 1001 2e380 00007ff8892de380 I_ScGetCurrentGroupStateW
0002 1002 0 0000000000000000 A_SHAFinal NTDLL.A_SHAFinal
0003 1003 0 0000000000000000 A_SHAInit NTDLL.A_SHAInit
0004 1004 0 0000000000000000 A_SHAUpdate NTDLL.A_SHAUpdate
0005 1005 43710 00007ff8892f3710 AbortSystemShutdownA
0006 1006 437b0 00007ff8892f37b0 AbortSystemShutdownW
...
The file sections.txt contains information about the module PE sections. The meaning of the columns are as follows:
# name memory_address base_offset size page file_offset size
=====================================================================
00 .text 00007ff7959a1000 00001000 0002e338 r-x 00000400 0002e400
...
05 .rsrc 00007ff7959fb000 0005b000 000084f8 r-- 0003b600 00008600
06 .reloc 00007ff795a04000 00064000 00000308 r-- 00043c00 00000400
The example below shows the files in the modules/ADVAPI.dll sub-directory of the connector_ctrl process. All files are related to the ADVAPI.dll module which is loaded into the connector_ctrl process.
Shown in Notepad are the sections of the .DLL. While Ubuntu shows the entry, size, exported functions and the three first imported functions.
[[resources/proc_modules.png]]
The modules sub-directory is implemented as a built-in native C-code plugin. The plugin source is located in the file modules/m_proc_ldrmodules.c in the vmm project.
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。