Thread: GetModuleHandle

  1. 10-18-2010, 10:34 PM
    #1
    Iamazn (1337)

    GetModuleHandle

    How exactly does GetModuleHandle work? I want to know how it works, mainly exactly what it does.

  2. 10-19-2010, 09:07 PM
    #2
    Waffle (http://pastie.org/1986240)

    Re: GetModuleHandle

    It basically returns a pointer to the module loaded by the calling process, or a null pointer if the module is not loaded. I don't really know why the return value is a handle, but because it is, Windows (probably the kernel) keeps track of it. IIRC, there is a limit to the number of handles to a module, but calling GetModuleHandle does not increase the handle count.

    These links would probably be of more help.

    [link restricted to registered users]
    [link restricted to registered users]

  3. 10-19-2010, 10:45 PM
    #3
    Iamazn (1337)

    Re: GetModuleHandle

    Quote Originally Posted by Waffle
      It basically returns a pointer to the module loaded by the calling process, or a null pointer if the module is not loaded. I don't really know why the return value is a handle, but because it is, Windows (probably the kernel) keeps track of it. IIRC, there is a limit to the number of handles to a module, but calling GetModuleHandle does not increase the handle count.

      These links would probably be of more help.

      [link restricted to registered users]
      [link restricted to registered users]

    Eh, I know what it returns, and what it's used for. I need to know how it works, and how to use ReadProcessMemory to simulate its effects, since VB:
    - Can't use GetModuleHandle on Combat Arms (or any other process)
    - Process.Modules(0).BaseAddress gives me an "access is denied" error (CShell; every other module is shown).

  4. 10-19-2010, 10:46 PM
    #4
    Popkorn (Informed Hacker)

    Re: GetModuleHandle

    Add:
    GetModuleHandle searches the process PEB for the given module name. So if you unlink your module from there or skip over it, GetModuleHandle would find nothing.

    Edit:
    Haven't read your last post...

    As you know now, the process PEB holds the information you want...

    [link restricted to registered users]

    Should help you...

    If the module you want to detect is unlinked from the PEB, you can still find it in other ways (the memory region's image flag is set).

    ~Popkorn
    Last edited by Popkorn; 10-19-2010 at 10:54 PM.

  5. 10-24-2010, 08:50 PM
    #5
    CreditCard (Veteran Hacker)

    Re: GetModuleHandle

    Quote Originally Posted by Iamazn
      Eh, I know what it returns, and what it's used for. I need to know how it works, and how to use ReadProcessMemory to simulate its effects, since VB:
      - Can't use GetModuleHandle on Combat Arms (or any other process)
      - Process.Modules(0).BaseAddress gives me an "access is denied" error (CShell; every other module is shown).

    Change protection of pages:

    VirtualProtect may help.


  6. 11-05-2010, 10:58 PM
    #6
    Ignignokt (Super Noob)

    Re: GetModuleHandle

    Quote Originally Posted by Popkorn
      Add:
      GetModuleHandle searches the process PEB for the given module name. So if you unlink your module from there or skip over it, GetModuleHandle would find nothing.

      Edit:
      Haven't read your last post...

      As you know now, the process PEB holds the information you want...

      [link restricted to registered users]

      Should help you...

      If the module you want to detect is unlinked from the PEB, you can still find it in other ways (the memory region's image flag is set).

      ~Popkorn

    Very good.

    GetModuleHandle acquires the pointer to the PEB and then acquires a pointer to PPEB_LDR_DATA struct which has 3 pointers to the doubly linked lists of all loaded modules. Also as you notated, you can detect if a module has been unlinked by checking memory flags. If you wish to acquire a full module name and path, NtQueryVirtualMemory should do the trick.
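Putting Popkorn's and Ignignokt's replies together from the detection side, here is an added example (my own code, not code from the thread) of the check an anti-tamper or EDR component can run on its own process: walk the PEB loader list that GetModuleHandle consults, enumerate MEM_IMAGE regions with VirtualQuery, and report any mapped image the list does not know about. It assumes the public winternl.h layout of PEB, PEB_LDR_DATA and LDR_DATA_TABLE_ENTRY; the function names are mine.

```c
/* Added example, not from the thread: the self-check an anti-tamper or EDR
 * component can run. It reads the loader list GetModuleHandle consults
 * (PEB -> Ldr -> InMemoryOrderModuleList), then scans memory with
 * VirtualQuery and reports MEM_IMAGE regions whose AllocationBase that list
 * lacks, i.e. images unlinked from the PEB. Only the collectors need Win32. */
#include <stddef.h>
#include <stdint.h>
/* Return the bases present in `images` but absent from `listed`. */
size_t find_unlisted_images(const uintptr_t *listed, size_t n_listed,
                            const uintptr_t *images, size_t n_images,
                            uintptr_t *out, size_t max_out)
{
    size_t found = 0;
    for (size_t i = 0; i < n_images; i++) {
        int known = 0;
        for (size_t j = 0; j < n_listed && !known; j++)
            known = (listed[j] == images[i]);
        if (!known && found < max_out)
            out[found++] = images[i];
    }
    return found;
}
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
/* Walk the in-memory-order list exactly as ntdll links it. */
size_t collect_peb_bases(uintptr_t *out, size_t max_out)
{
    PEB_LDR_DATA *ldr = NtCurrentTeb()->ProcessEnvironmentBlock->Ldr;
    LIST_ENTRY *head = &ldr->InMemoryOrderModuleList, *e = head->Flink;
    size_t n = 0;
    for (; e != head && n < max_out; e = e->Flink)
        out[n++] = (uintptr_t)CONTAINING_RECORD(e, LDR_DATA_TABLE_ENTRY,
                                                InMemoryOrderLinks)->DllBase;
    return n;
}
/* A mapped PE stays MEM_IMAGE whether or not any loader list names it. */
size_t collect_image_bases(uintptr_t *out, size_t max_out)
{
    MEMORY_BASIC_INFORMATION mbi;
    size_t n = 0; uintptr_t p = 0, last = 0;
    while (VirtualQuery((LPCVOID)p, &mbi, sizeof mbi) == sizeof mbi) {
        uintptr_t base = (uintptr_t)mbi.AllocationBase;
        if (mbi.Type == MEM_IMAGE && base != last && n < max_out)
            out[n++] = last = base;
        p = (uintptr_t)mbi.BaseAddress + mbi.RegionSize;
    }
    return n;
}
#endif
```

On Windows, call collect_peb_bases and collect_image_bases and hand both arrays to find_unlisted_images; every base it returns is a mapped image that a PEB-only lookup such as GetModuleHandle would miss.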
