Solved

Get import table of a running process

Posted on 2003-11-11
16
1,012 Views
Last Modified: 2012-06-27
Hello,

I know the handle of an running process (  hProcess := OpenProcess(AccessRights, FALSE, PID); ) and I want to know which DLL files it have loaded. I do not want to know which DLL is in the process space of this running process (injected DLLs can be also in the process space, but injected DLLs are not loaded from a process, because injected DLLs are injected to the process.)
That means I can not use EnumProcessModules or Module32First, because these functions also enumerate the injected DLLs.
A solution could be to get the import table of this running process and look for the DLLs which the process is using. How can I do this? The .exe file of the running process is compressed, so I have to get the import table from the process in memory - not from the .exe file.
The solution should work on Windows NT (Win9x would be fine).

Thanky you for your answer for this difficult question
Ben

BTW: I think, here you can found something similar: Look for "function GetProcAddress32" at http://www.delphipages.com/news/detaildocs.cfm?ID=17
or look for "FindCallerModuleHandle" on http://groups.google.com

0
Comment
Question by:bengore
  • 8
  • 4
  • 2
16 Comments
 
LVL 6

Accepted Solution

by:
GloomyFriar earned 250 total points
ID: 9721872
In a "running process" there is no differences between "loaded" and "injected" DLLs.
0
 
LVL 6

Expert Comment

by:GloomyFriar
ID: 9721884
"import table" may contain not all DLLs. How about DLLs loaded by LoadLibrary?
0
 
LVL 6

Expert Comment

by:GloomyFriar
ID: 9721901
Could you tell more detailed what do you want to make?
0
Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 

Author Comment

by:bengore
ID: 9721915
GloomyFriar, thank you for your comments.
How about DLLs linked static (not loaded by LoadLibrary). Is there a way to get this DLLs via "import table"?
0
 

Author Comment

by:bengore
ID: 9721974
More details? I have a DLL file. I want to know if a processes (somethimes with comressed .exe files) needs this DLL file (static linked).
0
 
LVL 6

Assisted Solution

by:DaFox
DaFox earned 250 total points
ID: 9722777
In Jeffrey Richter's book there is a DLL called ImgWalk.dll (lists all DLLs used by a process).

Markus
0
 

Author Comment

by:bengore
ID: 9723271
DaFox, I think ImgWalk.dll use EnumProcessModules or Module32First and enumerate also injected DLLs.
0
 
LVL 6

Expert Comment

by:DaFox
ID: 9723316
>> I think ImgWalk.dll use EnumProcessModules or Module32First

nope, it uses VirtualQuery that fills the MEMORY_BASIC_INFORMATION structure.

>> injected DLLs

that's right, and therefore it also gets dynamically loaded dlls.

Markus
0
 
LVL 6

Expert Comment

by:GloomyFriar
ID: 9724609
>How about DLLs linked static (not loaded by LoadLibrary). Is there a way to get this DLLs via "import table"?
Yes of course.
You just need to open the exe file and read its PE header.
0
 
LVL 6

Expert Comment

by:GloomyFriar
ID: 9724711
Something like that (it work with running exe, but you can do the same with a file):

function FindUsablePage(hProcess: THANDLE; PProcessBase: pointer): pointer;
var peHdrOffset: DWORD;
    cBytesMoved: DWORD;
    ntHdr: IMAGE_NT_HEADERS;
    pSection: ^IMAGE_SECTION_HEADER;
    i: ULONG;
    tmpPtr: PBYTE;
    section: IMAGE_SECTION_HEADER;
    SecName: string;
begin
   Result := nil;

   // Read in the offset of the PE header within the debuggee
   tmpPtr := PBYTE(PProcessBase);
   inc(tmpPtr, $3C);
   if ReadProcessMemory(ProcessInformation.hProcess,
                        tmpPtr,
                        @peHdrOffset,
                        sizeof(peHdrOffset),
                        cBytesMoved) = False then Exit;

   // Read in the IMAGE_NT_HEADERS.OptionalHeader.BaseOfCode field
   tmpPtr := PBYTE(PProcessBase);
   inc(tmpPtr, peHdrOffset);
   if ReadProcessMemory(ProcessInformation.hProcess,
                        tmpPtr, @ntHdr, sizeof(ntHdr),
                        cBytesMoved) = False then Exit;

   tmpPtr := PBYTE(PProcessBase);
   inc(tmpPtr, peHdrOffset + 4 + sizeof(ntHdr.FileHeader) +
       ntHdr.FileHeader.SizeOfOptionalHeader);
   pSection := pointer(tmpPtr);//(PIMAGE_SECTION_HEADER)

  for i:=0 to Pred(ntHdr.FileHeader.NumberOfSections) do begin
     //{IMAGE_SECTION_HEADER section;
     if ReadProcessMemory(ProcessInformation.hProcess,
                          pSection, @section, sizeof(section),
                          cBytesMoved) = False then Exit;
     // OutputDebugString( "trying section:
     // OutputDebugString( section.Name )'
     // OutputDebugString( "\r\n" )'

     SecName := StrPas(@section.Name[0]);
     // If it's writeable, and not the .idata section, we'll go with it
     if(((section.Characteristics and IMAGE_SCN_MEM_WRITE) <> 0) and
        (StrLComp(@section.Name[0], '.idata', 6) <> 0)) then begin
         OutputDebugString(PChar('using section.' + StrPas(@section.Name[0]) + #10 + #13));
        Result := pointer(DWORD(PProcessBase) + section.VirtualAddress);
        //Exit;
     end;
     Inc(pSection); // Not this section. Advance to next section.
  end;
end;
0
 
LVL 6

Expert Comment

by:GloomyFriar
ID: 9724775
0
 
LVL 6

Expert Comment

by:GloomyFriar
ID: 9724991
Here is the code that read exports, but it's rather easy to make it read imports.
If any problems I'll can help tomorrow.

http://www.experts-exchange.com/Programming/Programming_Languages/Delphi/Q_20079575.html
0
 

Author Comment

by:bengore
ID: 9729404
Hi GloomyFriar, thank you for your FindUsablePage source and the other links. I will check it.

> You just need to open the exe file and read its PE header.
This is not usefull, if the .exe file is compressed.
0
 
LVL 6

Expert Comment

by:GloomyFriar
ID: 9733230
>This is not usefull, if the .exe file is compressed.
Which compressor is used?
Are you sure that import sections is changed by the compressor?
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Delphi TcxGrid group footer summary 3 323
Delphi: how to send PJL commands to printer 3 109
Convert MS Word document to a PDF file 9 92
Firemonkey allowing RTL on android 6 47
Introduction The parallel port is a very commonly known port, it was widely used to connect a printer to the PC, if you look at the back of your computer, for those who don't have newer computers, there will be a port with 25 pins and a small print…
Creating an auto free TStringList The TStringList is a basic and frequently used object in Delphi. On many occasions, you may want to create a temporary list, process some items in the list and be done with the list. In such cases, you have to…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question