How to determine DLLs loaded in 64bit process from a 32bit process?

Discussion in 'Windows 64bit' started by Pieter, Jun 7, 2005.

  1. Pieter

    Pieter Guest

    How do I determine information on the DLLs that are loaded in a 64bit
    process from a 32bit process on WIN64?

    If I use PSAPI, I get errors indicating that the virtual memory (of the
    64bit process) was only partially read.
    The ToolHelp API fails even sooner than the PSAPI API.

    My code is similar to the PSAPI example:
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/perfmon/base/enumerating_all_modules_for_a_process.asp


    Any ideas?

    Pieter
     
    Pieter, Jun 7, 2005
    #1

  2. sizeof(HMODULE) is different on 64 bit so these functions can't
    work across 32->64 boundary.
     
    Pavel Lebedinsky [MSFT], Jun 8, 2005
    #2

  3. Pieter

    Pieter Guest

    Maybe I wasn't specific enough, I want the process- and the DLL path names.

    I.e. From my WoW64 WIN32 process, I want to iterate all processes (WoW64
    WIN32 and native WIN64) and determine the path to each EXE and each DLL in
    that EXE.

    Any more ideas?

     
    Pieter, Jun 8, 2005
    #3
  4. Hello Pieter,
    You may want to try depends.exe from the support.cab on the cd.
    Thanks,
    Darrell Gorter[MSFT]

    This posting is provided "AS IS" with no warranties, and confers no rights
     
    Darrell Gorter[MSFT], Jun 8, 2005
    #4
  5. Hello Pieter,
    Posted too quickly, after it's open, choose the view menu and select full
    paths option to get the pathing to the files.
    Thanks,
    Darrell Gorter[MSFT]

    This posting is provided "AS IS" with no warranties, and confers no rights
     
    Darrell Gorter[MSFT], Jun 8, 2005
    #5
  6. Pieter

    Pieter Guest

    Depends shows static dependency information, this does not meet my
    requirements.

    I am interested in which processes are running now, and which DLLs are
    loaded in those processes.

    Any other ideas?

     
    Pieter, Jun 9, 2005
    #6
  7. Pieter

    Jason Durbin Guest

    How about this?

    http://www.sysinternals.com/Utilities/ProcessExplorer.html

    Start up Process Explorer to show active processes, select
    View--->Lower Panel View---> DLLs

    -jd
    j e d @ comcast.net
     
    Jason Durbin, Jun 9, 2005
    #7
  8. Pieter

    Pieter Guest

    I am not looking for utilities, I am looking for C++ code.

    FYI...
    You will notice that process explorer is a WIN32 application, that carries a
    WIN64 application as an embedded binary resource.
    When executing the WIN32 process on a WIN64 system, the WIN32 process
    extracts and launches the embedded WIN64 application.
    Thus it is not a WIN32 application that shows the system information, it is
    actually a WIN64 application.
    They actually go further by also launching a kernel mode driver (also
    embedded as a binary resource) to extract other information that is not
    directly available in usermode.
     
    Pieter, Jun 9, 2005
    #8
  9. Hello Pieter,
    If you just want the dll names then tasklist /m shows that.
    But I am not sure that's everything. It only shows the dlls, not where
    they are located.
    Thanks,
    Darrell Gorter[MSFT]

    This posting is provided "AS IS" with no warranties, and confers no rights
     
    Darrell Gorter[MSFT], Jun 9, 2005
    #9
  10. Pieter

    Pieter Guest

    I am not looking for utilities, I am looking for C++ code.

     
    Pieter, Jun 9, 2005
    #10
  11. I suspect that there is no way to do this. Information about loaded modules
    is maintained in user mode (in the form of linked lists in the PEB) so getting
    to it from another process is a bit tricky. Things like EnumProcessModules
    are not even guaranteed to be 100% reliable since the target process can
    mess with its PEB and change the results. These APIs really exist for use by
    tools like debuggers or tlist.exe, and have inherent limitations when you try
    to use them from a 32 bit process against a 64 one (just like a 32 bit
    debugger would have problems debugging a 64 bit target).
     
    Pavel Lebedinsky [MSFT], Jun 11, 2005
    #11
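
As an added example (not code from any poster in this thread), the C program below walks a loader module list using fixed-width 64-bit structures and a bounded loop, so a tampered list that never closes is rejected, and it shows a module base that does not fit a 32-bit HMODULE, the point made in reply #2. The memory image, addresses, `read_target64` and the other function names are constructed for illustration; on a real system the read callback would be whatever cross-process read primitive is available, and path names would be fetched the same way through the `FullDllName` buffer pointer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint64_t Flink, Blink; } LIST64;  /* fixed-width LIST_ENTRY */
typedef struct {                                   /* 64-bit loader entry */
    LIST64   InLoadOrder, InMemoryOrder, InInitOrder;         /* 0x00, 0x10, 0x20 */
    uint64_t DllBase, EntryPoint; uint32_t SizeOfImage, Pad;  /* 0x30, 0x38, 0x40 */
    uint64_t FullDllName[2], BaseDllName[2];  /* 0x48, 0x58: UNICODE_STRING64 slots */
} LDR_ENTRY64;
#define IMG_BASE    0x00007FF600000000ULL  /* constructed target address */
#define HEAD        (IMG_BASE + 0x10)      /* constructed list head */
#define MAX_MODULES 512                    /* bound: the list is untrusted */
uint8_t img[0x300]; uint64_t bases[MAX_MODULES];  /* constructed memory; walk output */
/* A 32-bit HMODULE keeps only the low 32 bits of a 64-bit module base. */
int fits_hmodule32(uint64_t base) { return (uint64_t)(uint32_t)base == base; }

/* Hypothetical read primitive: 0 on success, -1 if outside the image. */
int read_target64(uint64_t addr, void *out, size_t len) {
    if (len > sizeof img || addr < IMG_BASE || addr - IMG_BASE > sizeof img - len) return -1;
    memcpy(out, img + (addr - IMG_BASE), len);
    return 0;
}

/* Module count, or -1 on a failed read or a list that never closes. */
int walk_modules(void) {
    LIST64 head; LDR_ENTRY64 e; int n = 0;
    if (read_target64(HEAD, &head, sizeof head)) return -1;
    for (uint64_t cur = head.Flink; cur != HEAD; cur = e.InLoadOrder.Flink) {
        if (n >= MAX_MODULES || read_target64(cur, &e, sizeof e)) return -1;
        bases[n++] = e.DllBase;
    }
    return n;
}

/* Builds a two-module list; tamper=1 points the last Flink back at entry 1. */
int sample_count(int tamper) {
    LIST64 head = { IMG_BASE + 0x100, IMG_BASE + 0x200 };
    LDR_ENTRY64 a = { .InLoadOrder = { IMG_BASE + 0x200 }, .DllBase = 0x00007FF6ABCD0000ULL };
    LDR_ENTRY64 b = { .InLoadOrder = { tamper ? IMG_BASE + 0x100 : HEAD }, .DllBase = 0x00007FFB12340000ULL };
    memcpy(img + 0x10, &head, sizeof head);
    memcpy(img + 0x100, &a, sizeof a);
    memcpy(img + 0x200, &b, sizeof b);
    return walk_modules();
}

int main(void) {
    int n = sample_count(0), fits = fits_hmodule32(bases[0]);
    return printf("%d modules, fits32=%d, tampered=%d\n", n, fits, sample_count(1)) < 0;
}
```
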
  12. Pieter

    Pieter Guest

    Thanks, direct exploration of the PEB was my next avenue of research.

    In the June 2005 issue of C/C++ users journal:
    http://www.cuj.com/documents/s=8188/cuj0506brown/
    There is an article that mentions interesting looking functions, if I
    interpret the names correctly, I should be able to view the PEB of a 64bit
    process from my 32bit process.

    Do you have any more information on the undocumented:
    NtWow64QueryInformationProcess64()
    NtWow64QueryVirtualMemory64()
    NtWow64ReadVirtualMemory64()


    Pieter

     
    Pieter, Jun 12, 2005
    #12