[Vol-users] Working of ldrmodules ?
gurujack at gmail.com
Thu Oct 23 05:51:24 CDT 2014
So I am not sure if I understood the working of ldrmodules correctly, but
in short, for each process, I imagine it looks at the VAD, and for each DLL
found there compares it with the 3 lists in the process PEB and reports
back on any discrepancy.
A snippet from vadinfo for a process with pid 12128, where I can see a DLL mapped:
VAD node @ 0xfffffa80088378c0 Start 0x0000000000040000 End 0x0000000000040fff Tag Vad
Flags: Protection: 7, VadType: 2
Vad Type: VadImageMap
ControlArea @fffffa8006a86c40 Segment fffff8a00021d4e0
Dereference list: Flink 00000000, Blink 00000000
NumberOfSectionReferences: 1 NumberOfPfnReferences: 1
NumberOfMappedViews: 119 NumberOfUserReferences: 120
WaitingForDeletion Event: 00000000
Control Flags: File: 1, Image: 1
FileObject @fffffa80069c5250, Name: \Windows\System32\apisetschema.dll
First prototype PTE: fffff8a00021d5a8 Last contiguous PTE: fffffffffffffffc
Flags2: Inherit: 1
But ldrmodules (or dlllist) over the image does not show that DLL.
cat ldrmodules.txt | grep -i apiset
cat dlllist.txt | grep -i apiset
The process in question has a pid of 12128, so on a frequency count there
is a large discrepancy that I don't understand.
cat ldrmodules.txt | grep 12128 | wc -l
cat vadinfo-12128.txt | grep dll | wc -l
Any pointers to a link I should read up on to understand the concepts here?
Should ldrmodules not have reported on all the DLLs that were found as
mapped files in the VAD?
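As an added illustration of the cross-reference described in the post above (example code, not Volatility's own ldrmodules implementation), the following Python model walks a process's image-mapped VAD nodes and checks each module base against the three PEB loader lists, then prints the result in an ldrmodules-style table. The VAD entries, list contents, pid and process name are constructed sample values.

```python
from collections import namedtuple

# Constructed sample data (not from a real memory image): image-mapped VAD
# nodes of one process, as (base address, mapped file path).
VAD_IMAGES = [
    (0x7FF7A0000000, r"\Windows\System32\notepad.exe"),
    (0x7FFB1E000000, r"\Windows\System32\ntdll.dll"),
    (0x7FFB1C000000, r"\Windows\System32\kernel32.dll"),
    (0x40000, r"\Windows\System32\apisetschema.dll"),
]

# Constructed contents of the three PEB->Ldr lists, keyed by module base.
PEB_LISTS = {
    "InLoad": {0x7FF7A0000000, 0x7FFB1E000000, 0x7FFB1C000000},
    "InInit": {0x7FFB1E000000, 0x7FFB1C000000},  # the main exe is never here
    "InMem": {0x7FF7A0000000, 0x7FFB1E000000, 0x7FFB1C000000},
}

Row = namedtuple("Row", "base in_load in_init in_mem path")


def cross_reference(vad_images, peb_lists):
    """One row per image-mapped VAD, flagging presence in each PEB list."""
    return [
        Row(base, base in peb_lists["InLoad"], base in peb_lists["InInit"],
            base in peb_lists["InMem"], path)
        for base, path in vad_images
    ]


def unlinked(rows):
    """Images mapped in the VAD but absent from all three loader lists."""
    return [r for r in rows if not (r.in_load or r.in_init or r.in_mem)]


def format_table(pid, name, rows):
    """Render rows in the column layout ldrmodules uses."""
    lines = ["Pid  Process  Base               InLoad InInit InMem  MappedPath"]
    for r in rows:
        lines.append(f"{pid:<4} {name:<8} {r.base:#018x} {str(r.in_load):<6} "
                     f"{str(r.in_init):<6} {str(r.in_mem):<6} {r.path}")
    return "\n".join(lines)


if __name__ == "__main__":
    table = cross_reference(VAD_IMAGES, PEB_LISTS)
    print(format_table(12128, "notepad", table))
    for r in unlinked(table):
        print("not in any PEB list:", r.path)
```

The main executable showing InInit False is the expected case; a module present in the VAD but absent from all three lists is the discrepancy the post asks about.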