[Vol-users] Working of ldrmodules ?

Jamison Bosco gurujack at gmail.com
Thu Oct 23 05:51:24 CDT 2014


Hello Group,

So am not sure, if I understood, the working of ldrmodules correctly, but
in short, for each process, I imagine it looks at the VAD; and for each dll
found there compares it with the 3 lists in the process PEB and reports
back on any discrepancy.


A snippet, from vadinfo for a process with pid 12128, I can see a dll mapped


VAD node @ 0xfffffa80088378c0 Start 0x0000000000040000 End
0x0000000000040fff Tag Vad
Flags: Protection: 7, VadType: 2
Protection: PAGE_EXECUTE_WRITECOPY
Vad Type: VadImageMap
ControlArea @fffffa8006a86c40 Segment fffff8a00021d4e0
Dereference list: Flink 00000000, Blink 00000000
NumberOfSectionReferences:          1 NumberOfPfnReferences:           1
NumberOfMappedViews:              119 NumberOfUserReferences:        120
WaitingForDeletion Event:  00000000
Control Flags: File: 1, Image: 1
FileObject @fffffa80069c5250, Name: \Windows\System32\apisetschema.dll
First prototype PTE: fffff8a00021d5a8 Last contiguous PTE: fffffffffffffffc
Flags2: Inherit: 1


But ldrmodules (or dlllist) over the image, does not show that dll.

cat ldrmodules.txt | grep -i apiset
cat dlllist.txt | grep -i apiset


The process in question has a pid of 12128, so on a frequency count, there
is a large discrepancy, that I don't understand why.

cat ldrmodules.txt | grep 12128 | wc -l
54

cat vadinfo-12128.txt | grep dll | wc -l
130

Any pointers to a link I should read up on to understand the concepts here.

Should not have ldrmodules, reported on all the dlls that were found as
mapped files in the VAD ?

Thanks,
JB
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.volatilityfoundation.org/pipermail/vol-users/attachments/20141023/24c39f40/attachment.html


More information about the Vol-users mailing list