uLib  User mode C/C++ extended API library for Win32 programmers.
Experimental and Supplementary APIs

Module Description

These APIs are based on NTDLL functions.

Typedefs

typedef bool(__stdcall * PFnEnumModuleAction) (HANDLE hProcess, const PLDR_MODULE pModule, PVOID Context)
 

Functions

PPEB GetPEBAddress (HANDLE hProcess)
 
bool GetProcPEB (HANDLE hProcess, OUT PPEB pPeb)
 
bool GetProcPathname (DWORD procId, OUT TSTR PathName, UINT ccPathName)
 
bool CopyProcUStringBuf (HANDLE hProc, PUNICODE_STRING pProcStr, OUT WSTR wzBuf, UINT ccBuf)
 
UINT GetProcDllData (HANDLE hProcess, WCSTR DllName, OUT PLDR_MODULE pModule, bool Localize)
 
void FreeLdrModBuffers (PLDR_MODULE pMod)
 
UINT EnumProcModules (HANDLE hProcess, PFnEnumModuleAction Action, PVOID Context)
 

Typedef Documentation

◆ PFnEnumModuleAction

typedef bool(__stdcall * PFnEnumModuleAction) (HANDLE hProcess, const PLDR_MODULE pModule, PVOID Context)

PFnEnumModuleAction is the action callback for EnumProcModules().

Your callback receives a pointer to an LDR_MODULE struct for each DLL.
Note that the very first one represents the hProcess executable itself.
Note also that the module name strings in pModule are not imported,
for performance reasons. If you need them, you may use CopyProcUStringBuf().

The callback should return true to continue enumeration, or false to stop.

Definition at line 162 of file NtFunc.h.

Function Documentation

◆ GetPEBAddress()

PPEB GetPEBAddress ( HANDLE  hProcess)

Get the PEB address in hProcess memory space.

Definition at line 80 of file NtFunc.cpp.

◆ GetProcPEB()

bool GetProcPEB ( HANDLE  hProcess,
OUT PPEB  pPeb 
)

Copy the PEB of hProcess into caller's buffer.

◆ GetProcPathname()

bool GetProcPathname ( DWORD  procId,
OUT TSTR  PathName,
UINT  ccPathName 
)

GetProcPathname retrieves the full pathname for a given process Id.

PathName is the receiving buffer, and ccPathName is its length, in chars.
On error it returns false, and GetLastError() returns the error code.

GetProcPathname requires only PROCESS_QUERY_LIMITED_INFORMATION,
so it's leaner than GetModuleFileNameEx(), more concise than GetProcessImageFileName(),
and, unlike QueryFullProcessImageName(), doesn't require Vista.

Definition at line 294 of file NtFunc.cpp.

◆ CopyProcUStringBuf()

bool CopyProcUStringBuf ( HANDLE  hProc,
PUNICODE_STRING  pProcStr,
OUT WSTR  wzBuf,
UINT  ccBuf 
)

[PRELIMINARY] CopyProcUStringBuf copies the Buffer content of a
UNICODE_STRING in another process (e.g. from its PEB or an LDR_MODULE).
The copied string will always be null terminated.
Note that the addresses held in pProcStr must lie in hProc's virtual address space.
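
The following is an added, stand-alone C model of what a CopyProcUStringBuf-style routine has to get right; it is not uLib's code. The names RemoteUnicodeString, copy_remote_ustring, FakeProcess, fake_read and demo_copy are all hypothetical, and fake_read stands in for ReadProcessMemory() so the example runs anywhere. It shows the three points a practitioner cares about: Length is in bytes and comes from the target process (so it is untrusted), Buffer is a remote address that must never be dereferenced locally, and the result is always truncated to the caller's buffer and null terminated, even when the remote read fails.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint16_t WCHAR16;              /* stands in for WCHAR (one UTF-16 code unit) */
/* Same layout idea as UNICODE_STRING: lengths are in BYTES, Buffer is an address
 * in the target process, so it is carried as an integer and never dereferenced here. */
typedef struct { uint16_t Length; uint16_t MaximumLength; uintptr_t Buffer; } RemoteUnicodeString;
/* Remote-read abstraction; on Windows this would wrap ReadProcessMemory(). */
typedef bool (*ReadRemoteFn)(void *ctx, uintptr_t addr, void *dst, size_t cb);

/* Copy the string's characters into dst (ccDst WCHARs). Returns the count copied
 * (terminator excluded) or (size_t)-1 on failure. dst is always terminated. */
size_t copy_remote_ustring(ReadRemoteFn read, void *ctx, const RemoteUnicodeString *us, WCHAR16 *dst, size_t ccDst)
{
    if (!dst || ccDst == 0) return (size_t)-1;
    size_t cc = us->Length / sizeof(WCHAR16);   /* Length comes from the target: untrusted */
    if (cc > ccDst - 1) cc = ccDst - 1;         /* clamp so the terminator always fits */
    if (cc > 0 && (us->Buffer == 0 || !read(ctx, us->Buffer, dst, cc * sizeof(WCHAR16)))) {
        dst[0] = 0;                             /* bad pointer or unreadable page: empty, terminated */
        return (size_t)-1;
    }
    dst[cc] = 0;
    return cc;
}

/* Constructed stand-in for a target process: a flat byte image, addresses are offsets. */
typedef struct { const uint8_t *image; size_t size; } FakeProcess;

static bool fake_read(void *ctx, uintptr_t addr, void *dst, size_t cb)
{
    const FakeProcess *p = ctx;
    if (addr > p->size || cb > p->size - addr) return false;  /* fail like an unmapped page */
    memcpy(dst, p->image + addr, cb);
    return true;
}

/* Demo: "ntdll.dll" as an unterminated little-endian UTF-16 string at offset 16 of a
 * 64-byte image. remoteLength lets the caller feed a bogus Length from the "target". */
size_t demo_copy(uint16_t remoteLength, WCHAR16 *out, size_t ccOut)
{
    uint8_t image[64] = {0};
    const char *name = "ntdll.dll";
    for (size_t i = 0; name[i]; i++) image[16 + 2 * i] = (uint8_t)name[i];
    FakeProcess proc = { image, sizeof image };
    RemoteUnicodeString us = { remoteLength, remoteLength, 16 };
    return copy_remote_ustring(fake_read, &proc, &us, out, ccOut);
}
```

With a 4-WCHAR destination the copy yields "ntd" plus the terminator, and a corrupt Length of 0xFFFE makes the remote read fail instead of overrunning the local buffer.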

◆ GetProcDllData()

UINT GetProcDllData ( HANDLE  hProcess,
WCSTR  DllName,
OUT PLDR_MODULE  pModule,
bool  Localize 
)

[PRELIMINARY] GetProcDllData locates the LDR entry for DllName in hProcess.

If found, it returns the number of bytes copied to the caller's LDR_MODULE buffer.
If not, it sets pModule->SizeOfImage = 0 and returns zero.

Localize specifies whether to duplicate the name strings from the target process into local buffers in the LDR_MODULE.
Note: If the function succeeds and Localize is true, you must pass the LDR_MODULE to FreeLdrModBuffers() when done.

◆ FreeLdrModBuffers()

void FreeLdrModBuffers ( PLDR_MODULE  pMod)

[PRELIMINARY] Free the unicode string buffers allocated by GetProcDllData().

Definition at line 282 of file NtFunc.cpp.

◆ EnumProcModules()

UINT EnumProcModules ( HANDLE  hProcess,
PFnEnumModuleAction  Action,
PVOID  Context 
)

[PRELIMINARY] EnumProcModules enumerates loaded modules in hProcess.

Context is anything your callback may need, or NULL if not needed.
Note: You need sufficient privileges to do this.

Definition at line 126 of file NtFunc.cpp.