Flag: Tornado!
Hurricane!
|
|
 Error: Authentication required to access requested resource.
Topic created on: by  .
There could be many issues at hand but:
You can manually walk the LDR_MODULE structs in the PED_LDR_DATA struct as depicted by the windows memory layout https://www.openrce.org/reference_library/files/reference/Windows%20Memory%20Layout,%20User-Kernel%20Address%20Spaces.pdf.
Any reason to expect that there is purposeful module hiding?...or could you have your tool configured wrong?
|
You can also run into problems viewing all loaded modules if you are debugging at the wrong level in terms of x86/x64 on a system where the OS is x64 and the application is x86.
When that happens windows loads the application under it's syswow emulation layer.
If you are debugging using x64 Windbg you will only see the stuff that is run at x64 level (syswow etc). If you run the x86 windbg, then windbg is also running "on top of" the syswow emulation layer but "under" your target program and you will see much more informative and expected output.
Effectively x86 Windbg thinks it's running at the normal OS level and syswow takes care of translating expected calls and structures so that it returns information as if the syswow layer was the OS. Your entire x86 Process, the modules loaded by the target x86 process, and x86 windbg will all be loaded "on top of" the syswow layer.
As a Side note....There are ways to get the x64 windbg to see the stuff on top of the emulation layer but I forget the commands etc.
|
Note: Registration is required to post to the forums.
|
|
|
|
There are 28,224 total registered users.
|
|
![[+] expand](/imagery/files/soysauce_blueprint.gif){kind=link}