Process Hacker and Windows discussion

Chrome
New User
Posts: 1
Joined: 11 Jun 2020 20:31
OS: Windows 10

How does Process Hacker Work

11 Jun 2020 20:37

Hello,

Process Hacker is a very useful tool when exploring Windows Programs.

I have a quick question strictly from a curiosity standpoint. How does Process Hacker enumerate the .NET DLLs loaded by a process? For IIS specifically, I can check out the DLLs loaded by the w3wp.exe process, which is the worker thread for IIS, and I can see the .NET DLLs loaded. I am not able to reproduce this using the standard procedure of hooking into the process and enumerating the loaded modules. Just curious how that's accomplished, for a specific project I'm working on.

Thanks for all the help! Cheers
 
dmex
Admin
Posts: 1552
Joined: 17 Jan 2011 05:43
Location: Australia

Re: How does Process Hacker Work

15 Jun 2020 05:44

I am not able to reproduce this using the standard procedure of hooking into the process and enumerating the loaded modules.

Process Hacker doesn't use hooks at all and you won't reproduce the same behaviour by hooking the process. Win32 API hooks also won't work because .NET is hard-coded into the loader and it won't use win32 functions when mapping the images.

Just curious how that's accomplished, for a specific project I'm working on.

1) EnumProcessModulesEx with the LIST_MODULES_ALL flag returns the exact same modules as Process Hacker.
2) Typecast "HMODULE lphModule" parameter to "PVOID Base"
3) Call ImageDirectoryEntryToData with PVOID Base and check IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR.VirtualAddress != 0

EnumProcessModulesEx returns exactly the same data, but .NET detection requires checking the image directory VirtualAddress.
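The three steps above as a worked example. This is added code, not Process Hacker's source and not dmex's, and it makes two assumptions: the "is this module managed?" test is done by walking the PE headers to data directory entry 14 (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, the slot that points at the IMAGE_COR20_HEADER) in plain C instead of calling ImageDirectoryEntryToData, so the check also compiles off Windows; and on Windows the header bytes are copied out of the target with ReadProcessMemory, because the HMODULE returned by EnumProcessModulesEx is a base address in the target process, not in ours (ImageDirectoryEntryToData only works on a base mapped in the calling process). The caller is assumed to open the target with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ. The non-Windows path only exercises the header check against a constructed PE32+ image built in memory, which is sample input and not a real module.

```c
/* Added example: detect managed (.NET) modules by their CLR data directory. */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define DIR_ENTRY_COM_DESCRIPTOR 14   /* IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR */

static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Returns 1 if the PE header in hdr has a non-zero VirtualAddress in data
 * directory 14 (a managed image), 0 for a native image, -1 if the bytes are
 * not a well-formed PE header. Every read is bounded by len. */
int pe_is_managed(const uint8_t *hdr, size_t len)
{
    if (len < 0x40 || rd16(hdr) != 0x5A4D) return -1;              /* "MZ" */
    uint32_t nt = rd32(hdr + 0x3C);                                 /* e_lfanew */
    if (nt > len - 24 || rd32(hdr + nt) != 0x00004550) return -1;   /* "PE\0\0" */
    uint32_t opt = nt + 24;                                         /* optional header */
    uint16_t opt_size = rd16(hdr + nt + 20);                        /* SizeOfOptionalHeader */
    if (opt_size < 2 || opt + opt_size > len) return -1;
    uint16_t magic = rd16(hdr + opt);
    uint32_t n_dirs_off, dirs_off;
    if (magic == 0x10B)      { n_dirs_off = 92;  dirs_off = 96;  }  /* PE32  */
    else if (magic == 0x20B) { n_dirs_off = 108; dirs_off = 112; }  /* PE32+ */
    else return -1;
    if (opt_size < n_dirs_off + 4) return -1;
    uint32_t n_dirs = rd32(hdr + opt + n_dirs_off);                 /* NumberOfRvaAndSizes */
    if (n_dirs <= DIR_ENTRY_COM_DESCRIPTOR) return 0;               /* no CLR slot: native */
    uint32_t entry = opt + dirs_off + DIR_ENTRY_COM_DESCRIPTOR * 8; /* {VirtualAddress, Size} */
    if (entry + 8 > opt + opt_size) return -1;
    return rd32(hdr + entry) != 0;                                  /* VirtualAddress != 0 */
}

/* Constructed sample input: a minimal PE32+ header, not a real module. With
 * managed != 0, directory 14 points at a (fictional) CLR header RVA. */
size_t build_sample_pe(uint8_t *buf, size_t cap, int managed)
{
    const uint32_t nt = 0x80, opt = nt + 24;
    const uint16_t opt_size = 240, magic = 0x20B;                   /* PE32+ optional header */
    const uint32_t n_dirs = 16, rva = 0x2008, size = 0x48;          /* 0x48 = sizeof(IMAGE_COR20_HEADER) */
    size_t total = opt + opt_size;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    memcpy(buf + 0x3C, &nt, 4);
    buf[nt] = 'P'; buf[nt + 1] = 'E';
    memcpy(buf + nt + 20, &opt_size, 2);
    memcpy(buf + opt, &magic, 2);
    memcpy(buf + opt + 108, &n_dirs, 4);
    if (managed) {
        memcpy(buf + opt + 112 + DIR_ENTRY_COM_DESCRIPTOR * 8, &rva, 4);
        memcpy(buf + opt + 112 + DIR_ENTRY_COM_DESCRIPTOR * 8 + 4, &size, 4);
    }
    return total;
}

/* Builds one constructed sample and classifies it (1 managed, 0 native). */
int sample_is_managed(int managed)
{
    uint8_t img[512];
    size_t n = build_sample_pe(img, sizeof img, managed);
    return pe_is_managed(img, n);
}

#ifdef _WIN32
#include <windows.h>
#include <psapi.h>
/* Steps 1-3 from the reply: enumerate with LIST_MODULES_ALL, treat each HMODULE
 * as the module base in the target process, copy its headers out with
 * ReadProcessMemory and test data directory 14. Prints one line per module. */
void list_managed_modules(HANDLE process)
{
    HMODULE mods[1024]; DWORD needed = 0;
    if (!EnumProcessModulesEx(process, mods, sizeof mods, &needed, LIST_MODULES_ALL)) return;
    DWORD count = needed / sizeof(HMODULE);
    if (count > 1024) count = 1024;
    for (DWORD i = 0; i < count; i++) {
        uint8_t hdr[4096]; SIZE_T got = 0; char path[MAX_PATH] = "?";
        PVOID base = (PVOID)mods[i];                                /* step 2: HMODULE -> base */
        if (!ReadProcessMemory(process, base, hdr, sizeof hdr, &got)) continue;
        GetModuleFileNameExA(process, mods[i], path, sizeof path);
        printf("%s %p %s\n", pe_is_managed(hdr, got) == 1 ? "[.NET]  " : "[native]", base, path);
    }
}
#endif

int main(int argc, char **argv)
{
#ifdef _WIN32
    if (argc == 2) {   /* usage: managedmods.exe <pid>   (e.g. the w3wp.exe PID) */
        HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, (DWORD)atoi(argv[1]));
        if (!h) { fprintf(stderr, "OpenProcess failed: %lu\n", GetLastError()); return 1; }
        list_managed_modules(h); CloseHandle(h); return 0;
    }
#endif
    (void)argc; (void)argv;
    printf("constructed managed image: %d\n", sample_is_managed(1));
    printf("constructed native image:  %d\n", sample_is_managed(0));
    return 0;
}
```

On Windows, build with psapi.lib linked and run it against the w3wp.exe PID; the header read is limited to the first 4096 bytes, which covers the DOS, NT and optional headers of any normally laid-out image. A module whose NumberOfRvaAndSizes is 14 or less has no CLR slot and is reported native without reading past the directory array.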