//thanks for powerful windbg~
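/*
 * Locate the loader entry for hModule inside the target process.
 *
 * Walks the target's PEB -> Ldr -> InMemoryOrderModuleList with
 * ReadProcessMemory and copies the matching LDR_DATA_TABLE_ENTRY into
 * *pLdrData.  hModule == NULL selects the main executable, i.e. the PEB's
 * ImageBaseAddress.
 *
 * Returns TRUE when hModule was found.  Returns FALSE with the last error
 * set when the process cannot be queried or read, or with
 * ERROR_INVALID_HANDLE when the loader data is missing, the list was walked
 * to its end, or the walk hit the entry cap without a match.
 *
 * Everything read here lives in another process and is treated as untrusted
 * data: remote pointers are only ever dereferenced through ReadProcessMemory,
 * and the walk is capped so a corrupt or cyclic list cannot spin forever.
 */
BOOL FindModule(HANDLE hProcess, HMODULE hModule, PLDR_DATA_TABLE_ENTRY pLdrData)
{
    /* Upper bound on list entries visited; a sane process has far fewer modules. */
    enum { MAX_LIST_ENTRIES = 10000 };

    PROCESS_BASIC_INFORMATION pbi;
    PPEB_LDR_DATA pPebLdr = NULL;
    PLIST_ENTRY pHead;
    PLIST_ENTRY pListEntry = NULL;
    NTSTATUS Status;
    DWORD i;

    Status = NtQueryInformationProcess(hProcess, ProcessBasicInformation,
                                       &pbi, sizeof(pbi), NULL);
    if (!NT_SUCCESS(Status)) {
        SetLastError(RtlNtStatusToDosError(Status));
        return FALSE;
    }

    /* NULL means "the main module": resolve its base from the remote PEB. */
    if (hModule == NULL) {
        if (!ReadProcessMemory(hProcess, &pbi.PebBaseAddress->ImageBaseAddress,
                               &hModule, sizeof(hModule), NULL)) {
            return FALSE;
        }
    }

    if (!ReadProcessMemory(hProcess, &pbi.PebBaseAddress->Ldr,
                           &pPebLdr, sizeof(pPebLdr), NULL)) {
        return FALSE;
    }

    /* No loader data yet (process not fully initialised): nothing to search. */
    if (pPebLdr == NULL) {
        SetLastError(ERROR_INVALID_HANDLE);
        return FALSE;
    }

    /*
     * pHead is a remote address and is never dereferenced locally; it is only
     * compared against the links we read back.  Reading sizeof(PLIST_ENTRY)
     * bytes at the head yields its first field, Flink.
     */
    pHead = &pPebLdr->InMemoryOrderModuleList;
    if (!ReadProcessMemory(hProcess, pHead, &pListEntry, sizeof(pListEntry), NULL)) {
        return FALSE;
    }

    for (i = 0; pListEntry != pHead; i++) {
        /*
         * The original guard (`if (++i <= 10000) continue;`) never left the
         * loop; this one actually stops the walk on a cyclic/corrupt list.
         */
        if (i >= MAX_LIST_ENTRIES) {
            break;
        }

        /*
         * InMemoryOrderLinks is the second LIST_ENTRY in LDR_DATA_TABLE_ENTRY,
         * so the entry itself starts one LIST_ENTRY before the link we hold.
         */
        if (!ReadProcessMemory(hProcess, (PBYTE)pListEntry - sizeof(LIST_ENTRY),
                               pLdrData, sizeof(*pLdrData), NULL)) {
            return FALSE;
        }

        if (pLdrData->DllBase == hModule) {
            return TRUE;
        }

        pListEntry = pLdrData->InMemoryOrderLinks.Flink;
    }

    SetLastError(ERROR_INVALID_HANDLE);
    return FALSE;
}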
// Alias for K32GetModuleFileNameExW on Windows 7
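/*
 * Copy the full path of hModule (in hProcess) into lpFileName.
 *
 * The path is taken from the module's LDR_DATA_TABLE_ENTRY.FullDllName in
 * the target process via FindModule.  nSize is the size of lpFileName in
 * WCHARs, as for K32GetModuleFileNameExW.
 *
 * Returns the number of WCHARs written, excluding the terminator, when the
 * whole path fit.  When the buffer is too small the path is truncated, still
 * NUL-terminated, and nSize is returned so the caller can detect truncation
 * by comparing the result with nSize.  Returns 0 on failure (last error set
 * by FindModule / ReadProcessMemory) and when nSize is 0.
 */
DWORD GetModuleFileNameExW(HANDLE hProcess, HMODULE hModule, LPWSTR lpFileName, DWORD nSize)
{
    LDR_DATA_TABLE_ENTRY LdrData;
    DWORD cchName;
    DWORD cchCopy;

    if (!FindModule(hProcess, hModule, &LdrData)) {
        return 0;
    }

    /* No room even for a terminator: nothing can be written. */
    if (nSize == 0) {
        return 0;
    }

    /*
     * UNICODE_STRING.Length is in bytes and excludes any terminator, and the
     * remote buffer is not guaranteed to be NUL-terminated.  Only Length bytes
     * are therefore read and the terminator is written locally, instead of
     * reading one extra WCHAR past Length from the target.  Working in
     * WCHARs rather than doubling nSize also avoids the DWORD wrap the old
     * `nSize += nSize` had for very large nSize.
     */
    cchName = LdrData.FullDllName.Length / sizeof(WCHAR);

    if (cchName < nSize) {
        cchCopy = cchName;        /* whole path plus terminator fits */
    } else {
        cchCopy = nSize - 1;      /* truncate, keep room for the terminator */
    }

    /* Buffer is a remote pointer; ReadProcessMemory validates it for us. */
    if (cchCopy > 0 &&
        !ReadProcessMemory(hProcess, LdrData.FullDllName.Buffer, lpFileName,
                           cchCopy * sizeof(WCHAR), NULL)) {
        return 0;
    }

    lpFileName[cchCopy] = L'\0';

    return (cchName < nSize) ? cchName : nSize;
}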