In fact, once the detailed definition of the LDR_MODULE structure is clear, these questions answer themselves.
typedef struct _LDR_MODULE {

    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
    PVOID BaseAddress;
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    SHORT LoadCount;
    SHORT TlsIndex;
    LIST_ENTRY HashTableEntry;
    ULONG TimeDateStamp;

} LDR_MODULE, *PLDR_MODULE;

Its relevant members are described as follows:
InLoadOrderModuleList:
Pointers to previous and next LDR_MODULE in load order.
InMemoryOrderModuleList:
Pointers to previous and next LDR_MODULE in memory placement order.
InInitializationOrderModuleList:
Pointers to previous and next LDR_MODULE in initialization order.
BaseAddress:
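Module base address, also known as HMODULE.
The following diagram illustrates this structure:
As the diagram shows, the three linked-list structures are shared by PEB_LDR_DATA and LDR_MODULE. With that understood, the code given earlier for obtaining the load address of kernel32.dll becomes easy to follow.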
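The shared lists described above, as an added example that is not code from the original page: the list heads and the LIST_ENTRY members of each LDR_MODULE form the same three rings, so a walk must subtract the offset of whichever member it followed to reach the start of the record. The `ldr` head struct, `nth_base`, `build_sample` and the base addresses are constructed for illustration, and the Windows types are replaced by portable stand-ins.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for the Windows types so this builds on any platform. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct _LDR_MODULE {          /* leading fields of the layout above */
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
    void *BaseAddress;
} LDR_MODULE;
static struct {                       /* hypothetical: only the three list heads */
    LIST_ENTRY InLoadOrderModuleList, InMemoryOrderModuleList,
               InInitializationOrderModuleList;
} ldr;                                /* plays the role of PEB_LDR_DATA */
static LDR_MODULE mods[3];            /* constructed sample records */

static void list_init(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static void insert_tail(LIST_ENTRY *h, LIST_ENTRY *e) {
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;
}
/* A Flink points at the LIST_ENTRY embedded in the next record, not at the
   record's start: subtract that member's offset to get the LDR_MODULE. */
static void *nth_base(LIST_ENTRY *head, size_t member_off, int n) {
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink, n--)
        if (n == 0)
            return ((LDR_MODULE *)((char *)e - member_off))->BaseAddress;
    return NULL;                      /* back at the head: list too short */
}

/* Constructed sample: load/memory order 0,1,2; initialization order 1,2,0. */
static void build_sample(void) {
    list_init(&ldr.InLoadOrderModuleList);
    list_init(&ldr.InMemoryOrderModuleList);
    list_init(&ldr.InInitializationOrderModuleList);
    for (int i = 0; i < 3; i++) {
        LDR_MODULE *m = &mods[i], *k = &mods[(i + 1) % 3];
        m->BaseAddress = (void *)(size_t)(0x10000000u * (i + 1));
        insert_tail(&ldr.InLoadOrderModuleList, &m->InLoadOrderModuleList);
        insert_tail(&ldr.InMemoryOrderModuleList, &m->InMemoryOrderModuleList);
        insert_tail(&ldr.InInitializationOrderModuleList, &k->InInitializationOrderModuleList);
    }
}

int main(void) {
    build_sample();                   /* first record in initialization order */
    printf("%p\n", nth_base(&ldr.InInitializationOrderModuleList,
           offsetof(LDR_MODULE, InInitializationOrderModuleList), 0));
    return 0;
}
```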