I'm attempting to get the module name for each thread in a process. Process Explorer shows the name of the module associated with each thread no problem. I can enumerate all modules and all threads in my current process with no problems, and get data related to them. My current method of deducing the associated module is the following:
if (module.BaseAddress < thread.StartAddress && (module.BaseAddress + module.BaseMemorySize) > thread.StartAddress)
{
    // this is our module ;)
}
Unfortunately, that doesn't seem to be a concrete way of doing it. The xfire_toucan.dll module shows in procexp fine:
1972 : xfire_toucan.dll!ToucanSendGamestatsConsoleLine_V1+0x80
In the list of modules, it shows with a base addr of 0x10000000 and a size of 0x26b000, giving us a max memory addr of 0x1026b000. However, the associated thread start address is 0x775e2ca0, which is part of an allocated block of memory in the process outside the module's main memory range.
Any idea how to get the module like ProcExp does?
I know C and C#, so either is fine, but my project is C# so that's preferred :]
Process Explorer isn't showing you the module associated with each thread. Windows does not maintain this information. It's showing you the symbol name for the thread's entry point. This will usually (but not always) be a function in the module that started the thread. If you want to retrieve this sort of information in your program, you can use the debug help API. They're probably using the StackWalk64 function to retrieve the entry point name.
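An added example of the debug help API route the answer points to (not code from the original posts, and not Process Explorer's own): it calls DbgHelp's SymInitializeW and SymFromAddrW through P/Invoke and prints `module!symbol+0xoffset` for each thread start address in the current process. It assumes a 64-bit Windows process; the names ThreadEntrySymbols and MaxName are illustrative.

```csharp
using System;
using System.Diagnostics;
using System.Linq;
using System.Runtime.InteropServices;

static class ThreadEntrySymbols // illustrative name, not from the page
{
    const int MaxName = 512; // assumed buffer size, in characters
    // Mirrors DbgHelp's SYMBOL_INFOW; Name is widened from WCHAR[1] to receive the symbol name.
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct SYMBOL_INFOW
    {
        public uint SizeOfStruct, TypeIndex;
        public ulong Reserved0, Reserved1;
        public uint Index, Size;
        public ulong ModBase;
        public uint Flags;
        public ulong Value, Address;
        public uint Register, Scope, Tag, NameLen, MaxNameLen;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = MaxName)] public string Name;
    }
    [DllImport("dbghelp.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool SymInitializeW(IntPtr hProcess, string searchPath, bool invadeProcess);
    [DllImport("dbghelp.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool SymFromAddrW(IntPtr hProcess, ulong address, out ulong displacement, ref SYMBOL_INFOW symbol);
    [DllImport("dbghelp.dll", SetLastError = true)]
    static extern bool SymCleanup(IntPtr hProcess);

    static void Main()
    {
        Process proc = Process.GetCurrentProcess();
        IntPtr h = proc.Handle;
        if (!SymInitializeW(h, null, true)) // true: load symbols for every loaded module
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            foreach (ProcessThread t in proc.Threads)
            {
                ulong addr = (ulong)t.StartAddress.ToInt64();
                // 88 == sizeof(SYMBOL_INFOW) in the native header (with Name[1])
                var sym = new SYMBOL_INFOW { SizeOfStruct = 88, MaxNameLen = MaxName };
                if (!SymFromAddrW(h, addr, out ulong disp, ref sym))
                { Console.WriteLine($"{t.Id} : 0x{addr:x} (no symbol)"); continue; }
                // The symbol's ModBase names the module; no range test on the start address needed.
                string mod = proc.Modules.Cast<ProcessModule>()
                    .FirstOrDefault(m => (ulong)m.BaseAddress.ToInt64() == sym.ModBase)?.ModuleName ?? "?";
                Console.WriteLine($"{t.Id} : {mod}!{sym.Name}+0x{disp:x}");
            }
        }
        finally { SymCleanup(h); }
    }
}
```

When no PDB is available for a module, DbgHelp falls back to the nearest exported name, so the reported symbol is the closest export below the address rather than necessarily the function that contains it.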