How can one obtain the "name" of a process start address as done in Process Explorer?

Question

Okay, I'm writing an application designed to enumerate threads in a given process, just as Process Explorer does. I'm well aware that this is potentially going to break between different windows versions, because it relies on "unofficial" APIs like NtQuerySystemInformation, and I'm perfectly fine with that.

I already have the code to obtain the base address of a given thread. I'd like to now turn that into something like what process explorer does, i.e. "ntdll.dll!EtwDeliverDataBlock+0x453". I don't actually need the function name or offset, just the module name.

How can I do this?

Answer 1

If all you need is the module name, the simplest way is to use EnumProcessModules to get a list of all the loaded the modules, then use GetModuleInformation on each of them. One of the things that GetModuleInformation returns is the base address where that module is loaded. Technically, the integer value of the HMODULE itself is the same as the base address, but that seems a little fragile to me...

Then it's simply a matter of finding the module with a base address just below the thread's current (or start) address.

Oh, and to get the actual name of the module, there's GetModuleBaseName.

Answer 2

You can use GetModuleHandleEx with the GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS flag to get a handle to a module given an address. You can then use GetModuleBaseName to get the name of the module.

Edit: You'll probably want to use the GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT flag as well, so you don't increase the reference count of the module.