FS_Process_Modules
The directory modules exists as a sub-directory in each process directory.
The modules directory contains one sub-directory for each loaded module (.DLLs and EXEs). It also contains the following files:
| File | Description |
|---|---|
| modules.txt | Overview of loaded modules. |
| modules-v.txt | Verbose overview of loaded modules. |
| unloaded_modules.txt | Information about unloaded modules. |
For kernel "processes" such as the System process in Windows (PID 4) the directory will contain loaded drivers (.SYS-files and .DLLs)
Each module directory contains a number of informational files and directories related to the loaded module. The files and directories and their contents are listed below:
| File | Description |
|---|---|
| base.txt | Base virtual address of the module |
| directories.txt | Information about the 16 data directories in the PE/MZ header |
| entry.txt | Entry point virtual address of the module |
| export.txt | Functions exported by the module |
| import.txt | Functions imported by the module and their corresponding modules |
| pefile.dll | Best-effort reconstructed module, .exe/.dll/.sys, file from memory fragments |
| sections.txt | Sections of the module |
| size.txt | Size of the module |
| directoriesd | Directory containing a file for each of the 16 data directories |
| sectionsd | Directory containing a file for each section |
Files in the individual module directories are read-only. pefile.dll and files in the directoriesd and sectionsd sub-directories are writable if a write-capable memory acquisition device is used.
The file export.txt contains information about exported functions. The meaning of the columns are as follows:
# ordinal fn_offset function_address function_name
======================================================
0000 1000 37410 00007ffd77347410 ---
0001 1001 2c880 00007ffd7733c880 I_ScGetCurrentGroupStateW
0002 1002 91868 00007ffd773a1868 A_SHAFinal
0003 1003 91883 00007ffd773a1883 A_SHAInit
0004 1004 9189f 00007ffd773a189f A_SHAUpdate
0005 1005 41890 00007ffd77351890 AbortSystemShutdownA
The file sections.txt contains information about the module PE sections. The meaning of the columns are as follows:
# name memory_address base_offset size page file_offset size
=====================================================================
00 .text 00007ff7959a1000 00001000 0002e338 r-x 00000400 0002e400
...
05 .rsrc 00007ff7959fb000 0005b000 000084f8 r-- 0003b600 00008600
06 .reloc 00007ff795a04000 00064000 00000308 r-- 00043c00 00000400
The example below shows the files in the modules/Actioncenter.dll sub-directory of the explorer.exe process. All files are related to the Actioncenter.dll module which is loaded into the explorer.exe process.
Shown in Notepad++ are the sections of the .DLL. While Ubuntu shows the entry, size, exported functions and the three first imported functions.
The modules sub-directory is implemented as a built-in native C-code plugin. The plugin source is located in the file m_proc_ldrmodules.c in the vmm project.