Skip to content

FS_Process_Modules

ufrisk edited this page Jan 19, 2023 · 13 revisions

The modules per-process directory

The directory modules exists as a sub-directory in each process directory.

The modules directory contains one sub-directory for each loaded module (.DLLs and EXEs). It also contains the following files:

File Description
modules.txt Overview of loaded modules.
modules-v.txt Verbose overview of loaded modules.
modules-versioninfo.txt Module version information.
unloaded_modules.txt Information about unloaded modules.

For kernel "processes" such as the System process in Windows (PID 4) the directory will contain loaded drivers (.SYS-files and .DLLs)

Each module directory contains a number of informational files and directories related to the loaded module. The files and directories and their contents are listed below:

File Description
base.txt Base virtual address of the module
directories.txt Information about the 16 data directories in the PE/MZ header
entry.txt Entry point virtual address of the module
export.txt Functions exported by the module
import.txt Functions imported by the module and their corresponding modules
pefile.dll Best-effort reconstructed module, .exe/.dll/.sys, file from memory fragments
sections.txt Sections of the module
size.txt Size of the module
directoriesd Directory containing a file for each of the 16 data directories
sectionsd Directory containing a file for each section

Files in the individual module directories are read-only. pefile.dll and files in the directoriesd and sectionsd sub-directories are writable if a write-capable memory acquisition device is used.

File: export.txt

The file export.txt contains information about exported functions. The meaning of the columns are as follows:

   # Ordinal Offset        Address Name                       ForwardedFunction
===============================================================================
0000  1000   39290 00007ff8892e9290 ---
0001  1001   2e380 00007ff8892de380 I_ScGetCurrentGroupStateW
0002  1002       0 0000000000000000 A_SHAFinal                NTDLL.A_SHAFinal
0003  1003       0 0000000000000000 A_SHAInit                 NTDLL.A_SHAInit
0004  1004       0 0000000000000000 A_SHAUpdate               NTDLL.A_SHAUpdate
0005  1005   43710 00007ff8892f3710 AbortSystemShutdownA
0006  1006   437b0 00007ff8892f37b0 AbortSystemShutdownW
...

File: sections.txt

The file sections.txt contains information about the module PE sections. The meaning of the columns are as follows:

#   name  memory_address   base_offset   size page file_offset   size
=====================================================================
00 .text  00007ff7959a1000 00001000  0002e338 r-x  00000400  0002e400
...
05 .rsrc  00007ff7959fb000 0005b000  000084f8 r--  0003b600  00008600
06 .reloc 00007ff795a04000 00064000  00000308 r--  00043c00  00000400

Example

The example below shows the files in the modules/ADVAPI.dll sub-directory of the connector_ctrl process. All files are related to the ADVAPI.dll module which is loaded into the connector_ctrl process.

Shown in Notepad are the sections of the .DLL. While Ubuntu shows the entry, size, exported functions and the three first imported functions.

For Developers

The modules sub-directory is implemented as a built-in native C-code plugin. The plugin source is located in the file m_proc_ldrmodules.c in the vmm project.

Clone this wiki locally