I've been researching this for several days and could use some advice...

...I have a small program written with MASM32 (v8) that uses TerminateProcess to shut down other processes. I am trying to be proper and find a way to inform the DLLs that it was attached to... and then find a way to make the target process call FreeLibrary on each of those modules... but this appears to be somewhat non-trivial.

I am thinking I could set the context of the main thread to call FreeLibrary, but probably have to find out what address it sits at in the target process's memory space. Or as a last resort, maybe I could do that subclassing / hooking / DLL injection sort of thing.

I found articles in the Visual Studio 6 MSDN by Matt Pietrek that show how to find the DLLs used by a program by inspecting its portable executable file. But I need to find out by inspecting the running process.

There appears to be a function called EnumProcessModules, which retrieves a handle for each module in the specified process. There also appears to be a function called GetModuleFileNameEx, which retrieves the fully qualified path for the specified module.

What I don't fully comprehend yet is the definition of 'module' as it is being used here. I have to confess to being a semi-newbie here... I learned assembly on the Apple II, and then again on a VAX back in college... but this is my 2nd week plunging into the Win32 asm world.

Can anybody tell me if I'm on the right track? If I enumerate all the modules, and then get each distinct module filename, have I then got all the distinct DLLs that the process is using?

Thanks a bunch in advance,
-Z
Posted on 2003-03-22 00:29:21 by Zeitnot
A module handle (also called an instance handle) is the starting address in memory where the dll or exe file is loaded into memory. To see this yourself open up a dll or exe file in a hex editor and you will see the first two bytes are the characters 'MZ'. If you dump the memory of a process at the address specified by a module handle you will also see the 'MZ' characters there.

The answer to your EnumProcessModules/GetModuleFilenameEx question is yes you will have a list of each dll mapped into the address space of the process.

Note that those two functions are only supported on Windows NT systems. If you want your program to be compatible with 9X/ME you will have to look into the toolhelp functions. Also note that the toolhelp api is supported on 2000/XP. So the only benefit to using those psapi.dll functions is support on Windows NT 4.0.

As far as shutting down processes the 'proper' way, you should send a WM_CLOSE message to the process's window procedure and let the program shut itself down. If the program is not responding then it is acceptable to use the TerminateProcess api to terminate it. AFAIK this is how Windows Task Manager shuts down processes if they are not responding.

Your reasoning for getting all the modules used by a process in order to somehow force it to call freelibrary on each of the module handles is a little overkill and it will take a lot of complex code to accomplish. An easier solution is to force the process to call ExitProcess(easiest way is the WM_CLOSE message) since that function does essentially what you are wanting to do. But, take note that TerminateProcess still frees the memory occupied by the dll even though it doesn't call the DllMain functions.
Posted on 2003-03-22 22:26:55 by BubbaFate