2

I'm trying to get the name of a module loaded in another process with GetModuleFileNameA.
I've loaded a symbol using dbgHelp and got its module base address, but 2 weird things happen:
1. Sometimes GetModuleFileNameA returns system error code 5: Access denied.
2. It returns the wrong module name. For a function I know to be in module A, I get the name of module B... :/

Can somebody help me?
Thanks :)

Idov
  • 1
    Why in the world are you still using the ANSI version of that function? – Cody Gray - on strike Apr 16 '11 at 07:01
  • 2
    Haha, the `A` at the end of the function name indicates it's the ANSI version of the function. The Windows operating system moved to using Unicode internally quite a while back. The Unicode versions of the functions have a `W` after their name, instead of an `A`. But if you're including the windows headers (`windows.h`), all you have to do is use the name of the function (`GetModuleFileName`), and the headers take care of defining that to the correct variant. The only reason you should compile without `_UNICODE` defined is if you're still targeting *really* old versions of Windows. – Cody Gray - on strike Apr 16 '11 at 07:05
  • 1
    Not at all. We're talking like Windows 95 or 98. Windows XP is fully Unicode, all versions of Windows NT are. Like I said, the simplest thing is to forget about prefixes and let the header files define the right version for you automatically. Almost *all* code written today will be Unicode. – Cody Gray - on strike Apr 16 '11 at 07:09

2 Answers

3

Please read the docs. Right on the page for GetModuleFileName it says

To locate the file for a module that was loaded by another process, use the GetModuleFileNameEx function.

GetModuleFileName only makes sense for modules in your process. Even if both processes have loaded the module, it may be at a different base address. You're effectively feeding GetModuleFileName garbage. Just to reiterate, you need to use GetModuleFileNameEx.

Logan Capaldo
  • OK, I tried it, but it returns an "INVALID HANDLE" error. I create the process with "DEBUG_PROCESS" but I'm sure the handle is good. I don't know if I can use "PROCESS_QUERY_INFORMATION" and "PROCESS_VM_READ" with DEBUG_PROCESS; I tried it and the program crashed... – Idov Apr 16 '11 at 09:07
  • hmm... I catch the module's base address in LOAD_DLL_DEBUG_EVENT, maybe it's too early. – Idov Apr 16 '11 at 09:55
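
The call recommended in the answer above, as an added example that is not code from the answer or from the Windows documentation: a Python `ctypes` wrapper that opens the target process with the two access rights `GetModuleFileNameEx` requires and passes the module's base address in that process as the `HMODULE`. The function name `remote_module_path` and opening the process by PID (rather than reusing a handle a debugger already holds) are assumptions made for illustration.

```python
import ctypes
import sys

PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010
# Access rights the process handle must carry for GetModuleFileNameEx.
REQUIRED_ACCESS = PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
BUF_CHARS = 32768  # room for extended-length paths


def remote_module_path(pid, module_base):
    """Return the path of the module loaded at module_base in process pid."""
    if sys.platform != "win32":
        raise OSError("GetModuleFileNameEx is a Win32 API")

    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    kernel32.OpenProcess.restype = ctypes.c_void_p
    kernel32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    kernel32.CloseHandle.argtypes = [ctypes.c_void_p]
    psapi.GetModuleFileNameExW.restype = ctypes.c_uint32
    psapi.GetModuleFileNameExW.argtypes = [
        ctypes.c_void_p, ctypes.c_void_p, ctypes.c_wchar_p, ctypes.c_uint32]

    handle = kernel32.OpenProcess(REQUIRED_ACCESS, False, pid)
    if not handle:
        # Error 5 here: the caller lacks rights on the target process.
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        buf = ctypes.create_unicode_buffer(BUF_CHARS)
        # module_base is interpreted in the address space of `handle`,
        # not in the address space of the calling process.
        length = psapi.GetModuleFileNameExW(handle, module_base, buf, BUF_CHARS)
        if length == 0:
            raise ctypes.WinError(ctypes.get_last_error())
        return buf.value
    finally:
        kernel32.CloseHandle(handle)


if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: script.py <pid> <module base in hex>
    print(remote_module_path(int(sys.argv[1]), int(sys.argv[2], 16)))
```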
0

If your process wants to access another process, it needs to have the rights to do so. That means your process needs elevated rights, or it must be the owner of the other process.

If you get the wrong name, you may have used the wrong handle. That might also explain why you get Access Denied sometimes. If you pass the handle to the wrong module, you may not have access to that, even if you do have access to the module you want to know the name of.

GolezTrol
  • But some of the module names are fine. Can it still be a permissions issue? And I get the module base address from "SymGetModuleBase", how can it be wrong? – Idov Apr 16 '11 at 07:18
  • I've just compared the module base address with what "Process Hacker" puts out and it's fine... – Idov Apr 16 '11 at 08:07