sf0x/GetRemoteModuleListW
GetRemoteModuleListW

Retrieve a list of loaded modules of a remote process in Windows, using NtQueryInformationProcess via SysWhispers3

Index

[[TOC]] Haha, fuck Github

Overview

I was looking for a way to retrieve a list of loaded DLLs of a remote process without using Windows APIs. OpSec sometimes requires performing this task with the least possible interaction with calls under surveillance.
In this current draft the function makes use of NtQueryInformationProcess to find the remote process's PEB address. I'm quite sure there is a stealthier way to obtain this address once one has a handle, but I haven't dug into this matter yet - maybe I will come back to it later.
This repo uses direct syscalls with the SysWhispers3 technique to defy hooking of NtQueryInformationProcess. Some typedefs were added manually, such as FULL_LDR_DATA_TABLE_ENTRY.

References
