The toolhelp functions can also return a list of modules (normally DLLs) used by the application. To obtain the snapshot, CreateToolhelp32Snapshot is passed the TH32CS_SNAPMODULE constant, and the second parameter contains the process identifier whose module list is to be returned. In Listing 5.5 the process identifier for the current process is returned from calling GetCurrentProcessId. The functions Module32First and Module32Next are used to enumerate the modules, and information about the modules is returned in a MODULEENTRY32 structure. Listing 5.5 Lists modules being used by a processvoid Listing5_5() { HANDLE hModuleSnap; MODULEENTRY32 me32; DWORD dwProcessID; dwProcessID = GetCurrentProcessId(); hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessID); if (hModuleSnap == (HANDLE)-1) { cout _T("Could not take Toolhelp snapshot") endl; return ; } me32.dwSize = sizeof(MODULEENTRY32); if (Module32First(hModuleSnap, &me32)) { do { cout me32.szModule _T(" Base addr: ") (DWORD)me32.modBaseAddr _T(" Size (KB): ") me32.modBaseSize / 1024 endl; } while (Module32Next(hModuleSnap, &me32)); } CloseToolhelp32Snapshot (hModuleSnap); return; } In Listing 5.5 the name of the module (szModule) is displayed together with the base address (modBaseAddr) at which the module is mapped, and the size of the address space (modBaseSize) used by the module. DLLs are loaded at the top of the process's 32-MB slot. The value returned in modBaseSize is the size of the virtual address space used by the module and is not the amount of RAM used by the module. For example, a DLL could be mapped from ROM with the code being executed in place.
The GlblcntUsage member contains the number of times this module has been loaded in all processes running on the device. The ProccntUsage value is the number of times the module has been loaded in the process being inspected. This can be larger than 1 since the application as well as other modules may reference the module in question. Windows CE does not return szExePath member in Windows NT/98/ 2000 this contains the fully qualified pathname of the module. The hModule member of MODULEENTRY32 can be passed to the GetModuleFileName function, and this returns a fully qualified filename. TCHAR szPathname[MAX_PATH]; GetModuleFileName(me32.hModule, szPathname, MAX_PATH); The function GetModuleFileName is passed the handle to the module, a pointer to a character buffer to receive the fully qualified filename, and the maximum number of characters that can be placed in the buffer.
|