Modules Used by a Process

< BACK NEXT >

[oR]

The toolhelp functions can also return a list of modules (normally DLLs) used by the application. To obtain the snapshot, CreateToolhelp32Snapshot is passed the TH32CS_SNAPMODULE constant, and the second parameter contains the process identifier whose module list is to be returned. In Listing 5.5 the process identifier for the current process is returned from calling GetCurrentProcessId. The functions Module32First and Module32Next are used to enumerate the modules, and information about the modules is returned in a MODULEENTRY32 structure.

Listing 5.5 Lists modules being used by a process

 void Listing5_5() {   HANDLE hModuleSnap;   MODULEENTRY32 me32;   DWORD dwProcessID;   dwProcessID = GetCurrentProcessId();   hModuleSnap =       CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,         dwProcessID);   if (hModuleSnap == (HANDLE)-1)   {       cout   _T("Could not take Toolhelp snapshot")              endl;       return ;   }   me32.dwSize = sizeof(MODULEENTRY32);   if (Module32First(hModuleSnap, &me32))   {     do     {       cout   me32.szModule              _T(" Base addr: ")              (DWORD)me32.modBaseAddr              _T(" Size (KB): ")              me32.modBaseSize / 1024 endl;     }    while (Module32Next(hModuleSnap, &me32));   }   CloseToolhelp32Snapshot (hModuleSnap);   return; }

In Listing 5.5 the name of the module (szModule) is displayed together with the base address (modBaseAddr) at which the module is mapped, and the size of the address space (modBaseSize) used by the module. DLLs are loaded at the top of the process's 32-MB slot. The value returned in modBaseSize is the size of the virtual address space used by the module and is not the amount of RAM used by the module. For example, a DLL could be mapped from ROM with the code being executed in place.

Table 5.5. MODULEENTRY32 members returned in Windows CE
Member	Purpose
`DWORD dwSize;`	Size of the structure in bytes. Set before passing to functions.
`DWORD th32ProcessID`	Process identified for the process being inspected.
`DWORD GlblcntUsage`	Number of times this module has been loaded in all applications running on the device.
`DWORD ProccntUsage`	Number of times this module has been loaded in the context of this process.
`BYTE *modBaseAddr`	Memory address where the module is loaded in the process's address space.
`DWORD modBaseSize`	Number of bytes of address space used in the mapping.
`HMODULE hModule;`	Handle to the module.
`TCHAR szModule [MAX_MODULE_NAME32 + 1]`	Name of the module, not qualified with a path name.

The GlblcntUsage member contains the number of times this module has been loaded in all processes running on the device. The ProccntUsage value is the number of times the module has been loaded in the process being inspected. This can be larger than 1 since the application as well as other modules may reference the module in question.

Windows CE does not return szExePath member in Windows NT/98/ 2000 this contains the fully qualified pathname of the module. The hModule member of MODULEENTRY32 can be passed to the GetModuleFileName function, and this returns a fully qualified filename.

 TCHAR szPathname[MAX_PATH]; GetModuleFileName(me32.hModule, szPathname, MAX_PATH);

The function GetModuleFileName is passed the handle to the module, a pointer to a character buffer to receive the fully qualified filename, and the maximum number of characters that can be placed in the buffer.

< BACK NEXT >

Listing 5.5 Lists modules being used by a process

Table 5.5. MODULEENTRY32 members returned in Windows CE