A 32-bit process is running on a 64-bit Windows system. I am trying to get the list of its loaded DLLs in two ways:

  1. From inside the process: the PEB loader list and Module32Next (code below)

C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\SYSTEM32\kernel32.dll
C:\Windows\SYSTEM32\kernelbase.dll
C:\Windows\SYSTEM32\user32.dll
C:\Windows\SYSTEM32\gdi32.dll
C:\Windows\SYSTEM32\msvcr100.dll
C:\Windows\SYSTEM32\imm32.dll

  2. From outside: Process Explorer (64-bit)

C:\Windows\SysWOW64\bcryptprimitives.dll
C:\Windows\SysWOW64\combase.dll
C:\Windows\SysWOW64\cryptbase.dll
C:\Windows\SysWOW64\dwmapi.dll
C:\Windows\SysWOW64\gdi32.dll
C:\Windows\SysWOW64\imm32.dll
C:\Windows\SysWOW64\kernel.appcore.dll
C:\Windows\SysWOW64\kernel32.dll
C:\Windows\SysWOW64\KernelBase.dll
C:\Windows\System32\locale.nls
C:\Windows\SysWOW64\msctf.dll
C:\Users\1\Desktop\msvcr100.dll
C:\Windows\SysWOW64\msvcrt.dll
C:\Windows\SysWOW64\ntdll.dll
C:\Windows\System32\ntdll.dll
C:\Windows\SysWOW64\rpcrt4.dll
C:\Windows\SysWOW64\sechost.dll
C:\Windows\SysWOW64\SHCore.dll
C:\Windows\Globalization\Sorting\SortDefault.nls
C:\Windows\SysWOW64\sspicli.dll
C:\Windows\Fonts\StaticCache.dat
C:\Users\1\Desktop\test.exe
C:\Windows\SysWOW64\user32.dll
C:\Windows\SysWOW64\en-RU\user32.dll.mui
C:\Windows\SysWOW64\uxtheme.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll

Why does case 1 report C:\Windows\SYSTEM32\ rather than C:\Windows\SysWOW64\?
The query is made by the 32-bit (WOW64) process about itself.

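/*
 * Enumerate the modules of the current (32-bit, WOW64) process two ways:
 *  1. Toolhelp snapshot (Module32First/Module32Next), printed as ANSI paths.
 *  2. Walk of the PEB loader list (PEB_LDR_DATA.InMemoryOrderModuleList),
 *     printed as wide paths taken from LDR_MODULE.FullDllName.
 *
 * Both sources report the path the 32-bit loader recorded, i.e. the
 * redirected "C:\Windows\System32\..." name; the file actually mapped for a
 * WOW64 process lives under C:\Windows\SysWOW64. A 64-bit observer (Process
 * Explorer) sees the mapped-file name instead, which is why the two listings
 * differ. Query the mapped file name of the module base if the real on-disk
 * path matters.
 *
 * Assumes NtQueryInformationProcess, NtQueryInformationProcessQ and
 * PLDR_MODULE are declared elsewhere in the file, and that LDR_MODULE's
 * InMemoryOrderModuleList sits immediately after one LIST_ENTRY, i.e. at
 * offset sizeof(LIST_ENTRY) — the original code relied on the same layout;
 * confirm against the LDR_MODULE definition in use.
 */
HANDLE h;
PEB p;
PROCESS_BASIC_INFORMATION s;
DWORD w = 0;
HMODULE hMsi;
PLDR_MODULE curr;
PLDR_MODULE b;
MODULEENTRY32 pf;

/* --- 1. Toolhelp module snapshot ------------------------------------- */
h = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId());
if (h != INVALID_HANDLE_VALUE) {
    ZeroMemory(&pf, sizeof(pf));
    pf.dwSize = sizeof(pf);
    /* Module32First yields the first entry (the executable itself). The
     * original discarded it and printed only after a failed Module32Next,
     * so test.exe was missing and an empty path appeared at the end. */
    if (Module32First(h, &pf)) {
        do {
            printf("%s \n", pf.szExePath);
            ZeroMemory(&pf, sizeof(pf));
            pf.dwSize = sizeof(pf);
        } while (Module32Next(h, &pf));
    }
    CloseHandle(h);   /* the snapshot handle was leaked before */
}

MessageBox(0, 0, 0, 1);   /* pause so the two listings can be compared */

/* --- 2. Walk the PEB loader list ------------------------------------- */
hMsi = LoadLibrary("ntdll.dll");
NtQueryInformationProcess = hMsi
    ? (NtQueryInformationProcessQ)GetProcAddress(hMsi, "NtQueryInformationProcess")
    : 0;

ZeroMemory(&s, sizeof(s));
/* HANDLE is a pointer: compare against NULL, not "> 0". */
h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 0, GetCurrentProcessId());
if (h != 0 && NtQueryInformationProcess != 0
    && NtQueryInformationProcess(h, ProcessBasicInformation, &s, sizeof(s), &w) == 0) {
    ZeroMemory(&p, sizeof(p));
    w = 0;
    /* Only a complete PEB read is trusted; a short read would leave p.Ldr
     * pointing at zeroed memory. */
    if (ReadProcessMemory(h, s.PebBaseAddress, &p, sizeof(p), &w) && w == sizeof(p)) {
        /* p.Ldr and the list entries are dereferenced directly; that is only
         * valid because the target is the current process. For a remote
         * process every entry would have to be fetched with ReadProcessMemory.
         * Byte-pointer arithmetic replaces the (DWORD) casts so the offset
         * math stays correct if this is ever built as 64-bit. */
        b = (PLDR_MODULE)((BYTE *)&p.Ldr->InMemoryOrderModuleList - sizeof(LIST_ENTRY));
        curr = (PLDR_MODULE)((BYTE *)p.Ldr->InMemoryOrderModuleList.Flink - sizeof(LIST_ENTRY));
        while (curr != b) {
            printf("%p \n", (void *)curr);
            /* FullDllName is loader-owned memory and UNICODE_STRING does not
             * guarantee a NUL terminator: bound the print by Length (bytes)
             * rather than trusting %s to find one. */
            wprintf(L"%.*s \n",
                    (int)(curr->FullDllName.Length / sizeof(*curr->FullDllName.Buffer)),
                    curr->FullDllName.Buffer);
            printf(" \n");
            curr = (PLDR_MODULE)((BYTE *)curr->InMemoryOrderModuleList.Flink - sizeof(LIST_ENTRY));
        }
    }
}
if (h != 0)
    CloseHandle(h);   /* the process handle was leaked before */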


    Why does case 1 report C:\Windows\SYSTEM32\ rather than C:\Windows\SysWOW64\? The query is made by the 32-bit (WOW64) process about itself.

    Precisely because the query comes from a 32-bit process. WOW64 applies file-system and registry redirection so that 32-bit applications with hard-coded system paths keep working on 64-bit Windows: when the 32-bit loader opens C:\Windows\System32\kernel32.dll, the file actually opened is C:\Windows\SysWOW64\kernel32.dll, and the loader records the path it asked for. The PEB's LDR entries, and in effect Module32Next, therefore report the redirected System32 name. Process Explorer is a 64-bit process and reports the name of the file actually mapped, which is why it shows SysWOW64 and also lists things the 32-bit PEB module list never contains: the 64-bit ntdll.dll, the wow64*.dll layer, and mapped data files (.nls, .mui, StaticCache.dat). If you need the real on-disk paths from a 32-bit process, either use a 64-bit tool or query the mapped file name of each module base (GetMappedFileName, or NtQueryVirtualMemory with MemorySectionName), which is not subject to path redirection; Sysnative and Wow64DisableWow64FsRedirection let a 32-bit process reach the real System32 directory but do not change what the loader recorded. One more thing worth checking: the two listings disagree about msvcr100.dll (C:\Windows\SYSTEM32 vs. C:\Users\1\Desktop). If both came from the same run, the copy next to test.exe is the one actually loaded, because the application directory precedes the system directories in the default DLL search order — the situation DLL planting exploits — so make sure the CRT you load is the one you intend.