lm (view loaded modules)
Description of the 'lm' command in HyperDbg.
Command
lm
Syntax
lm [m Name (string)] [pid ProcessId (hex)] [Filter (string)]
Description
Shows the loaded modules' base address, size, name, full path.
Parameters
[m Name (string)] (optional)
The name or a part of the name that will be searched through all the modules and only those which match will be shown. The search is case-insensitive.
[pid ProcessId (hex)] (optional)
The Process Id of the target process in which the user-mode modules are shown. The process id only makes sense in user-mode modules, and this parameter will be ignored for kernel-mode modules.
By default, when you didn't use the pid parameter, if you are attached to a process in the user-mode debugger, this command shows the user-mode modules of the debuggee process; otherwise, it shows the user-mode modules of the process of HyperDbg.
[Filter (string)] (optional)
Can be one of these values :
km: only shows the kernel-mode modules.
um: only shows the user-mode modules.
Examples
The following command shows all the user-mode and kernel-mode modules.
1
HyperDbg> lm
2
user mode
3
start entrypoint path
4
​
5
....
6
00007ffd885e0000 00007ffd885f5600 C:\Windows\System32\ADVAPI32.dll
7
00007ffd86fc0000 00007ffd86fc7850 C:\Windows\System32\msvcrt.dll
8
00007ffd87df0000 00007ffd87e0cd20 C:\Windows\System32\sechost.dll
9
00007ffd86e60000 00007ffd86ebdfb0 C:\Windows\System32\RPCRT4.dll
10
00007ffd88cb0000 00007ffd88cba7a0 C:\Windows\System32\SHLWAPI.dll
11
00007ffd886a0000 00007ffd886b4300 C:\Windows\System32\WS2_32.dll
12
...
13
​
14
==============================================================================
15
​
16
kernel mode
17
start size name path
18
​
19
fffff801`63000000 1046000 ntoskrnl.exe \SystemRoot\system32\ntoskrnl.exe
20
fffff801`5fa40000 6000 hal.dll \SystemRoot\system32\hal.dll
21
fffff801`5fab0000 49000 kdnet.dll \SystemRoot\system32\kdnet.dll
22
fffff801`5fa50000 5c000 kd_02_8086.dll \SystemRoot\system32\kd_02_8086.dll
23
...
Copied!
This command only shows the user-mode modules.
1
HyperDbg> lm um
2
user mode
3
start entrypoint path
4
​
5
...
6
00007ffd88d50000 0000000000000000 C:\Windows\SYSTEM32\ntdll.dll
7
00007ffd88860000 00007ffd888770d0 C:\Windows\System32\KERNEL32.DLL
8
00007ffd865f0000 00007ffd865f92c0 C:\Windows\System32\KERNELBASE.dll
9
00007ffd83d90000 00007ffd83da0880 C:\Windows\SYSTEM32\apphelp.dll
10
...
Copied!
The following command shows the user-mode modules of the process with process id equal to 1240 that contains "kernel" in their path.
1
HyperDbg> lm um m kernel pid 1240
2
user mode
3
start entrypoint path
4
​
5
00007ffd88860000 00007ffd888770d0 C:\Windows\System32\KERNEL32.DLL
6
00007ffd865f0000 00007ffd865f92c0 C:\Windows\System32\KERNELBASE.dll
7
​
Copied!
The following example shows the kernel-mode modules that contain "nt" in their path or name.
1
HyperDbg> lm km m nt
2
kernel mode
3
start size name path
4
​
5
fffff801`63000000 1046000 ntoskrnl.exe \SystemRoot\system32\ntoskrnl.exe
6
fffff801`5f7b0000 28f000 mcupdate_GenuineIntel.dll \SystemRoot\system32\mcupdate_GenuineIntel.dll
7
fffff801`65330000 c000 ntosext.sys \SystemRoot\System32\drivers\ntosext.sys
8
fffff801`656a0000 1a000 SgrmAgent.sys \SystemRoot\system32\drivers\SgrmAgent.sys
9
fffff801`657c0000 6b000 intelpep.sys \SystemRoot\System32\drivers\intelpep.sys
10
fffff801`65850000 b000 IntelTA.sys \SystemRoot\System32\drivers\IntelTA.sys
11
fffff801`658a0000 b000 intelide.sys \SystemRoot\System32\drivers\intelide.sys
12
fffff801`65b80000 1e000 mountmgr.sys \SystemRoot\System32\drivers\mountmgr.sys
13
fffff801`65e10000 2d9000 Ntfs.sys \SystemRoot\System32\Drivers\Ntfs.sys
14
fffff801`66640000 7f000 fwpkclnt.sys \SystemRoot\System32\drivers\fwpkclnt.sys
15
fffff801`67c10000 b000 vmgencounter.sys \SystemRoot\System32\drivers\vmgencounter.sys
16
fffff801`67c50000 40000 intelppm.sys \SystemRoot\System32\drivers\intelppm.sys
17
​
Copied!
IOCTL
For getting the information about user-mode modules, you should use DeviceIoControl with
IOCTL = IOCTL_GET_USER_MODE_MODULE_DETAILS, you have to send it in the following structure.1
typedef struct _USERMODE_LOADED_MODULE_DETAILS
2
{
3
UINT32 ProcessId;
4
BOOLEAN OnlyCountModules;
5
UINT32 ModulesCount;
6
UINT32 Result;
7
​
8
//
9
// Here is a list of USERMODE_LOADED_MODULE_SYMBOLS (appended)
10
//
11
​
12
} USERMODE_LOADED_MODULE_DETAILS, *PUSERMODE_LOADED_MODULE_DETAILS;
Copied!
First, you need to fill the
ProcessId and set the OnlyCountModules to TRUE. After that send the IOCTL and if the Result field of the above structure was equal to DEBUGEER_OPERATION_WAS_SUCCESSFULL, then you can see the number of modules at the ModulesCount field.After that, you need to send the above IOCTL one more time. First, you need to allocate a buffer with the size of
ModulesCount * sizeof(USERMODE_LOADED_MODULE_SYMBOLS) + sizeof(USERMODE_LOADED_MODULE_DETAILS), fill the ProcessId and set the OnlyCountModules to FALSE.1
typedef struct _USERMODE_LOADED_MODULE_SYMBOLS
2
{
3
UINT64 BaseAddress;
4
UINT64 Entrypoint;
5
wchar_t FilePath[MAX_PATH];
6
​
7
} USERMODE_LOADED_MODULE_SYMBOLS, *PUSERMODE_LOADED_MODULE_SYMBOLS;
Copied!
When the above structure is returned, at the bottom of the
USERMODE_LOADED_MODULE_DETAILS is filled with an array of USERMODE_LOADED_MODULE_SYMBOLS. This array contains information about the module's BaseAddress, Entrypoint, and the FilePath. Getting modules information for the kernel-mode modules are done by calling NtQuerySystemInformation and does not gets the address from the kernel, so it doesn't have any IOCTL.
Remarks
This command will continue the debuggee for some time (in Debugger Mode). This means that you lose the current context (registers & memory) after executing this command.
Requirements
None
Related
None
Copy link
Edit on GitHub