lm [m Name (string)] [pid ProcessId (hex)] [Filter (string)]
Description
Shows the loaded modules' base address, size, name, full path.
Parameters
[m Name (string)] (optional)
The name or a part of the name that will be searched through all the modules and only those which match will be shown. The search is case-insensitive.
[pid ProcessId (hex)] (optional)
The Process Id of the target process in which the user-mode modules are shown. The process id only makes sense in user-mode modules, and this parameter will be ignored for kernel-mode modules.
By default, when you didn't use the pid parameter, if you are attached to a process in the user-mode debugger, this command shows the user-mode modules of the debuggee process; otherwise, it shows the user-mode modules of the process of HyperDbg.
[Filter (string)] (optional)
Can be one of these values :
km: only shows the kernel-mode modules.
um: only shows the user-mode modules.
Examples
The following command shows all the user-mode and kernel-mode modules.
For getting the information about user-mode modules, you should use DeviceIoControl with IOCTL = IOCTL_GET_USER_MODE_MODULE_DETAILS, you have to send it in the following structure.
typedef struct _USERMODE_LOADED_MODULE_DETAILS
{
UINT32 ProcessId;
BOOLEAN OnlyCountModules;
UINT32 ModulesCount;
UINT32 Result;
//
// Here is a list of USERMODE_LOADED_MODULE_SYMBOLS (appended)
//
} USERMODE_LOADED_MODULE_DETAILS, *PUSERMODE_LOADED_MODULE_DETAILS;
First, you need to fill the ProcessId and set the OnlyCountModules to TRUE. After that send the IOCTL and if the Result field of the above structure was equal to DEBUGEER_OPERATION_WAS_SUCCESSFULL, then you can see the number of modules at the ModulesCount field.
After that, you need to send the above IOCTL one more time. First, you need to allocate a buffer with the size of ModulesCount * sizeof(USERMODE_LOADED_MODULE_SYMBOLS) + sizeof(USERMODE_LOADED_MODULE_DETAILS), fill the ProcessId and set the OnlyCountModules to FALSE.
When the above structure is returned, at the bottom of the USERMODE_LOADED_MODULE_DETAILS is filled with an array of USERMODE_LOADED_MODULE_SYMBOLS. This array contains information about the module's BaseAddress, Entrypoint, and the FilePath.
Getting modules information for the kernel-mode modules are done by calling NtQuerySystemInformation and does not gets the address from the kernel, so it doesn't have any IOCTL.
Remarks
This command will continue the debuggee for some time (in Debugger Mode). This means that you lose the current context (registers & memory) after executing this command.
