lm (view loaded modules)

Description of the 'lm' command in HyperDbg.

Command

lm

Syntax

lm [m Name (string)] [pid ProcessId (hex)] [Filter (string)]

Description

Shows the loaded modules' base address, size, name, full path.

Parameters

[m Name (string)] (optional)

The name or a part of the name that will be searched through all the modules and only those which match will be shown. The search is case-insensitive.

[pid ProcessId (hex)] (optional)

The Process Id of the target process in which the user-mode modules are shown. The process id only makes sense in user-mode modules, and this parameter will be ignored for kernel-mode modules.

By default, when you didn't use the pid parameter, if you are attached to a process in the user-mode debugger, this command shows the user-mode modules of the debuggee process; otherwise, it shows the user-mode modules of the process of HyperDbg.

[Filter (string)] (optional)

Can be one of these values :

km: only shows the kernel-mode modules.

um: only shows the user-mode modules.

Examples

The following command shows all the user-mode and kernel-mode modules.

HyperDbg> lm
user mode
start                   entrypoint              path

....
00007ffd885e0000        00007ffd885f5600        C:\Windows\System32\ADVAPI32.dll
00007ffd86fc0000        00007ffd86fc7850        C:\Windows\System32\msvcrt.dll
00007ffd87df0000        00007ffd87e0cd20        C:\Windows\System32\sechost.dll
00007ffd86e60000        00007ffd86ebdfb0        C:\Windows\System32\RPCRT4.dll
00007ffd88cb0000        00007ffd88cba7a0        C:\Windows\System32\SHLWAPI.dll
00007ffd886a0000        00007ffd886b4300        C:\Windows\System32\WS2_32.dll
...

==============================================================================

kernel mode
start                   size    name                            path

fffff801`63000000       1046000 ntoskrnl.exe                    \SystemRoot\system32\ntoskrnl.exe
fffff801`5fa40000       6000    hal.dll                         \SystemRoot\system32\hal.dll
fffff801`5fab0000       49000   kdnet.dll                       \SystemRoot\system32\kdnet.dll
fffff801`5fa50000       5c000   kd_02_8086.dll                  \SystemRoot\system32\kd_02_8086.dll
...

This command only shows the user-mode modules.

HyperDbg> lm um
user mode
start                   entrypoint              path

...
00007ffd88d50000        0000000000000000        C:\Windows\SYSTEM32\ntdll.dll
00007ffd88860000        00007ffd888770d0        C:\Windows\System32\KERNEL32.DLL
00007ffd865f0000        00007ffd865f92c0        C:\Windows\System32\KERNELBASE.dll
00007ffd83d90000        00007ffd83da0880        C:\Windows\SYSTEM32\apphelp.dll
...

The following command shows the user-mode modules of the process with process id equal to 1240 that contains "kernel" in their path.

HyperDbg> lm um m kernel pid 1240
user mode
start                   entrypoint              path

00007ffd88860000        00007ffd888770d0        C:\Windows\System32\KERNEL32.DLL
00007ffd865f0000        00007ffd865f92c0        C:\Windows\System32\KERNELBASE.dll

The following example shows the kernel-mode modules that contain "nt" in their path or name.

HyperDbg> lm km m nt
kernel mode
start                   size    name                            path

fffff801`63000000       1046000 ntoskrnl.exe                    \SystemRoot\system32\ntoskrnl.exe
fffff801`5f7b0000       28f000  mcupdate_GenuineIntel.dll       \SystemRoot\system32\mcupdate_GenuineIntel.dll
fffff801`65330000       c000    ntosext.sys                     \SystemRoot\System32\drivers\ntosext.sys
fffff801`656a0000       1a000   SgrmAgent.sys                   \SystemRoot\system32\drivers\SgrmAgent.sys
fffff801`657c0000       6b000   intelpep.sys                    \SystemRoot\System32\drivers\intelpep.sys
fffff801`65850000       b000    IntelTA.sys                     \SystemRoot\System32\drivers\IntelTA.sys
fffff801`658a0000       b000    intelide.sys                    \SystemRoot\System32\drivers\intelide.sys
fffff801`65b80000       1e000   mountmgr.sys                    \SystemRoot\System32\drivers\mountmgr.sys
fffff801`65e10000       2d9000  Ntfs.sys                        \SystemRoot\System32\Drivers\Ntfs.sys
fffff801`66640000       7f000   fwpkclnt.sys                    \SystemRoot\System32\drivers\fwpkclnt.sys
fffff801`67c10000       b000    vmgencounter.sys                \SystemRoot\System32\drivers\vmgencounter.sys
fffff801`67c50000       40000   intelppm.sys                    \SystemRoot\System32\drivers\intelppm.sys

IOCTL

For getting the information about user-mode modules, you should use DeviceIoControl with IOCTL = IOCTL_GET_USER_MODE_MODULE_DETAILS, you have to send it in the following structure.

typedef struct _USERMODE_LOADED_MODULE_DETAILS
{
    UINT32  ProcessId;
    BOOLEAN OnlyCountModules;
    UINT32  ModulesCount;
    UINT32  Result;

    //
    // Here is a list of USERMODE_LOADED_MODULE_SYMBOLS (appended)
    //

} USERMODE_LOADED_MODULE_DETAILS, *PUSERMODE_LOADED_MODULE_DETAILS;

First, you need to fill the ProcessId and set the OnlyCountModules to TRUE. After that send the IOCTL and if the Result field of the above structure was equal to DEBUGEER_OPERATION_WAS_SUCCESSFULL, then you can see the number of modules at the ModulesCount field.

After that, you need to send the above IOCTL one more time. First, you need to allocate a buffer with the size of ModulesCount * sizeof(USERMODE_LOADED_MODULE_SYMBOLS) + sizeof(USERMODE_LOADED_MODULE_DETAILS), fill the ProcessId and set the OnlyCountModules to FALSE.

typedef struct _USERMODE_LOADED_MODULE_SYMBOLS
{
    UINT64  BaseAddress;
    UINT64  Entrypoint;
    wchar_t FilePath[MAX_PATH];

} USERMODE_LOADED_MODULE_SYMBOLS, *PUSERMODE_LOADED_MODULE_SYMBOLS;

When the above structure is returned, at the bottom of the USERMODE_LOADED_MODULE_DETAILS is filled with an array of USERMODE_LOADED_MODULE_SYMBOLS. This array contains information about the module's BaseAddress, Entrypoint, and the FilePath.

Getting modules information for the kernel-mode modules are done by calling NtQuerySystemInformation and does not gets the address from the kernel, so it doesn't have any IOCTL.

Remarks

This command will continue the debuggee for some time (in Debugger Mode). This means that you lose the current context (registers & memory) after executing this command.

Requirements

None

Previousprint (evaluate and print expression in debuggee)Nextcpu (check cpu supported technologies)

Last updated 3 years ago