Geoff Chappell - Software Analyst
An array of RTL_MODULE_EXTENDED_INFO structures is produced in the output buffer by a successful call to the RtlQueryModuleInformation function when given this structure’s size to indicate what information is sought.
The RTL_MODULE_EXTENDED_INFO structure is not documented.
The RTL_MODULE_EXTENDED_INFO structure is 0x010C or 0x0110 bytes in 32-bit and 64-bit Windows, respectively, in all versions from 6.0 until at least the 2004 release of Windows 10.
| Offset (x86) | Offset (x64) | Definition |
|---|---|---|
| 0x00 | 0x00 | RTL_MODULE_BASIC_INFO BasicInfo; |
| 0x04 | 0x08 | ULONG ImageSize; |
| 0x08 | 0x0C | USHORT FileNameOffset; |
| 0x0A | 0x0E | CHAR FullPathName [0x0100]; |
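
As an added example (not code from this page or from Windows), the following C program pins the x64 offsets and size given above with compile-time checks, then walks a captured buffer of entries while rejecting truncated or inconsistent ones. It assumes a little-endian host, that BasicInfo holds a single pointer-sized image base, and that FileNameOffset is the index within FullPathName at which the file name starts; the names MODULE_EXTENDED_INFO_X64, module_file_name and build_sample are hypothetical, and the sample entries are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x64 layout from the table; assumption: BasicInfo is one 8-byte image base. */
typedef struct {
    uint64_t ImageBase;            /* 0x00: BasicInfo */
    uint32_t ImageSize;            /* 0x08 */
    uint16_t FileNameOffset;       /* 0x0C */
    char     FullPathName[0x100];  /* 0x0E */
} MODULE_EXTENDED_INFO_X64;
_Static_assert(offsetof(MODULE_EXTENDED_INFO_X64, ImageSize) == 0x08, "ImageSize");
_Static_assert(offsetof(MODULE_EXTENDED_INFO_X64, FileNameOffset) == 0x0C, "FileNameOffset");
_Static_assert(offsetof(MODULE_EXTENDED_INFO_X64, FullPathName) == 0x0E, "FullPathName");
_Static_assert(sizeof(MODULE_EXTENDED_INFO_X64) == 0x110, "structure size");

/* Hypothetical helper: file name of entry `index`, NULL if truncated or inconsistent. */
const char *module_file_name(const uint8_t *buf, size_t len, size_t index,
                             MODULE_EXTENDED_INFO_X64 *out)
{
    if (index >= len / sizeof *out) return NULL;          /* not wholly in buffer */
    memcpy(out, buf + index * sizeof *out, sizeof *out);  /* no alignment assumed */
    if (!memchr(out->FullPathName, 0, sizeof out->FullPathName)) return NULL;
    if (out->FileNameOffset > strlen(out->FullPathName)) return NULL;
    return out->FullPathName + out->FileNameOffset;
}

/* Constructed sample: one well-formed entry, one with a bad FileNameOffset. */
size_t build_sample(uint8_t *buf)
{
    MODULE_EXTENDED_INFO_X64 e[2] = {{ 0xFFFFF80012340000ULL, 0x21000, 29,
        "\\SystemRoot\\system32\\drivers\\example.sys" }};
    e[1] = e[0];
    e[1].FileNameOffset = 0x0200;                         /* beyond the array */
    memcpy(buf, e, sizeof e);
    return sizeof e;
}

int main(void)
{
    uint8_t buf[2 * sizeof(MODULE_EXTENDED_INFO_X64)];
    MODULE_EXTENDED_INFO_X64 e;
    size_t len = build_sample(buf);
    for (size_t i = 0; i < len / sizeof e; i++) {
        const char *n = module_file_name(buf, len, i, &e);
        puts(n ? n : "(malformed)");
    }
    return 0;
}
```

The same checks apply to the 32-bit layout with a 4-byte BasicInfo and the x86 offsets from the table.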