Geoff Chappell - Software Analyst
REVISION IN PROGRESS - Take more than your usual care.
The RTL_PROCESS_MODULE_INFORMATION structure is a recurring element in the RTL_PROCESS_MODULES structure that a successful call to ZwQuerySystemInformation or NtQuerySystemInformation produces at the start of its output buffer when given the information class SystemModuleInformation (0x0B).
The RTL_PROCESS_MODULE_INFORMATION structure is not documented.
Microsoft does publish the practical equivalent of a C-language definition as type information in symbol files—not for the kernel, where the structure is prepared, nor even for low-level user-mode DLLs that interpret the structure, but for a handful of higher-level DLLs that might ordinarily be thought very distant from any involvement with the structure. Perhaps only by oversight, but starting as long ago as Windows 8, Microsoft’s downloadable packages of public symbols have included a smattering of private symbol files and these continue to be available through the public symbol server. Precisely which DLLs have the type information varies between versions. COMBASE.DLL is among the more reliable nowadays. Disclosure in symbol files for URLMON.DLL stopped for the 1803 release of Windows 10 but is specially notable because of this DLL’s origins in Internet Explorer and thence for the strong suggestion that Microsoft’s programmers of Internet Explorer had access to more details of low-level Windows programming than Microsoft publishes for wider use (including by the programmers of competing web browsers).
Type information for the structure has also seeped out at the other end of the Windows timeline, though not in symbol files but in statically linked libraries: GDISRVL.LIB from the Device Driver Kit (DDK) for Windows NT 3.51; and SHELL32.LIB from the DDK for Windows NT 4.0.
The RTL_PROCESS_MODULE_INFORMATION is 0x011C or 0x0128 bytes in 32-bit and 64-bit Windows, respectively.
| Offset (x86) | Offset (x64) | Definition |
|---|---|---|
| 0x00 | 0x00 |
PVOID Section; |
| 0x04 | 0x08 |
PVOID MappedBase; |
| 0x08 | 0x10 |
PVOID ImageBase; |
| 0x0C | 0x18 |
ULONG ImageSize; |
| 0x10 | 0x1C |
ULONG Flags; |
| 0x14 | 0x20 |
USHORT LoadOrderIndex; |
| 0x16 | 0x22 |
USHORT InitOrderIndex; |
| 0x18 | 0x24 |
USHORT LoadCount; |
| 0x1A | 0x26 |
USHORT OffsetToFileName; |
| 0x1C | 0x28 |
CHAR FullPathName [0x0100]; |
The OffsetToFileName is the offset in bytes from the start of the FullPathName to just the filename part.