CURRENT WORK ITEM - PREVIEW ONLY

RTL_PROCESS_MODULE_INFORMATION_EX

An array of RTL_PROCESS_MODULE_INFORMATION_EX structures is produced in the output buffer by a successful call to ZwQuerySystemInformation or NtQuerySystemInformation when given the information class SystemModuleInformationEx (0x4D).

Documentation Status

The RTL_PROCESS_MODULE_INFORMATION_EX structure is not documented.

Microsoft does publish the practical equivalent of a C-language definition as type information in symbol files—not for the kernel, where the structure is prepared, nor even for low-level user-mode DLLs that interpret the structure, but for a handful of higher-level DLLs that might ordinarily be thought very distant from any involvement with the structure. Perhaps only by oversight, but starting as long ago as Windows 8, Microsoft’s downloadable packages of public symbols have included a smattering of private symbol files and these continue to be available through the public symbol server. Precisely which DLLs have the type information varies between versions. COMBASE.DLL is among the more reliable nowadays. Disclosure in symbol files for URLMON.DLL stopped for the 1803 release of Windows 10 but is specially notable because of this DLL’s origins in Internet Explorer and thence for the strong suggestion that Microsoft’s programmers of Internet Explorer had access to more details of low-level Windows programming than Microsoft publishes for wider use (including by the programmers of competing web browsers).

Layout

The RTL_PROCESS_MODULE_INFORMATION_EX is 0x012C or 0x0140 bytes in 32-bit and 64-bit Windows, respectively.

Offset (x86)    Offset (x64)    Definition
0x00            0x00            USHORT NextOffset;
0x04            0x08            RTL_PROCESS_MODULE_INFORMATION BaseInfo;
0x0120          0x0130          ULONG ImageChecksum;
0x0124          0x0134          ULONG TimeDateStamp;
0x0128          0x0138          PVOID DefaultBase;
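
The following C sketch is an added example, not code from this page or from Microsoft. It reads the members tabulated above out of a raw byte buffer, for either bitness and independently of the host's pointer size, as an offline analysis tool would need to. All names (MODEX_LAYOUT, MODEX_FIELDS, modex_parse, modex_make_sample) are hypothetical, the sample record is constructed rather than captured, and BaseInfo is left opaque because its members are not described here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Offsets and sizes copied from the layout table on this page. */
typedef struct { size_t size, base_info, checksum, timestamp, default_base, ptr; } MODEX_LAYOUT;
static const MODEX_LAYOUT MODEX_X86 = { 0x012C, 0x04, 0x0120, 0x0124, 0x0128, 4 };
static const MODEX_LAYOUT MODEX_X64 = { 0x0140, 0x08, 0x0130, 0x0134, 0x0138, 8 };
typedef struct {                 /* hypothetical result type */
    uint16_t next_offset;
    const uint8_t *base_info;    /* RTL_PROCESS_MODULE_INFORMATION, left opaque */
    uint32_t image_checksum, time_date_stamp;
    uint64_t default_base;       /* zero-extended for 32-bit records */
} MODEX_FIELDS;
static uint64_t rd_le(const uint8_t *p, size_t n) {   /* little-endian, n <= 8 */
    uint64_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}
static void wr_le(uint8_t *p, uint64_t v, size_t n) {
    for (size_t i = 0; i < n; i++) p[i] = (uint8_t)(v >> (8 * i));
}
/* Returns 0 on success, -1 if the buffer is too short for one whole record. */
int modex_parse(const uint8_t *buf, size_t len, int is64, MODEX_FIELDS *out) {
    const MODEX_LAYOUT *l = is64 ? &MODEX_X64 : &MODEX_X86;
    if (!buf || !out || len < l->size) return -1;
    out->next_offset = (uint16_t)rd_le(buf, 2);
    out->base_info = buf + l->base_info;
    out->image_checksum = (uint32_t)rd_le(buf + l->checksum, 4);
    out->time_date_stamp = (uint32_t)rd_le(buf + l->timestamp, 4);
    out->default_base = rd_le(buf + l->default_base, l->ptr);
    return 0;
}
/* Builds one constructed (not captured) record; returns its size, 0 if cap is too small. */
size_t modex_make_sample(uint8_t *buf, size_t cap, int is64) {
    const MODEX_LAYOUT *l = is64 ? &MODEX_X64 : &MODEX_X86;
    if (cap < l->size) return 0;
    memset(buf, 0, l->size);     /* NextOffset and BaseInfo stay zero in the sample */
    wr_le(buf + l->checksum, 0x0001A2B3u, 4);
    wr_le(buf + l->timestamp, 0x5E0EB5A0u, 4);
    wr_le(buf + l->default_base, is64 ? 0x0000000140000000ull : 0x00400000ull, l->ptr);
    return l->size;
}
int main(void) {
    uint8_t rec[0x0140]; MODEX_FIELDS f;
    if (modex_parse(rec, modex_make_sample(rec, sizeof rec, 1), 1, &f)) return 1;
    printf("checksum=%08x stamp=%08x base=%llx\n", (unsigned)f.image_checksum,
           (unsigned)f.time_date_stamp, (unsigned long long)f.default_base);
    return 0;
}
```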