Can I get correct DLL module list for tasklist /m when checking 32 bit program on a 64bit machine?

The tasklist command on Windows has a very useful feature: it can list all DLL modules of one process or of all processes. The following command lists all DLL files used by explorer.exe:

tasklist /fi "ImageName eq explorer.exe" /m

It looks like this (abbreviated, translated to English):

Process name              PID      Modules
========================= ======== ============================================
explorer.exe                  1104 ntdll.dll, kernel32.dll, KERNELBASE.dll,
                                   ADVAPI32.dll, msvcrt.dll, sechost.dll,
                                   RPCRT4.dll, GDI32.dll, USER32.dll, LPK.dll,
                                   USP10.dll, SHLWAPI.dll, SHELL32.dll,
                                   ole32.dll, OLEAUT32.dll, EXPLORERFRAME.dll,
                                   DUser.dll, DUI70.dll, IMM32.dll, MSCTF.dll,

The problem is that this does not work so well for 64-bit processes:

C:\>tasklist /fi "ImageName eq firefox.exe" /m

Process name              PID      Modules
========================= ======== ============================================
firefox.exe                   4980 ntdll.dll, wow64.dll, wow64win.dll,
                                   wow64cpu.dll

What you see is incomplete; it looks more like this:

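My question is: can I start tasklist as a 32-bit program, or otherwise make sure it returns the correct values? I need to call tasklist from another program (Java) and get the list of loaded DLL files. I need this to make sure I do not try to load a DLL twice.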

You can use ListDLLs from Windows Sysinternals.

Example output:

F:\>c:\apps\NirSoft\SysinternalsSuite\listdlls firefox

ListDLLs v3.1 - List loaded DLLs
Copyright (C) 1997-2011 Mark Russinovich
Sysinternals - www.sysinternals.com

--------------------------------------------------------------------
firefox.exe pid: 2000
Command line: C:\apps\Firefox\firefox.exe

Base                Size      Path
0x00000000012c0000  0x5f000   C:\apps\Firefox\firefox.exe
0x0000000076d80000  0x1a9000  C:\Windows\SYSTEM32\ntdll.dll
0x00000000748a0000  0x3f000   C:\Windows\SYSTEM32\wow64.dll
0x0000000074840000  0x5c000   C:\Windows\SYSTEM32\wow64win.dll
0x0000000074830000  0x8000    C:\Windows\SYSTEM32\wow64cpu.dll
0x00000000012c0000  0x5f000   C:\apps\Firefox\firefox.exe
0x0000000076f60000  0x180000  C:\Windows\SysWOW64\ntdll.dll
0x000000006d100000  0x47000   C:\apps\Avast\snxhk.dll
0x0000000074960000  0x110000  C:\Windows\syswow64\KERNEL32.dll
0x00000000766d0000  0x47000   C:\Windows\syswow64\KERNELBASE.dll
0x00000000741d0000  0x62000   C:\Windows\SysWOW64\guard32.dll
0x0000000076880000  0x100000  C:\Windows\syswow64\USER32.dll
0x00000000753d0000  0x90000   C:\Windows\syswow64\GDI32.dll
0x0000000075110000  0xa000    C:\Windows\syswow64\LPK.dll
0x0000000074b00000  0x9d000   C:\Windows\syswow64\USP10.dll
0x00000000757c0000  0xac000   C:\Windows\syswow64\msvcrt.dll
0x0000000075720000  0xa0000   C:\Windows\syswow64\ADVAPI32.dll
0x00000000753b0000  0x19000   C:\Windows\SysWOW64\sechost.dll
0x0000000075490000  0xf0000   C:\Windows\syswow64\RPCRT4.dll
0x0000000074900000  0x60000   C:\Windows\syswow64\SspiCli.dll
0x00000000748f0000  0xc000    C:\Windows\syswow64\CRYPTBASE.dll
0x00000000746a0000  0x9000    C:\Windows\SysWOW64\VERSION.dll
0x0000000074c50000  0x5000    C:\Windows\syswow64\PSAPI.DLL
0x0000000074bb0000  0x60000   C:\Windows\SysWOW64\IMM32.DLL
0x0000000074d50000  0xcc000   C:\Windows\syswow64\MSCTF.dll
0x0000000074600000  0x7000    C:\Windows\SysWOW64\fltlib.dll
0x000000006d0c0000  0x1b000   C:\apps\Firefox\mozglue.dll
0x000000006d040000  0x71000   C:\apps\Firefox\MSVCP120.dll
0x0000000067c20000  0xee000   C:\apps\Firefox\MSVCR120.dll
0x0000000060700000  0x1a0000  C:\apps\Firefox\nss3.dll
...

Source: ListDLLs v3.1

ListDLLs is a utility that reports the DLLs loaded into processes. You can use it to list all DLLs loaded into all processes, into a specific process, or to list the processes that have a particular DLL loaded. ListDLLs can also display full version information for DLLs, including their digital signature, and can be used to scan processes for unsigned DLLs.


Disclaimer: I am not affiliated with Windows Sysinternals in any way; I am just an end user of the software.
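
For the goal stated in the question (checking from another program whether a DLL is already loaded), the ListDLLs listing above can be parsed. The following Python sketch is an added example, not part of the original answer or of Sysinternals; the function names and the shortened sample are constructed here, and the parser assumes the v3.1 layout shown above. In a WOW64 process the main image is listed twice and ntdll.dll appears under both System32 and SysWOW64, so rows are de-duplicated and names are compared case-insensitively.

```python
import re

# Constructed sample: a shortened copy of the ListDLLs listing shown above.
SAMPLE = r"""
firefox.exe pid: 2000
Command line: C:\apps\Firefox\firefox.exe

Base                Size      Path
0x00000000012c0000  0x5f000   C:\apps\Firefox\firefox.exe
0x0000000076d80000  0x1a9000  C:\Windows\SYSTEM32\ntdll.dll
0x00000000748a0000  0x3f000   C:\Windows\SYSTEM32\wow64.dll
0x00000000012c0000  0x5f000   C:\apps\Firefox\firefox.exe
0x0000000076f60000  0x180000  C:\Windows\SysWOW64\ntdll.dll
0x0000000074960000  0x110000  C:\Windows\syswow64\KERNEL32.dll
0x0000000060700000  0x1a0000  C:\apps\Firefox\nss3.dll
"""

HEADER = re.compile(r"^(?P<image>\S.*?) pid: (?P<pid>\d+)\s*$")
MODULE = re.compile(
    r"^(?P<base>0x[0-9a-fA-F]+)\s+(?P<size>0x[0-9a-fA-F]+)\s+(?P<path>\S.*?)\s*$")

def parse_listdlls(text):
    """Return {pid: [(base, size, path), ...]} with duplicate rows removed."""
    procs, pid = {}, None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:                                  # "<image> pid: <n>" starts a new process
            pid = int(h["pid"])
            procs[pid] = []
            continue
        m = MODULE.match(line)
        if m and pid is not None:
            row = (int(m["base"], 16), int(m["size"], 16), m["path"])
            if row not in procs[pid]:          # main image repeats in the 32-bit view
                procs[pid].append(row)
    return procs

def paths_for(modules, dll_name):
    """All loaded paths whose file name equals dll_name, ignoring case."""
    wanted = dll_name.lower()
    return [p for _, _, p in modules if p.rsplit("\\", 1)[-1].lower() == wanted]

if __name__ == "__main__":
    mods = parse_listdlls(SAMPLE)[2000]
    # example.dll is a hypothetical name used to show the "not loaded" case.
    for name in ("ntdll.dll", "kernel32.dll", "nss3.dll", "example.dll"):
        print(name, paths_for(mods, name) or "not loaded")
```

An empty result from `paths_for` means the module is not in the listing, while two paths for one name (as with ntdll.dll here) are the 64-bit and 32-bit copies inside the same WOW64 process.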

The EnumProcessModulesEx() function can be used to enumerate the 32-bit and/or 64-bit modules in a target process.

You can use PowerShell:

Get-Process winword| select -ExpandProperty modules|ft -Autosize

Get-process Winword (32bits) on 64bits OS

Excerpted from: https://www.sysadmit.com/2019/07/windows-saber-dll-utiliza-programa.html