If this function is called from a 32-bit application running on WOW64,it can only enumerate the modules of a 32-bit process. If the process is a 64-bit process,this function fails and the last error code is ERROR_PARTIAL_COPY (299).
所以对于EnumProcessModulesEx和CreateToolhelp32Snapshot.
你有什么想法如何实现吗?
谢谢.
具有LIST_MODULES_32BIT和LIST_MODULES_64BIT过滤器标志的EnumProcessModulesEx有这样的说法:
This function is intended primarily for 64-bit applications. If the function is called by a 32-bit application running under WOW64,the dwFilterFlag option is ignored and the function provides the same results as the EnumProcessModules function.
您可以通过将程序转换为64位,使用不合格的64位COM服务器(特别是使用DLL surrogate)或与您进行通信的单独进程来实现.或者,根据您的进程相对于目标进程何时启动,您可以使用WMI获取模块加载事件.参见Win32_ModuleLoadTrace事件.
Process Explorer,一个32位的exe,可以显示32位和64位进程的模块,但它真的是冒烟和镜像:32位exe包含64位版本的本身,写入磁盘和在64位机器上执行.
