"""list_image_modules.py Enumerate all MEM_IMAGE allocation bases. For each, read the PE export table to grab the module name. List with sizes.""" import ctypes, ctypes.wintypes as wt, sys, struct PROCESS_VM_READ = 0x10 PROCESS_QUERY_INFORMATION = 0x400 k = ctypes.windll.kernel32 k.OpenProcess.argtypes = [wt.DWORD, wt.BOOL, wt.DWORD]; k.OpenProcess.restype = wt.HANDLE k.ReadProcessMemory.argtypes = [wt.HANDLE, wt.LPCVOID, wt.LPVOID, ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)] k.ReadProcessMemory.restype = wt.BOOL k.VirtualQueryEx.argtypes = [wt.HANDLE, wt.LPCVOID, ctypes.c_void_p, ctypes.c_size_t] k.VirtualQueryEx.restype = ctypes.c_size_t class MBI(ctypes.Structure): _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p), ("AllocationProtect", wt.DWORD), ("RegionSize", ctypes.c_size_t), ("State", wt.DWORD), ("Protect", wt.DWORD), ("Type", wt.DWORD)] def rd(h, va, n): buf = (ctypes.c_ubyte * n)(); sz = ctypes.c_size_t(0) if not k.ReadProcessMemory(h, va, buf, n, ctypes.byref(sz)): return None return bytes(buf[:sz.value]) def get_module_name(h, base): """Read PE export name from the module.""" hdr = rd(h, base + 0x3C, 4) if not hdr or len(hdr) != 4: return None pe_off = struct.unpack(' 0x1000: return None # Read optional header, find export directory opt_off = base + pe_off + 4 + 20 # Export RVA at opt_off + 96 (for PE32) expdir_b = rd(h, opt_off + 96, 8) if not expdir_b: return None exp_rva, exp_size = struct.unpack('= 0x80000000: break k.CloseHandle(h) print(f"{len(seen)} image bases found:") print(f" {'base':>10} {'size':>9} name") for ab in sorted(seen): name, sz = seen[ab] print(f" 0x{ab:08x} {sz:>9} {name}")