From aldeid
Jump to navigation Jump to search


Used to enumerate the loaded modules (executables and DLLs) for a given process. Malware enumerates through modules when doing injection.

To control whether a 64-bit application enumerates 32-bit modules, 64-bit modules, or both types of modules, use the EnumProcessModulesEx function.


BOOL WINAPI EnumProcessModules(
  _In_   HANDLE hProcess,
  _Out_  HMODULE *lphModule,
  _In_   DWORD cb,
  _Out_  LPDWORD lpcbNeeded


hProcess [in]
A handle to the process.
lphModule [out]
An array that receives the list of module handles.
cb [in]
The size of the lphModule array, in bytes.
lpcbNeeded [out]
The number of bytes required to store all module handles in the lphModule array.

Return value

If the function succeeds, the return value is nonzero.

If the function fails, the return value is zero. To get extended error information, call GetLastError.


  • Kernel32.dll on Windows 7 and Windows Server 2008 R2;
  • Psapi.dll (if PSAPI_VERSION=1) on Windows 7 and Windows Server 2008 R2;
  • Psapi.dll on Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP