I have a module in PyKD:
>>> print module("rundll32")
Module: rundll32
Start: 7f0000 End: 7fe000 Size: e000
Image: C:\Windows\SysWOW64\rundll32.exe
Symbols: e:\debug\symbols\rundll32.pdb\EFAE0C870C2846EDB63B9A7274CD50422\rundll32.pdb
Timestamp: 4a5bc637
Check Sum: 11cf2
With that information given, how can I find out more about the module, similar to the lm vm <module> command of WinDbg?
start end module name
007f0000 007fe000 rundll32 (deferred)
Image path: C:\Windows\SysWOW64\rundll32.exe
Image name: rundll32.exe
Timestamp: Tue Jul 14 01:41:43 2009 (4A5BC637)
CheckSum: 00011CF2
ImageSize: 0000E000
File version: 6.1.7600.16385
Product version: 6.1.7600.16385
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: rundll
OriginalFilename: RUNDLL32.EXE
ProductVersion: 6.1.7600.16385
FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255)
FileDescription: Windows host process (Rundll32)
LegalCopyright: © Microsoft Corporation. All rights reserved.
Especially, I'd like to get the "OriginalFilename".
Most of that information is stored in the module's version resource information. You can access the version resource with the queryVersion() method. It takes a string parameter to specify the resource, e.g.
>>> m = module("rundll32")
>>> m.queryVersion("LegalCopyright")
'\xa9 Microsoft Corporation. All rights reserved.'
Note how the parameter needn't be a version number, so the method name queryVersion() is a bit misleading.
Parameters:
CompanyName
InternalName
ProductName
OriginalFilename
ProductVersion
FileVersion
FileDescription
LegalCopyright
Other information present in lm vm:
hex(m.begin())
hex(m.end())
m.name()
m.getFixedFileInfo().FileFlags
hex(m.checksum())
hex(m.timestamp())
hex(m.getFixedFileInfo().FileOS)
hex(m.getFixedFileInfo().FileType)
"%08X.%08X" % (m.getFixedFileInfo().FileDateLS, m.getFixedFileInfo().FileDateMS)
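The answer lists the raw calls; what lm vm actually prints are the decoded forms (FileOS 40004 as "NT Win32", FileType 1 as "App", the timestamp as a date, the flag bits as names). The following is an added example, not code from the original answer or from the PyKD project, that assembles those calls into one lm vm style report and decodes the VS_FIXEDFILEINFO fields using the constants from winver.h. It assumes only the PyKD module methods shown above (begin, end, name, checksum, timestamp, queryVersion, getFixedFileInfo) plus, as labelled assumptions, the FileFlagsMask and FileSubtype attributes of the fixed-file-info object, both read with getattr and defaulted if absent. SampleModule is a constructed stand-in carrying the rundll32 values from the question so the report can be run outside WinDbg; inside WinDbg you would pass module("rundll32") instead.

```python
import datetime

# Decoding tables for VS_FIXEDFILEINFO, taken from winver.h.
FILE_FLAGS = {0x01: "Debug", 0x02: "Prerelease", 0x04: "Patched",
              0x08: "PrivateBuild", 0x10: "InfoInferred", 0x20: "SpecialBuild"}
FILE_OS_HI = {0x0: "Unknown", 0x1: "DOS", 0x2: "OS/2-16", 0x3: "OS/2-32", 0x4: "NT"}
FILE_OS_LO = {0x0: "", 0x1: "Win16", 0x2: "PM16", 0x3: "PM32", 0x4: "Win32"}
FILE_TYPE = {0: "Unknown", 1: "App", 2: "Dll", 3: "Drv", 4: "Font", 5: "Vxd", 7: "StaticLib"}
VERSION_STRINGS = ("CompanyName", "ProductName", "InternalName", "OriginalFilename",
                   "ProductVersion", "FileVersion", "FileDescription", "LegalCopyright")


def decode_file_flags(flags, mask=0x3F):
    """Render FileFlags the way lm vm does ('0 (Mask 3F)') plus the set bit names."""
    names = [n for bit, n in sorted(FILE_FLAGS.items()) if flags & mask & bit]
    return "%X (Mask %X)%s" % (flags, mask, " " + ",".join(names) if names else "")


def decode_file_os(file_os):
    """High word is the OS family (VOS_NT = 0x40000), low word the subsystem (VOS__WINDOWS32 = 4)."""
    hi = FILE_OS_HI.get(file_os >> 16, "Unknown")
    lo = FILE_OS_LO.get(file_os & 0xFFFF, "")
    return "%X %s" % (file_os, (hi + " " + lo).strip())


def decode_file_type(file_type, subtype=0):
    """lm vm prints 'FileType.FileSubtype Name', e.g. '1.0 App'."""
    return "%X.%X %s" % (file_type, subtype, FILE_TYPE.get(file_type, "Unknown"))


def format_timestamp(ts):
    """The PE TimeDateStamp is seconds since the Unix epoch. lm vm prints local
    time; this renders UTC so the result does not depend on the debugger's zone."""
    t = datetime.datetime.fromtimestamp(ts, datetime.timezone.utc)
    return "%s UTC (%08X)" % (t.strftime("%a %b %d %H:%M:%S %Y"), ts)


def lm_vm_report(m):
    """Build lm vm style lines from any object exposing the PyKD module interface."""
    ffi = m.getFixedFileInfo()
    mask = getattr(ffi, "FileFlagsMask", 0x3F)   # assumption: attribute name as in VS_FIXEDFILEINFO
    subtype = getattr(ffi, "FileSubtype", 0)     # assumption: attribute name as in VS_FIXEDFILEINFO
    lines = [
        "%08x %08x %s" % (m.begin(), m.end(), m.name()),
        "Timestamp: " + format_timestamp(m.timestamp()),
        "CheckSum: %08X" % m.checksum(),
        "ImageSize: %08X" % (m.end() - m.begin()),
        "File flags: " + decode_file_flags(ffi.FileFlags, mask),
        "File OS: " + decode_file_os(ffi.FileOS),
        "File type: " + decode_file_type(ffi.FileType, subtype),
        "File date: %08X.%08X" % (ffi.FileDateMS, ffi.FileDateLS),  # high dword first
    ]
    for key in VERSION_STRINGS:
        try:
            lines.append("%s: %s" % (key, m.queryVersion(key)))
        except Exception:            # a module may lack a string table entry
            lines.append("%s: <not present>" % key)
    return lines


class SampleModule(object):
    """Constructed stand-in with the rundll32 values from the question; not a pykd object."""
    class _Ffi(object):
        FileFlags, FileFlagsMask = 0, 0x3F
        FileOS, FileType, FileSubtype = 0x40004, 1, 0
        FileDateMS, FileDateLS = 0, 0
    _strings = {
        "CompanyName": "Microsoft Corporation",
        "ProductName": "Microsoft\u00ae Windows\u00ae Operating System",
        "InternalName": "rundll",
        "OriginalFilename": "RUNDLL32.EXE",
        "ProductVersion": "6.1.7600.16385",
        "FileVersion": "6.1.7600.16385 (win7_rtm.090713-1255)",
        "FileDescription": "Windows host process (Rundll32)",
        "LegalCopyright": "\u00a9 Microsoft Corporation. All rights reserved.",
    }
    def begin(self): return 0x7f0000
    def end(self): return 0x7fe000
    def name(self): return "rundll32"
    def checksum(self): return 0x11cf2
    def timestamp(self): return 0x4a5bc637
    def getFixedFileInfo(self): return self._Ffi()
    def queryVersion(self, key): return self._strings[key]


if __name__ == "__main__":
    # In WinDbg: print("\n".join(lm_vm_report(module("rundll32"))))
    print("\n".join(lm_vm_report(SampleModule())))
```

Note that lm vm reports the timestamp in the debugger's local time (the question's output shows 01:41:43 on Jul 14, two hours ahead of the UTC value), so compare against the raw hex in parentheses rather than the date string when matching binaries.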