I was dumping a PE file out of a process and was wondering how it had found the PE file in memory.
At first I thought that it was looking for the DOS string, but the software states that it can find PE files which are not loaded according to the documentation, so that is out of the question.
There are many ways to find loaded modules in memory if they are loaded in the normal way using the Windows OS Loader or LoadLibrary because the Process Environment Block or PEB contains a pointer to the PEB_LDR_DATA structure named 'Ldr' which contains a linked list of all loaded modules. This is the same list of loaded modules which the Windows OS uses when using the API ToolHelp32Snapshot.
If the module is removed from this Ldr.InMemoryOrderList or perhaps loaded using a manual mapping routine, this won't be possible, in which case you could detect the module by scanning for the predictable PE header in memory.
If the PE Header is deleted and the module is not in the linked list, which is possible, then this becomes more difficult. You would need to use some sort of heuristics to detect the somewhat predictable nature of a PE file such as a DLL.
For instance, you have the PE file for the process, so you know what imports & relocations are done. You know what modules are loaded and where, so if you find memory pages outside of these locations which have page protections set to executable, then you can be pretty confident that these belong to hidden or at least unknown modules.
Here are 2 excellent repos which may shed some light on the topic: Hollows Hunter & PE-Sieve
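As an added example (not code from the question, the answer, or the PE-Sieve/Hollows Hunter projects), the two checks the answer describes, scanning a page for the MZ/PE header and flagging executable pages that fall outside the modules in the Ldr list, run here over constructed region records that stand in for what VirtualQueryEx and the PEB loader list would return on Windows:

```python
import struct
from dataclasses import dataclass

# Constants from winnt.h
PAGE_EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80  # any PAGE_EXECUTE* protection
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000                          # region backed by a mapped image


@dataclass
class Region:              # mirrors the MEMORY_BASIC_INFORMATION fields we need
    base: int
    size: int
    protect: int
    state: int
    type: int


def has_pe_header(page: bytes) -> bool:
    """Check for the predictable header: 'MZ', e_lfanew at 0x3C, 'PE\\0\\0' there."""
    if len(page) < 0x40 or page[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", page, 0x3C)[0]
    return e_lfanew + 4 <= len(page) and page[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_suspicious_regions(regions, ldr_modules):
    """Committed executable regions that no Ldr-list module accounts for.
    A MEM_IMAGE region there is an unlinked module; private executable memory
    there is a manual-map or injected-code candidate (the answer's heuristic)."""
    hits = []
    for r in regions:
        if r.state != MEM_COMMIT or not (r.protect & PAGE_EXECUTE_MASK):
            continue
        if any(b <= r.base < b + s for b, s in ldr_modules):
            continue
        hits.append((r.base, "unlinked image" if r.type == MEM_IMAGE else "private executable"))
    return hits


def demo():
    # Constructed sample: two modules from the Ldr list and six memory regions.
    ldr = [(0x7FF600000000, 0x10000), (0x7FFA10000000, 0x200000)]
    regions = [
        Region(0x7FF600000000, 0x1000, 0x02, MEM_COMMIT, MEM_IMAGE),   # headers, read-only
        Region(0x7FF600001000, 0x5000, 0x20, MEM_COMMIT, MEM_IMAGE),   # .text of known module
        Region(0x7FFA10001000, 0x100000, 0x20, MEM_COMMIT, MEM_IMAGE), # known DLL code
        Region(0x1C000000, 0x30000, 0x20, MEM_COMMIT, MEM_IMAGE),      # image not in Ldr list
        Region(0x2A000000, 0x10000, 0x40, MEM_COMMIT, MEM_PRIVATE),    # RWX private memory
        Region(0x3B000000, 0x10000, 0x40, MEM_RESERVE, MEM_PRIVATE),   # reserved, not committed
    ]
    # Constructed page bytes: a minimal MZ/PE header and a wiped (zeroed) header.
    hdr = bytearray(0x84); hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80); hdr[0x80:0x84] = b"PE\0\0"
    return find_suspicious_regions(regions, ldr), has_pe_header(bytes(hdr)), has_pe_header(bytes(0x84))
```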