Merge pull request #120 from tklengyel/modlist

Don't return true in drakvuf_get_module_list if modulelist is 0

src/libdrakvuf/win-processes.c

@@ -278,22 +278,28 @@ bool drakvuf_is_eprocess( drakvuf_t drakvuf, addr_t dtb, addr_t eprocess_addr )
 bool drakvuf_get_module_list(drakvuf_t drakvuf, addr_t eprocess_base, addr_t *module_list) {
 
     vmi_instance_t vmi = drakvuf->vmi;
-    vmi_pid_t pid;
-    addr_t peb, ldr, modlist;
+    addr_t peb=0, ldr=0, modlist=0;
+
+    access_context_t ctx = {.translate_mechanism = VMI_TM_PROCESS_DTB};
 
     if(!eprocess_base)
         return false;
 
-    if(VMI_FAILURE == vmi_read_32_va(vmi, eprocess_base + offsets[EPROCESS_PID], 0, (uint32_t*)&pid))
+    if(VMI_FAILURE == vmi_read_addr_va(vmi, eprocess_base + offsets[EPROCESS_PDBASE], 0, &ctx.dtb))
         return false;
 
     if(VMI_FAILURE == vmi_read_addr_va(vmi, eprocess_base + offsets[EPROCESS_PEB], 0, &peb))
         return false;
 
-    if(VMI_FAILURE == vmi_read_addr_va(vmi, peb + offsets[PEB_LDR], pid, &ldr))
+    ctx.addr = peb + offsets[PEB_LDR];
+    if(VMI_FAILURE == vmi_read_addr(vmi, &ctx, &ldr))
+        return false;
+
+    ctx.addr = ldr + offsets[PEB_LDR_DATA_INLOADORDERMODULELIST];
+    if(VMI_FAILURE == vmi_read_addr(vmi, &ctx, &modlist))
         return false;
 
-    if(VMI_FAILURE == vmi_read_addr_va(vmi, ldr + offsets[PEB_LDR_DATA_INLOADORDERMODULELIST], pid, &modlist))
+    if(!modlist)
         return false;
 
     *module_list = modlist;