From 9dd6ca1d6078a7db54420a489633cab9565fa58c Mon Sep 17 00:00:00 2001
From: Tamas K Lengyel
Date: Tue, 19 Apr 2016 09:21:39 -0600
Subject: [PATCH] Don't return true in drakvuf_get_module_list if modulelist is 0

---
 src/libdrakvuf/win-processes.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/src/libdrakvuf/win-processes.c b/src/libdrakvuf/win-processes.c
index 707db6b2b..bacffe876 100644
--- a/src/libdrakvuf/win-processes.c
+++ b/src/libdrakvuf/win-processes.c
@@ -278,22 +278,28 @@ bool drakvuf_is_eprocess( drakvuf_t drakvuf, addr_t dtb, addr_t eprocess_addr )
 bool drakvuf_get_module_list(drakvuf_t drakvuf, addr_t eprocess_base, addr_t *module_list) {
 vmi_instance_t vmi = drakvuf->vmi;
- vmi_pid_t pid;
- addr_t peb, ldr, modlist;
+ addr_t peb=0, ldr=0, modlist=0;
+
+ access_context_t ctx = {.translate_mechanism = VMI_TM_PROCESS_DTB};
 
 if(!eprocess_base)
 return false;
 
- if(VMI_FAILURE == vmi_read_32_va(vmi, eprocess_base + offsets[EPROCESS_PID], 0, (uint32_t*)&pid))
+ if(VMI_FAILURE == vmi_read_addr_va(vmi, eprocess_base + offsets[EPROCESS_PDBASE], 0, &ctx.dtb))
 return false;
 
 if(VMI_FAILURE == vmi_read_addr_va(vmi, eprocess_base + offsets[EPROCESS_PEB], 0, &peb))
 return false;
 
- if(VMI_FAILURE == vmi_read_addr_va(vmi, peb + offsets[PEB_LDR], pid, &ldr))
+ ctx.addr = peb + offsets[PEB_LDR];
+ if(VMI_FAILURE == vmi_read_addr(vmi, &ctx, &ldr))
+ return false;
+
+ ctx.addr = ldr + offsets[PEB_LDR_DATA_INLOADORDERMODULELIST];
+ if(VMI_FAILURE == vmi_read_addr(vmi, &ctx, &modlist))
 return false;
 
- if(VMI_FAILURE == vmi_read_addr_va(vmi, ldr + offsets[PEB_LDR_DATA_INLOADORDERMODULELIST], pid, &modlist))
+ if(!modlist)
 return false;
 
 *module_list = modlist;