How do I view the DLLs of a 32-bit process running on a 64-bit system using PowerShell?

Time: 2018-01-26 23:39:17

Tags: .net powershell

When you inspect a process with PowerShell's Get-Process, you can see all the DLLs it has loaded into memory. When I do this for a 32-bit process running on a 64-bit system, I only see the 64-bit DLLs needed to run the 32-bit process, not the DLLs the process is actually using.

For example:

On my Windows 10 machine, this is the PowerShell output (name, PID and module list) I see for Java's 32-bit update scheduler:

"jusched.exe","10288","ntdll.dll,wow64.dll,wow64win.dll,wow64cpu.dll"

But when I run SysInternals Listdlls.exe, I see a much longer list:

jusched.exe pid: 10288
Command line: "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

Base                Size      Path
0x0000000000ff0000  0x92000   C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
0x0000000098e10000  0x1e0000  C:\WINDOWS\SYSTEM32\ntdll.dll
0x0000000051b20000  0x51000   C:\WINDOWS\System32\wow64.dll
0x0000000051b90000  0x76000   C:\WINDOWS\System32\wow64win.dll
0x0000000051b80000  0xa000    C:\WINDOWS\System32\wow64cpu.dll
0x0000000000ff0000  0x92000   C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
0x00000000776c0000  0x18d000  C:\WINDOWS\SysWOW64\ntdll.dll
0x0000000075830000  0xd0000   C:\WINDOWS\SysWOW64\KERNEL32.DLL
0x0000000076d10000  0x1d7000  C:\WINDOWS\SysWOW64\KERNELBASE.dll
0x0000000074170000  0xf7000   C:\WINDOWS\SysWOW64\ole32.dll
0x0000000076980000  0x246000  C:\WINDOWS\SysWOW64\combase.dll
0x00000000770a0000  0x117000  C:\WINDOWS\SysWOW64\ucrtbase.dll
0x0000000076fe0000  0xbe000   C:\WINDOWS\SysWOW64\RPCRT4.dll
0x00000000740e0000  0x20000   C:\WINDOWS\SysWOW64\SspiCli.dll
0x00000000740d0000  0xa000    C:\WINDOWS\SysWOW64\CRYPTBASE.dll
0x00000000757d0000  0x57000   C:\WINDOWS\SysWOW64\bcryptPrimitives.dll
0x0000000075e80000  0x43000   C:\WINDOWS\SysWOW64\sechost.dll
0x0000000074110000  0x22000   C:\WINDOWS\SysWOW64\GDI32.dll
0x0000000075d00000  0x15e000  C:\WINDOWS\SysWOW64\gdi32full.dll
0x0000000076f40000  0x7c000   C:\WINDOWS\SysWOW64\msvcp_win.dll
0x0000000076030000  0x175000  C:\WINDOWS\SysWOW64\USER32.dll
0x0000000075e60000  0x16000   C:\WINDOWS\SysWOW64\win32u.dll
0x0000000074420000  0x1333000  C:\WINDOWS\SysWOW64\SHELL32.dll
0x00000000742d0000  0xbd000   C:\WINDOWS\SysWOW64\msvcrt.dll
0x0000000077680000  0x38000   C:\WINDOWS\SysWOW64\cfgmgr32.dll
0x0000000076bd0000  0x88000   C:\WINDOWS\SysWOW64\shcore.dll
0x00000000763b0000  0x5c6000  C:\WINDOWS\SysWOW64\windows.storage.dll
0x00000000771c0000  0x78000   C:\WINDOWS\SysWOW64\advapi32.dll
0x0000000075ca0000  0x45000   C:\WINDOWS\SysWOW64\shlwapi.dll
0x0000000075cf0000  0xe000    C:\WINDOWS\SysWOW64\kernel.appcore.dll
0x0000000074280000  0x45000   C:\WINDOWS\SysWOW64\powrprof.dll
0x0000000076fc0000  0x14000   C:\WINDOWS\SysWOW64\profapi.dll
0x0000000075900000  0x93000   C:\WINDOWS\SysWOW64\OLEAUT32.dll
0x00000000759a0000  0x182000  C:\WINDOWS\SysWOW64\CRYPT32.dll
0x0000000075ed0000  0xe000    C:\WINDOWS\SysWOW64\MSASN1.dll
0x00000000734e0000  0x2c4000  C:\WINDOWS\SysWOW64\WININET.dll
0x00000000740c0000  0x8000    C:\WINDOWS\SysWOW64\VERSION.dll
0x0000000073a00000  0x3e3000  C:\WINDOWS\SysWOW64\msi.dll
0x0000000073440000  0x19000   C:\WINDOWS\SysWOW64\bcrypt.dll
0x0000000074140000  0x25000   C:\WINDOWS\SysWOW64\IMM32.DLL
0x0000000073460000  0x79000   C:\WINDOWS\SysWOW64\uxtheme.dll
0x0000000070660000  0x8000    C:\WINDOWS\SysWOW64\DPAPI.dll
0x0000000070420000  0x16000   C:\WINDOWS\SysWOW64\CLDAPI.dll
0x0000000070410000  0x8000    C:\WINDOWS\SysWOW64\FLTLIB.DLL
0x00000000703d0000  0x3b000   C:\WINDOWS\SysWOW64\AEPIC.dll
0x00000000733e0000  0x28000   C:\WINDOWS\SysWOW64\ntmarta.dll
0x00000000708a0000  0x13000   C:\WINDOWS\SysWOW64\cryptsp.dll
0x0000000070250000  0x17a000  C:\WINDOWS\SysWOW64\PROPSYS.dll
0x0000000076c80000  0x82000   C:\WINDOWS\SysWOW64\clbcatq.dll
0x0000000073050000  0x3d000   C:\WINDOWS\SysWOW64\edputil.dll
0x000000006af90000  0x84000   C:\Windows\SysWOW64\Windows.StateRepositoryPS.dll
0x0000000072c60000  0x18c000  C:\WINDOWS\SysWOW64\urlmon.dll
0x0000000076c60000  0x19000   C:\WINDOWS\SysWOW64\imagehlp.dll
0x0000000072980000  0x219000  C:\WINDOWS\SysWOW64\iertutil.dll
0x000000006ff50000  0x5e000   C:\WINDOWS\SysWOW64\msiso.dll
0x0000000073180000  0x9a000   C:\WINDOWS\SysWOW64\apphelp.dll

I would really like to get at the list of 32-bit DLLs hidden behind the 64-bit ones using PowerShell. Is there a way to do this?

Thanks

1 answer:

Answer 0 (score: 0)

You can run a 32-bit PowerShell session for these processes. The following assumes Enable-PSRemoting has been run on the host and that the parent is an elevated 64-bit session:

# Open a local session that uses the built-in 32-bit session configuration
$ps32 = New-PSSession -ConfigurationName microsoft.powershell32

# Same script block is run in both bitnesses so the two results can be compared
$getModules = { Get-Process -Name jusched | Select-Object -ExpandProperty Modules }

& $getModules                                              # 64-bit view: only ntdll and the wow64*.dll layer
Write-Output "----"
Invoke-Command -Session $ps32 -ScriptBlock $getModules     # 32-bit view: the real SysWOW64 dependencies
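Building on that answer, the following is an added example (not the answerer's code) that runs the same module query in both bitnesses, reports which modules are only visible from the 32-bit session, and lists any of those loaded from outside the Windows directory, which is the subset a defender would want to verify. It assumes the same preconditions as the answer (PS Remoting enabled locally, elevated 64-bit parent session); `$ProcessName` is a placeholder, set to jusched only because the question uses it.

```powershell
# Assumption: run from an elevated 64-bit PowerShell with PS Remoting enabled on the local host.
$ProcessName = 'jusched'   # placeholder taken from the question; use any WOW64 process name

# Script block parameterised on the process name so it can be sent to the remote session
$getModules = {
    param($Name)
    Get-Process -Name $Name -ErrorAction Stop |
        Select-Object -ExpandProperty Modules |
        Select-Object ModuleName, FileName, @{ n = 'Size'; e = { $_.ModuleMemorySize } }
}

# 64-bit view: a 64-bit caller only sees the WOW64 thunk layer (ntdll.dll, wow64*.dll)
$view64 = & $getModules $ProcessName

# 32-bit view: the same query inside the built-in 32-bit session configuration
$ps32 = New-PSSession -ConfigurationName microsoft.powershell32
try {
    $view32 = Invoke-Command -Session $ps32 -ScriptBlock $getModules -ArgumentList $ProcessName
}
finally {
    Remove-PSSession -Session $ps32
}

# Modules present only in the 32-bit view ("=>") are the ones hidden behind WOW64
$hidden = Compare-Object -ReferenceObject $view64 -DifferenceObject $view32 -Property FileName -PassThru |
    Where-Object { $_.SideIndicator -eq '=>' }

'{0}: {1} modules in the 64-bit view, {2} in the 32-bit view, {3} only visible from 32-bit' -f
    $ProcessName, @($view64).Count, @($view32).Count, @($hidden).Count

# Review check: hidden modules loaded from outside %SystemRoot% are third-party or unexpected
# code and are worth hashing and verifying (full path shown so that can be done)
$hidden |
    Where-Object { $_.FileName -notlike "$env:SystemRoot\*" } |
    Select-Object ModuleName, FileName |
    Format-Table -AutoSize
```

Objects returned by Invoke-Command are deserialized copies, so only the selected properties (ModuleName, FileName, Size) survive the round trip; that is why the script block projects them before returning.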