如何使用PowerShell在64位系统上运行的32位进程中查看dll?
[英]How can I see dlls in a 32-bit process running on a 64-bit system with PowerShell?
问题描述
When you look at a process with PowerShell's Get-Process, you can see all of the dlls loaded into memory. 
当您使用PowerShell的Get-Process查看进程时,可以看到所有dll都已加载到内存中。 When I do this for a 32-bit process running on a 64-bit system, I can only see the 64-bit dlls necessary to run a 32-bit process, and not the actual dlls this process is using. 当我对在64位系统上运行的32位进程执行此操作时,只能看到运行32位进程所需的64位dll,而看不到该进程使用的实际dll。
For example: 例如:
On my Windows 10 machine, I see the following output with command line and PowerShell for Java's 32-bit update scheduler: 在Windows 10计算机上,我看到以下带有命令行的输出以及Java 32位更新调度程序的PowerShell:
"jusched.exe","10288","ntdll.dll,wow64.dll,wow64win.dll,wow64cpu.dll"
But, when I run SysInternals Listdlls.exe, I see a much longer list: 但是,当我运行SysInternals Listdlls.exe时,会看到更长的列表:
jusched.exe pid: 10288
Command line: "C:\Program Files (x86)\Common Files\Java\Java
Update\jusched.exe"
Base Size Path
0x0000000000ff0000 0x92000 C:\Program Files (x86)\Common Files\Java\Java
Update\jusched.exe
0x0000000098e10000 0x1e0000 C:\WINDOWS\SYSTEM32\ntdll.dll
0x0000000051b20000 0x51000 C:\WINDOWS\System32\wow64.dll
0x0000000051b90000 0x76000 C:\WINDOWS\System32\wow64win.dll
0x0000000051b80000 0xa000 C:\WINDOWS\System32\wow64cpu.dll
0x0000000000ff0000 0x92000 C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
0x00000000776c0000 0x18d000 C:\WINDOWS\SysWOW64\ntdll.dll
0x0000000075830000 0xd0000 C:\WINDOWS\SysWOW64\KERNEL32.DLL
0x0000000076d10000 0x1d7000 C:\WINDOWS\SysWOW64\KERNELBASE.dll
0x0000000074170000 0xf7000 C:\WINDOWS\SysWOW64\ole32.dll
0x0000000076980000 0x246000 C:\WINDOWS\SysWOW64\combase.dll
0x00000000770a0000 0x117000 C:\WINDOWS\SysWOW64\ucrtbase.dll
0x0000000076fe0000 0xbe000 C:\WINDOWS\SysWOW64\RPCRT4.dll
0x00000000740e0000 0x20000 C:\WINDOWS\SysWOW64\SspiCli.dll
0x00000000740d0000 0xa000 C:\WINDOWS\SysWOW64\CRYPTBASE.dll
0x00000000757d0000 0x57000 C:\WINDOWS\SysWOW64\bcryptPrimitives.dll
0x0000000075e80000 0x43000 C:\WINDOWS\SysWOW64\sechost.dll
0x0000000074110000 0x22000 C:\WINDOWS\SysWOW64\GDI32.dll
0x0000000075d00000 0x15e000 C:\WINDOWS\SysWOW64\gdi32full.dll
0x0000000076f40000 0x7c000 C:\WINDOWS\SysWOW64\msvcp_win.dll
0x0000000076030000 0x175000 C:\WINDOWS\SysWOW64\USER32.dll
0x0000000075e60000 0x16000 C:\WINDOWS\SysWOW64\win32u.dll
0x0000000074420000 0x1333000 C:\WINDOWS\SysWOW64\SHELL32.dll
0x00000000742d0000 0xbd000 C:\WINDOWS\SysWOW64\msvcrt.dll
0x0000000077680000 0x38000 C:\WINDOWS\SysWOW64\cfgmgr32.dll
0x0000000076bd0000 0x88000 C:\WINDOWS\SysWOW64\shcore.dll
0x00000000763b0000 0x5c6000 C:\WINDOWS\SysWOW64\windows.storage.dll
0x00000000771c0000 0x78000 C:\WINDOWS\SysWOW64\advapi32.dll
0x0000000075ca0000 0x45000 C:\WINDOWS\SysWOW64\shlwapi.dll
0x0000000075cf0000 0xe000 C:\WINDOWS\SysWOW64\kernel.appcore.dll
0x0000000074280000 0x45000 C:\WINDOWS\SysWOW64\powrprof.dll
0x0000000076fc0000 0x14000 C:\WINDOWS\SysWOW64\profapi.dll
0x0000000075900000 0x93000 C:\WINDOWS\SysWOW64\OLEAUT32.dll
0x00000000759a0000 0x182000 C:\WINDOWS\SysWOW64\CRYPT32.dll
0x0000000075ed0000 0xe000 C:\WINDOWS\SysWOW64\MSASN1.dll
0x00000000734e0000 0x2c4000 C:\WINDOWS\SysWOW64\WININET.dll
0x00000000740c0000 0x8000 C:\WINDOWS\SysWOW64\VERSION.dll
0x0000000073a00000 0x3e3000 C:\WINDOWS\SysWOW64\msi.dll
0x0000000073440000 0x19000 C:\WINDOWS\SysWOW64\bcrypt.dll
0x0000000074140000 0x25000 C:\WINDOWS\SysWOW64\IMM32.DLL
0x0000000073460000 0x79000 C:\WINDOWS\SysWOW64\uxtheme.dll
0x0000000070660000 0x8000 C:\WINDOWS\SysWOW64\DPAPI.dll
0x0000000070420000 0x16000 C:\WINDOWS\SysWOW64\CLDAPI.dll
0x0000000070410000 0x8000 C:\WINDOWS\SysWOW64\FLTLIB.DLL
0x00000000703d0000 0x3b000 C:\WINDOWS\SysWOW64\AEPIC.dll
0x00000000733e0000 0x28000 C:\WINDOWS\SysWOW64\ntmarta.dll
0x00000000708a0000 0x13000 C:\WINDOWS\SysWOW64\cryptsp.dll
0x0000000070250000 0x17a000 C:\WINDOWS\SysWOW64\PROPSYS.dll
0x0000000076c80000 0x82000 C:\WINDOWS\SysWOW64\clbcatq.dll
0x0000000073050000 0x3d000 C:\WINDOWS\SysWOW64\edputil.dll
0x000000006af90000 0x84000 C:\Windows\SysWOW64\Windows.StateRepositoryPS.dll
0x0000000072c60000 0x18c000 C:\WINDOWS\SysWOW64\urlmon.dll
0x0000000076c60000 0x19000 C:\WINDOWS\SysWOW64\imagehlp.dll
0x0000000072980000 0x219000 C:\WINDOWS\SysWOW64\iertutil.dll
0x000000006ff50000 0x5e000 C:\WINDOWS\SysWOW64\msiso.dll
0x0000000073180000 0x9a000 C:\WINDOWS\SysWOW64\apphelp.dll
I would really like to access the list of 32-bit dlls hiding behind the 64-bit dlls using just PowerShell, is there a way I can do this? 我真的很想仅使用PowerShell访问隐藏在64位dll后面的32位dll列表,有什么办法可以做到这一点?
Thanks 谢谢
1 个解决方案
解决方案1
0 2018-01-27 00:23:53
You could could run a 32-bit powershell session for these processes. 您可以为这些进程运行32位powershell会话。 The following assumes Enable-PSRemoting has been run on the host and that the parent is an elevated 64-bit session: 以下假设Enable-PSRemoting已在主机上运行,并且父服务器是提升的64位会话:
$ps32 = New-PSSession -ConfigurationName microsoft.powershell32
$getModules = { Get-Process -Name jusched | Select-Object -ExpandProperty modules }
& $getModules
Write-Output "----"
Invoke-Command -Session $ps32 -ScriptBlock $getModules
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.