RTL_PROCESS_MODULE_INFORMATION

The RTL_PROCESS_MODULE_INFORMATION structure is a recurring element in the RTL_PROCESS_MODULES structure that a successful call to ZwQuerySystemInformation or NtQuerySystemInformation produces at the start of its output buffer when given the information class SystemModuleInformation (0x0B).

Documentation Status

The RTL_PROCESS_MODULE_INFORMATION structure is not documented.

Layout

The RTL_PROCESS_MODULE_INFORMATION is 0x011C or 0x0128 bytes in 32-bit and 64-bit Windows 10, respectively.

Offset (x86)  Offset (x64)  Definition
0x00          0x00          PVOID Section;
0x04          0x08          PVOID MappedBase;
0x08          0x10          PVOID ImageBase;
0x0C          0x18          ULONG ImageSize;
0x10          0x1C          ULONG Flags;
0x14          0x20          USHORT LoadOrderIndex;
0x16          0x22          USHORT InitOrderIndex;
0x18          0x24          USHORT LoadCount;
0x1A          0x26          USHORT OffsetToFileName;
0x1C          0x28          CHAR FullPathName [0x0100];

The OffsetToFileName is the offset in bytes to the filename part of the FullPathName from the start of the FullPathName.
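
An added example, not part of the original page: a fixed-width C mirror of the x64 column with compile-time checks of the offsets and size, plus a bounds-checked lookup of the filename through OffsetToFileName. The names MODULE_INFO_X64, module_file_name and make_sample and the sample path are constructed for illustration; the validation rules are this example's assumptions for parsing an entry from an untrusted buffer (such as one carved from a memory image), not documented behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed-width mirror of the x64 column, so the layout is the same on any build target. */
typedef struct {
    uint64_t Section;            /* PVOID  */
    uint64_t MappedBase;         /* PVOID  */
    uint64_t ImageBase;          /* PVOID  */
    uint32_t ImageSize;          /* ULONG  */
    uint32_t Flags;              /* ULONG  */
    uint16_t LoadOrderIndex;     /* USHORT */
    uint16_t InitOrderIndex;     /* USHORT */
    uint16_t LoadCount;          /* USHORT */
    uint16_t OffsetToFileName;   /* USHORT */
    char     FullPathName[0x0100];
} MODULE_INFO_X64;               /* hypothetical name for this example */

_Static_assert(offsetof(MODULE_INFO_X64, OffsetToFileName) == 0x26, "OffsetToFileName");
_Static_assert(offsetof(MODULE_INFO_X64, FullPathName) == 0x28, "FullPathName");
_Static_assert(sizeof(MODULE_INFO_X64) == 0x0128, "structure size");

/* Returns the filename part of FullPathName, or NULL if the entry is malformed. */
static const char *module_file_name(const MODULE_INFO_X64 *m)
{
    /* Assumption: a usable path is NUL-terminated inside the 0x0100-byte array. */
    const char *end = memchr(m->FullPathName, '\0', sizeof m->FullPathName);
    if (end == NULL) return NULL;
    /* Assumption: the offset must not point past the terminator. */
    if (m->OffsetToFileName > (size_t)(end - m->FullPathName)) return NULL;
    return m->FullPathName + m->OffsetToFileName;
}

/* Builds a constructed sample entry; only the path and offset are populated. */
static MODULE_INFO_X64 make_sample(const char *path, uint16_t name_offset)
{
    MODULE_INFO_X64 m;
    memset(&m, 0, sizeof m);
    strncpy(m.FullPathName, path, sizeof m.FullPathName - 1);
    m.OffsetToFileName = name_offset;
    return m;
}

int main(void)
{
    MODULE_INFO_X64 m = make_sample("\\SystemRoot\\system32\\ntoskrnl.exe", 21);
    const char *name = module_file_name(&m);
    printf("%s\n", name ? name : "(malformed entry)");
    return name ? 0 : 1;
}
```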