Last active
September 16, 2019 04:58
-
-
Save mattifestation/92062cb8d6fb887f2fcb7fb7482af5a5 to your computer and use it in GitHub Desktop.
Enumerating module base addresses for a process using only WMI
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Get-CimInstance -ClassName Win32_Process -Filter "ProcessID = $PID" -Property Handle | % { | |
| Get-CimInstance -ClassName CIM_ProcessExecutable -Filter "Dependent = 'Win32_Process.Handle=$($_.Handle)'" | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment