[Vol-users] Working of ldrmodules ?

Hello Group, So am not sure, if I understood, the working of ldrmodules correctly, but in short, for each process, I imagine it looks at the VAD; and for each dll found there compares it with the 3 lists in the process PEB and reports back on any discrepancy. A snippet, from vadinfo for a process with pid 12128, I can see a dll mapped VAD node @ 0xfffffa80088378c0 Start 0x0000000000040000 End 0x0000000000040fff Tag Vad Flags: Protection: 7, VadType: 2 Protection: PAGE_EXECUTE_WRITECOPY Vad Type: VadImageMap ControlArea @fffffa8006a86c40 Segment fffff8a00021d4e0 Dereference list: Flink 00000000, Blink 00000000 NumberOfSectionReferences: 1 NumberOfPfnReferences: 1 NumberOfMappedViews: 119 NumberOfUserReferences: 120 WaitingForDeletion Event: 00000000 Control Flags: File: 1, Image: 1 FileObject @fffffa80069c5250, Name: \Windows\System32\apisetschema.dll First prototype PTE: fffff8a00021d5a8 Last contiguous PTE: fffffffffffffffc Flags2: Inherit: 1 But ldrmodules (or dlllist) over the image, does not show that dll. cat ldrmodules.txt | grep -i apiset cat dlllist.txt | grep -i apiset The process in question has a pid of 12128, so on a frequency count, there is a large discrepancy, that I don't understand why. cat ldrmodules.txt | grep 12128 | wc -l 54 cat vadinfo-12128.txt | grep dll | wc -l 130 Any pointers to a link I should read up on to understand the concepts here. Should not have ldrmodules, reported on all the dlls that were found as mapped files in the VAD ? Thanks, JB