Is there any method to view the activation context of a running Windows process?
Ideally when I say "view" I mean to inspect it in a human-readable way, e.g. to see / confirm what DLLs have been loaded, etc.
My imagination is that some kind of debugger might attach to the running process and then display that information. But any kind of tool could be useful - debugger, log file, even using the activation context API to inspect things, etc.
One of the fundamental way of retrieving Activation Context details is by using the QueryActCtxW() API. This API can be used to query a bunch of details. A good sample is available here.
In the sample code, pay attention to below line.
// Request the first file in the root assembly
QueryIndex.ulAssemblyIndex = 1;
QueryActCtxW() API can be repeatedly called by incrementing the value of ulAssemblyIndex as long as it returns success. Each successful call will return requested details of assembly represented by ulAssemblyIndex.
Above will work when QueryActCtxW() is called from within a process.
Now if you want to get the details of another process, one idea is to wrap activation context retrieval logic inside a DLL. The DLL can dump the details to a disk file or Pipe it to a Viewer. Then inject this DLL to a given process by the means of techniques such as DLL Injection or by making use of CreateRemoteThread() API.
