
Showing posts from January, 2013

Deep Dive to Windows, Part 3 (Extension)

This is the extension of part 3. I'd like to explain a few things in detail.

In part 3 we started the discussion of the PEB_LDR_DATA structure. More details on it can be found in the following MSDN article: http://msdn.microsoft.com/en-us/library/windows/desktop/aa813708%28v=vs.85%29.aspx

As per MSDN, the structure looks like below:

    typedef struct _PEB_LDR_DATA {
        BYTE       Reserved1[8];
        PVOID      Reserved2[3];
        LIST_ENTRY InMemoryOrderModuleList;
    } PEB_LDR_DATA, *PPEB_LDR_DATA;

The highlighted member, InMemoryOrderModuleList, is described by MSDN as "The head of a doubly-linked list that contains the loaded modules for the process. Each item in the list is a pointer to an LDR_DATA_TABLE_ENTRY structure."

Its data type is LIST_ENTRY. According to MSDN, that structure is like below:

    typedef struct _LIST_ENTRY {
        struct _LIST_ENTRY *Flink;
        struct _LIST_ENTRY *Blink;
    } LIST_ENTRY, *PLIST_ENTRY, *RESTRICTED_POINTER PRLIST_ENTRY;

Let's see what WinDbg says about it.
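Added example (mine, not from the original post): a small portable C program that re-types the two MSDN structures above plus a cut-down LDR_DATA_TABLE_ENTRY (an assumed, simplified layout with a plain char pointer standing in for the real UNICODE_STRING name) and walks a constructed InMemoryOrderModuleList the way a debugger or memory-forensics parser would. It shows the point behind "each item is a pointer to an LDR_DATA_TABLE_ENTRY": a Flink points at the LIST_ENTRY embedded inside the entry, so CONTAINING_RECORD is needed to get back to the entry itself.

```c
#include <stddef.h>
#include <string.h>
/* Portable re-typing of the two structures quoted from MSDN above (assumption:
   no windows.h is used, so this compiles and runs on any C compiler). */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;
typedef struct _PEB_LDR_DATA {
    unsigned char Reserved1[8];
    void *Reserved2[3];
    LIST_ENTRY InMemoryOrderModuleList;   /* the list HEAD; not itself a module */
} PEB_LDR_DATA;
/* Simplified LDR_DATA_TABLE_ENTRY (constructed for this example: the real
   structure has more members and a UNICODE_STRING name, not a char pointer). */
typedef struct _LDR_DATA_TABLE_ENTRY {
    void *Reserved1[2];
    LIST_ENTRY InMemoryOrderLinks;        /* neighbours' Flink/Blink point HERE */
    const char *BaseDllName;
} LDR_DATA_TABLE_ENTRY;
/* A Flink points at the embedded LIST_ENTRY; subtract its offset to reach the entry. */
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

static void list_insert_tail(LIST_ENTRY *head, LIST_ENTRY *e) {
    e->Flink = head;         e->Blink = head->Blink;
    head->Blink->Flink = e;  head->Blink = e;
}
/* Follow Flink until it comes back to the head (circular list, no NULL terminator). */
size_t walk_modules(const PEB_LDR_DATA *ldr, const char **names, size_t max) {
    const LIST_ENTRY *head = &ldr->InMemoryOrderModuleList;
    size_t n = 0;
    for (const LIST_ENTRY *cur = head->Flink; cur != head && n < max; cur = cur->Flink)
        names[n++] = CONTAINING_RECORD(cur, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks)->BaseDllName;
    return n;
}

/* Build a constructed three-module list (sample data, not a live process) and walk it. */
size_t demo_walk(const char **names, size_t max) {
    static PEB_LDR_DATA ldr;
    static LDR_DATA_TABLE_ENTRY mods[3];
    const char *dll[] = { "demo.exe", "ntdll.dll", "kernel32.dll" };
    LIST_ENTRY *head = &ldr.InMemoryOrderModuleList;
    head->Flink = head->Blink = head;     /* empty list: head points to itself */
    for (size_t i = 0; i < 3; i++) {
        mods[i].BaseDllName = dll[i];
        list_insert_tail(head, &mods[i].InMemoryOrderLinks);
    }
    return walk_modules(&ldr, names, max);
}
```

Calling demo_walk with an array of at least three slots yields the module names in memory order: demo.exe, ntdll.dll, kernel32.dll.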