0

Im looking for a method/function that i can use to get base address of "program.exe"+03262C08 -> B4895A0. This address is from Cheat Engine and base address has been found with Pointer scanner. In pointer scanner i can press show module list and there is address of program.exe starting at address 00400000 program.exe. Pointer scanner was scanned for address 09c3000(The address which i want to reach after base address+many offsets[the final address]). This address is base for certain object but i cant reach the address. I'm able to get only base address of exe file at 00400000. I'm trying to add offsets from pointer 03262C08(and the others) but i cant still reach the address. I cant use function FindWindow(). Becouse a name of the program will be changing and it will be redundant to stick with it. I'm using OpenProcess(), EnumProcessModulesEx(), GetModuleFileNameEx() functions. I have tried others as well like GetModuleInformation(),... with the same result. GetModuleHandle() ended with result 0x126 [ERROR_MOD_NOT_FOUND]. I'm using 64 bit OS and I'm trying to get base address of another process. I can see all processes on local machine and modules of "program" process.

if (!K32EnumProcesses(aProcesses, sizeof(aProcesses), &cbNeeded)) {
    return 1;
}

cProcesses = cbNeeded / sizeof(DWORD);

cout << setw(15) << left << "Process ID" << setw(10) << left << "Modules";
cout << setw(30) << left << "Process Name" << endl;
for (i = 0; i < cProcesses; i++) {
    if (aProcesses[i] != 0) {
        ProcessView::GetProccesses(aProcesses[i], modules, sizeModules, &cModules, &hCurrProcess);
        if (hCurrProcess != NULL) {
            cout << endl << setw(15) << left << aProcesses[i] << setw(10) << left << cModules;
            ProcessView::PrintModuleName(hCurrProcess, modules);
            CloseHandle(hCurrProcess);
        }

    }
}
ProcessView::GetProccesses(cProcesses, modules, sizeModules, &cModules, &hCurrProcess);

system("cls");
ProcessView::PrintModuleNameAll(hCurrProcess, modules, cModules);

I added here definition of function in example from ProcessView.h file that i have created.

static void GetProccesses(_In_ DWORD processID, _Inout_ HMODULE ahModules[], _In_ int sizeModules, _Out_ DWORD* cModules, _Out_ HANDLE* hProcess);
static void PrintModuleName(_In_ HANDLE processID, _In_ HMODULE* modules);
static void PrintModuleNameAll(_In_ HANDLE hProcess, _In_ HMODULE * modules, _In_ DWORD cModules);
klutt
  • 30,332
  • 17
  • 55
  • 95
Emil Mein
  • 33
  • 1
  • 5
  • [Duplicate](https://stackoverflow.com/questions/11564148)? or do you just want the running processes? – Barmak Shemirani Oct 19 '17 at 06:51
  • No. Im trying to read process memory `ReadProcessMemory()` from certain address throught exe file running like process and not throught a `FindWindow()` functions. – Emil Mein Oct 19 '17 at 08:10
  • Are you sure that the address in question belongs to exe (not a dll, not a heap, etc)? – KonstantinL Oct 19 '17 at 08:52
  • Actually I am not sure about the meaning of _i cant still reach the address_. Could you rephrase it? – KonstantinL Oct 19 '17 at 08:56
  • `"program.exe"+03262C08 -> B4895A0` in cheat engine (base address). The `B4895A0` i want to get but i get only base address of exe file on `0x00400000`. This `0x00400000` im able to get through code and even Im able to find it in CE (full path after pointer scanning: Right click on a address -> show modulelist). But i cant reach this `B4895A0` with `0x400000 + 0x3262C08 !-> 0xB4895A0`. – Emil Mein Oct 19 '17 at 09:07
  • The numbers look wrong. Modules are always at least page aligned in memory, i.e. at multiples of 0x1000. You cannot add a value ending in 0xC08 to a base address, and have it produce a final value with different values in the least significant 3 hex digits. The problem you have described is not the problem you want to solve. – IInspectable Oct 19 '17 at 11:25
  • Possible duplicate of [How to get the starting/base address of a process in C++?](https://stackoverflow.com/questions/11564148/how-to-get-the-starting-base-address-of-a-process-in-c) – GuidedHacking Feb 05 '18 at 03:51

2 Answers2

1

Windows has been using Address Space Layout Randomization for about a decade now, but the module base in EXE's is far older than that. Simply ignore it, it's now meaningless.

And don't forget: each process has its own address space. A pointer in one process is meaningless in the other.

MSalters
  • 173,980
  • 10
  • 155
  • 350
1

To use ReadProcessMemory or WriteProcessMemory on an address which is found via pointer chain on a process and dynamically get the module base address at runtime you need to accomplish these steps:

  • Find the Process with ToolHelp32Snapshot
  • Find the Module with ToolHelp32Snapsho
  • Get a handle to the process with correct permissions
  • Walk the pointer chain, de-referencing and adding offsets
  • Then you can Call ReadProcessMemory or WriteProcessMemory
  • You must run as administrator

For this example I will use a simple assault cube cheat I've made

#include <iostream>
#include <vector>
#include <Windows.h>
#include "proc.h"

int main()
{
    //Get ProcId of the target process
    DWORD procId = GetProcId(L"ac_client.exe");

    //Getmodulebaseaddress
    uintptr_t moduleBase = GetModuleBaseAddress(procId, L"ac_client.exe");

    //Get Handle to Process
    HANDLE hProcess = 0;
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, NULL, procId);

    //Resolve base address of the pointer chain
    uintptr_t dynamicPtrBaseAddr = moduleBase + 0x10f4f4;

    std::cout << "DynamicPtrBaseAddr = " << "0x" << std::hex << dynamicPtrBaseAddr << std::endl;

    //Resolve our ammo pointer chain
    std::vector<unsigned int> ammoOffsets = { 0x374, 0x14, 0x0 };
    uintptr_t ammoAddr = FindDMAAddy(hProcess, dynamicPtrBaseAddr, ammoOffsets);

    std::cout << "ammoAddr = " << "0x" << std::hex << ammoAddr << std::endl;

    //Read Ammo value
    int ammoValue = 0;

    ReadProcessMemory(hProcess, (BYTE*)ammoAddr, &ammoValue, sizeof(ammoValue), nullptr);
    std::cout << "Curent ammo = " << std::dec << ammoValue << std::endl;

    //Write to it
    int newAmmo = 1337;
    WriteProcessMemory(hProcess, (BYTE*)ammoAddr, &newAmmo, sizeof(newAmmo), nullptr);

    //Read out again
    ReadProcessMemory(hProcess, (BYTE*)ammoAddr, &ammoValue, sizeof(ammoValue), nullptr);

    std::cout << "New ammo = " << std::dec << ammoValue << std::endl;

    getchar();
    return 0;
}

The header file proc.cpp:

DWORD GetProcId(const wchar_t* procName)
{
    DWORD procId = 0;
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap != INVALID_HANDLE_VALUE)
    {
        PROCESSENTRY32 procEntry;
        procEntry.dwSize = sizeof(procEntry);

        if (Process32First(hSnap, &procEntry))
        {
            do
            {
                if (!_wcsicmp(procEntry.szExeFile, procName))
                {
                    procId = procEntry.th32ProcessID;
                    break;
                }
            } while (Process32Next(hSnap, &procEntry));

        }
    }
    CloseHandle(hSnap);
    return procId;
}

uintptr_t GetModuleBaseAddress(DWORD procId, const wchar_t* modName)
{
    uintptr_t modBaseAddr = 0;
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, procId);
    if (hSnap != INVALID_HANDLE_VALUE)
    {
        MODULEENTRY32 modEntry;
        modEntry.dwSize = sizeof(modEntry);
        if (Module32First(hSnap, &modEntry))
        {
            do
            {
                if (!_wcsicmp(modEntry.szModule, modName))
                {
                    modBaseAddr = (uintptr_t)modEntry.modBaseAddr;
                    break;
                }
            } while (Module32Next(hSnap, &modEntry));
        }
    }
    CloseHandle(hSnap);
    return modBaseAddr;
}

uintptr_t FindDMAAddy(HANDLE hProc, uintptr_t ptr, std::vector<unsigned int> offsets)
{
    uintptr_t addr = ptr;
    for (unsigned int i = 0; i < offsets.size(); ++i)
    {
        ReadProcessMemory(hProc, (BYTE*)addr, &addr, sizeof(addr), 0);
        addr += offsets[i];
    }
    return addr;
}
GuidedHacking
  • 3,628
  • 1
  • 9
  • 59