0

If a process has loaded a certain dll in its address space, how can I determine where the dll 's base address is? I have tried using depends.exe but the address it gives is not authentic. The method I am using now is to write a simple WinAPI program, disassemble it and check the address in the call instruction. However this method is quite time consuming...

Thanks!

Richard D.
  • 37
  • 4
  • I think you could use a tool like: http://www.pe-explorer.com/peexplorer-tour-function-view.htm or http://msdn.microsoft.com/en-us/library/756as972.aspx. If you use `GetModuleHandle()` the return value should be the base address. – Cyclonecode Mar 24 '14 at 00:25
  • possible duplicate of [EXE or DLL Image base address](http://stackoverflow.com/questions/4298331/exe-or-dll-image-base-address) – Cyclonecode Mar 24 '14 at 00:28
  • You have been very helpful! Thanks a lot! However, if I move one step further, how can I determine the entry point of a certain function, for example, `MessageBoxA()`? Is there another function similar to `GetModuleHandle()` that can return the entry address of a function? – Richard D. Mar 24 '14 at 04:18
  • To get the address of a function I guess you could do: `void address = (void)MessageBoxA;`. Here is a link that talks about functions pointers: http://www.cprogramming.com/reference/addressfunction.html – Cyclonecode Mar 24 '14 at 11:59
  • Why don't you use GetProcAddress? – manuell Mar 24 '14 at 12:23
  • Thank you! `GetProcAddress` is really an effective way! – Richard D. Mar 24 '14 at 15:03

0 Answers0