I need to get the base address address of a .exe which has a random base address everytime its started. I've tried this, but it doesn't seem to work:
int Base = (DWORD)GetModuleHandle("Test.exe");
What is wrong?
Asked
Active
Viewed 3,109 times
0
-
The method is correct in my test. Could you paste your whole code? Or are you trying to get another process's base address? – Keyu Gan Jun 13 '16 at 14:52
-
2Why do you think calling `GetModuleHandle` is supposed to do what you want? – Captain Obvlious Jun 13 '16 at 14:52
-
@CaptainObvlious Because `(DWORD)GetModuleHandle(0);` returns the base address for the current process. – Customality Jun 13 '16 at 14:53
-
2No it returns a handle to a loaded module. It just so happens the value of the handle is also the address where the module is _loaded in the calling processes address space_. – Captain Obvlious Jun 13 '16 at 14:54
-
1Not that any of this is going to get you anywhere, but the *base address* of a module and a module's *entry point* are different things. If you assume one to be the other, you'll die a quick death. Assuming 32-bit addresses will cause more suffering. – IInspectable Jun 13 '16 at 15:20
-
@PaulR, one process *can* modify the content of memory within another process, using `WriteProcessMemory()`. – Remy Lebeau Jun 13 '16 at 17:44
-
1@PaulR: `GetModuleHandle()` is a Windows-only function. `WriteProcessMemory()` is the Windows way of writing data across process boundaries. `OpenProcess()` will fail if the calling process does not have the requested security rights to open a handle to the specified process, and `ReadProcessMemory()` and `WriteProcessMemory()` will fail if the specified `HANDLE` does not have sufficient security rights to the specified process. Malware would use `ReadProcessMemory()` to inspect memory. If malware is running with sufficient rights, nothing will stop it from reading another process's memory. – Remy Lebeau Jun 13 '16 at 20:34
2 Answers
2
It seems you are trying to get another process's base address. Sadly, GetModuleHandle only works for modules in current process. To achieve your goal, you need to use PSAPIs or CreateToolhelp32Snapshot to extract the module list of another process. And base address is in the list.
Keyu Gan
- 711
- 5
- 17
-
@Customality, see this: http://stackoverflow.com/questions/14467229/get-base-address-of-process – Keyu Gan Jun 13 '16 at 15:00
-
1Since the OP is going to fiddle with memory of that other process anyway, a more direct solution would inject a DLL (using [CreateRemoteThread](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682437.aspx) for example). Once you broke into someone else's house, you can call `GetModuleHandle(NULL)` to retrieve the base address of the executable image that was used to create the process. – IInspectable Jun 13 '16 at 15:10
1
I need to get the base address/entry point address of a .exe which has a random base address everytime its started. The program uses ASLR.
...
I will use it to edit certain chunks of memory inside the correct process
In order to write data into another process, you need to use WriteProcessMemory(), which requires you to open a HANDLE to the process being written to.
You get that HANDLE using OpenProcess(), requesting PROCESS_VM_OPERATION and PROCESS_VM_WRITE permissions. OpenProcess() takes a process ID as input, which you can get from:
CreateToolhelp32Snapshot()/Process32First()/Process32Next()EnumProcesses().WTSEnumerateProcesses()
See Process Enumeration and Enumerating All Processes.
At no point do you need to determine the base address of the process that is being written to. Let the system keep track of that information for you. All you need is the open HANDLE to the process.
Remy Lebeau
- 555,201
- 31
- 458
- 770
-
Uh ... surely you typically need the base address in order to calculate the virtual address of the static variable or code block you want to read or modify? (Which I assume you can do using Module32First/Module32Next.) – Harry Johnston Jun 13 '16 at 23:29
-
@HarryJohnston: The address passed to `ReadProcessMemory()` and `WriteProcessMemory()` is a virtual address that is relative to the base address of the process represented by the specified `HANDLE`. It is not relative to a particular module. So, you still do not need to know the base address of the process, only the relative virtual address of the target memory block within the process. How you get that address is a different issue. It may be statically known ahead of time. It may be determined dynamically by processing other memory blocks and following pointers. That is a very broad topic. – Remy Lebeau Jun 13 '16 at 23:47
-
@HarryJohnston: For a static variable, you might know its fixed offset within a module, and yes, you can retrieve the base address of a module within the process. From that, you can determine the virtual address of the variable within the process. – Remy Lebeau Jun 13 '16 at 23:49
-
Ah. I assumed that by "base address of the process" you meant the base address of the main module as loaded into the process - it seems clear to me that this is what the OP meant, at any rate. It sounds like you're talking about the base address of the entire virtual address space for the process, relative to some larger address space. I agree that you don't need that, in fact I don't think there even is such a thing - AFAIK, the various active parts of the address space are each tracked separately - but whatever. – Harry Johnston Jun 14 '16 at 01:56
-
@HarryJohnston: there is only one address space within a process, and all memory accesses are relative to that address space. There may be multiple modules, including the main module, running inside that address space. – Remy Lebeau Jun 14 '16 at 03:06
-
Yes. I'm just not sure how you could meaningfully define "the base address of the process" other than as a shorthand for "the base address of the *main module loaded into the* process". :-) – Harry Johnston Jun 14 '16 at 05:06