Get current Image Base address

Question

I made some computations to get a relative virtual address(RVA).

I compute a correct RVA (according to the .map file) and I want to translate it to a callable function pointer.

Is there a way to translate it to a physical address?

I have thought of taking the image base address and add it. According to this thread it should be possible via GetModuleHandle(NULL), but the result is "wrong". I only have a good result when I subtract a pointer from a function from its RVA defined in the .map file.

Is there a WINAPI to either convert a RVA to a physical address, or get the image base address, or get the RVA of a physical address?

Here's some example code:

#include <stdio.h>
#include <Windows.h>
#include <WinNT.h>

static int count = 0;
void reference()       // According to .map RVA = 0x00401000
{
}
void toCall()          // According to .map RVA = 0x00401030
{
    printf("Called %d\n", ++count);
}

int main()
{
    typedef void (*fnct_t)();
    fnct_t fnct;
    fnct = (fnct_t) (0x00401030 + (((int) reference) - 0x00401000));
    fnct(); // works
    fnct = (fnct_t) (0x00401030 + ((int) GetModuleHandle(NULL)) - 0x00400000);
    fnct(); // often works
    return 0;
}

My main concern is that it seems that sometimes (maybe in threaded contexts) GetModuleHandle(NULL) isn't correct.

`GetModuleHandle(NULL) but the result is "wrong".` - what you mean ? `physical address` - you mean *virtual address* (VA) ? `VA== ImageBase + RVA` — RbMm, Feb 09 '17 at 00:42
Physical addresses are relevant to drivers. You work with virtual addresses. Do you mean absolute rather than physical? — David Heffernan, Feb 09 '17 at 08:20
Probably, I mean "the right level to be able to call it from a function pointer", is it virtual address? — GlinesMome, Feb 09 '17 at 18:34

Droopy · Accepted Answer · 2017-02-10T11:09:19.310

To get the image base without the entry point being predefined directly at compile-time you can do, a simple search from aligning eax@1000h from the current VA and looping until a valid PE signature 'MZ' is found in the current memory page.

Assuming the base address is not relocated into another PE image. I've prepared a function for you:

DWORD FindImageBase() {
    DWORD* VA = (DWORD *) &FindImageBase, ImageBase;
    __asm {
            mov eax, VA
            and eax, 0FFFF0000h
        search:
            cmp word ptr [eax], 0x5a4d
            je stop
            sub eax, 00010000h
            jmp search
        stop:
            mov [ImageBase], 0
            mov [ImageBase], eax
    }
    return ImageBase;
}

Why the `mov [ImageBase], 0` before `mov [ImageBase], eax`? – Pezo Jan 26 '18 at 14:37 — Pezo, Jan 26 '18 at 14:37

Get current Image Base address

1 Answers1