The MASM Forum Archive 2004 to 2012

General Forums => The Campus => Topic started by: ragdog on November 08, 2009, 09:24:32 PM

Title: Get Imagebase
Post by: ragdog on November 08, 2009, 09:24:32 PM
Hi

I have a question: how do I get the image base of a running process via CreateToolhelp32Snapshot?

For DLLs I can use strModule.modBaseAddr; is there any function for a running exe?

Greets,

Title: Re: Get Imagebase
Post by: Slugsnack on November 08, 2009, 10:03:46 PM
You could get PIDs with EnumProcesses()/CreateToolhelp32Snapshot() then for each PID, traverse the module list reading off modBaseAddr

If you want a code example, I can rustle something up, I'm pretty bored
Title: Re: Get Imagebase
Post by: ragdog on November 08, 2009, 10:10:32 PM
Thanks

Can I get the base address with modBaseAddr from a running exe?
From a DLL module this is no problem.

It would be very nice to have an example.

Greets,
Title: Re: Get Imagebase
Post by: Larry Hammick on November 10, 2009, 12:25:13 PM
In C or ASM you can use GetModuleHandle. E.g. in ASM:

modulespec1 db "hotstuff.dll",0
modulespec2 db "user32.dll",0
...

invoke GetModuleHandle, addr modulespec1
; eax = HMODULE of the named module, i.e. its base address (NULL if it is not loaded)

The function GetModuleHandle is in kernel32.dll, and you might need to specify that. E.g. in Visual Basic:

Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Title: Re: Get Imagebase
Post by: Slugsnack on November 10, 2009, 06:02:29 PM

include \masm32\include\masm32rt.inc

.data

newline             DWORD                0A0D0A0Dh, 0   ; "\r\n\r\n", zero terminated

.data?

pe32                PROCESSENTRY32      <>
me32                MODULEENTRY32       <>

.code
  Start:

  invoke AllocConsole

  invoke GetStdHandle, STD_OUTPUT_HANDLE
  mov ebx, eax                              ; ebx = console output handle

  ; snapshot of every process on the system
  invoke CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, NULL
  cmp eax, INVALID_HANDLE_VALUE
  je Done
  mov esi, eax                              ; esi = process snapshot handle

  ; dwSize must be filled in before Process32First / Module32First
  mov pe32.dwSize, sizeof PROCESSENTRY32
  mov me32.dwSize, sizeof MODULEENTRY32

  invoke Process32First, esi, addr pe32
  test eax, eax
  jz CloseProcessSnapshot

  WalkProcesses:

  invoke SetConsoleTextAttribute, ebx, FOREGROUND_RED OR FOREGROUND_INTENSITY
    print addr newline
    print "Process :", 9
    print addr pe32.szExeFile, 13, 10, 13, 10, 9

  ; snapshot of the modules loaded in this process; the first entry returned
  ; is the exe itself, so its modBaseAddr is the image base of the process
  invoke CreateToolhelp32Snapshot, TH32CS_SNAPMODULE, pe32.th32ProcessID
  cmp eax, INVALID_HANDLE_VALUE             ; fails for processes we may not open (e.g. System)
  je NextProcess
  mov edi, eax                              ; edi = module snapshot handle

  invoke SetConsoleTextAttribute, ebx, FOREGROUND_GREEN OR FOREGROUND_INTENSITY
  invoke Module32First, edi, addr me32
  test eax, eax
  jz CloseModuleSnapshot                    ; nothing to print, do not show a stale me32

  WalkModules:

    print addr me32.szModule, 9, "0x"
    print uhex$( me32.modBaseAddr ), 13, 10, 9
  invoke Module32Next, edi, addr me32
  test eax, eax
  jnz WalkModules

  CloseModuleSnapshot:
  invoke CloseHandle, edi

  NextProcess:
  invoke Process32Next, esi, addr pe32
  test eax, eax
  jnz WalkProcesses

  CloseProcessSnapshot:
  invoke CloseHandle, esi

  Done:
    print "Press any key to exit.. "

  @@:

  invoke Sleep, 100
  invoke crt__kbhit
  test eax, eax
  jz @b

  invoke CloseHandle, ebx
  invoke FreeConsole
  invoke ExitProcess, 0

  end Start
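One caveat worth having next to the two answers above (modBaseAddr from the ToolHelp module list, and the HMODULE from GetModuleHandle): both give the address the loader actually mapped the module at. The ImageBase field in the PE optional header is only the address the linker asked for, and when the loader relocates the image (a DLL whose preferred range was taken, or ASLR on newer Windows) the two differ by the relocation delta. The following is an added example, not code from the thread or from any of the posters: a small, portable C reader that pulls the preferred ImageBase out of a PE32 or PE32+ header and computes the delta against a given load address. It needs no Windows headers; the PE images it parses are constructed minimal headers built in memory, and the load addresses it compares against are made-up values chosen for illustration.

```c
/* Added example (not from the thread): read the preferred ImageBase out of a
 * PE header and compare it with the address the loader actually used.
 * Offsets follow the PE/COFF layout: DOS header e_lfanew at 0x3c, "PE\0\0",
 * 20-byte file header, then the optional header (ImageBase at +28 for PE32,
 * +24 for PE32+). The headers parsed below are constructed, not real files. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PE32_MAGIC      0x10bu
#define PE32PLUS_MAGIC  0x20bu

/* PE fields are little-endian on disk and in memory regardless of host. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }

/* Returns 1 and sets *image_base on success, 0 if buf is not a sane PE image
 * (bad magic, e_lfanew outside the buffer, optional header truncated). */
int pe_preferred_image_base(const uint8_t *buf, size_t len, uint64_t *image_base)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z')
        return 0;
    uint32_t e_lfanew = rd32(buf + 0x3c);
    /* Signature(4) + IMAGE_FILE_HEADER(20) + optional header Magic(2) must fit. */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 2)
        return 0;
    const uint8_t *nt = buf + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0)
        return 0;
    uint16_t opt_size = rd16(nt + 4 + 16);     /* IMAGE_FILE_HEADER.SizeOfOptionalHeader */
    const uint8_t *opt = nt + 4 + 20;
    if ((size_t)(opt - buf) + opt_size > len)
        return 0;
    uint16_t magic = rd16(opt);
    if (magic == PE32_MAGIC) {
        if (opt_size < 28 + 4) return 0;
        *image_base = rd32(opt + 28);           /* IMAGE_OPTIONAL_HEADER32.ImageBase */
        return 1;
    }
    if (magic == PE32PLUS_MAGIC) {
        if (opt_size < 24 + 8) return 0;
        *image_base = rd64(opt + 24);           /* IMAGE_OPTIONAL_HEADER64.ImageBase */
        return 1;
    }
    return 0;
}

/* Relocation delta: where the module is (modBaseAddr / HMODULE) minus where
 * the linker wanted it. Zero means no relocation happened. */
int64_t pe_relocation_delta(uint64_t actual_base, uint64_t preferred_base)
{
    return (int64_t)(actual_base - preferred_base);
}

/* Constructed test input: a minimal header with MZ, e_lfanew, PE\0\0, a file
 * header carrying SizeOfOptionalHeader, and an optional header whose only
 * populated fields are Magic and ImageBase. Returns bytes written, 0 if cap is too small. */
size_t build_fake_pe(uint8_t *buf, size_t cap, int pe32plus, uint64_t image_base)
{
    const uint32_t e_lfanew = 0x40;
    const uint16_t opt_size = pe32plus ? 112 : 96;   /* standard + Windows fields, no data directories */
    size_t total = e_lfanew + 4 + 20 + opt_size;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3c] = (uint8_t)e_lfanew;
    uint8_t *nt = buf + e_lfanew;
    memcpy(nt, "PE\0\0", 4);
    nt[4 + 16] = (uint8_t)opt_size; nt[4 + 17] = (uint8_t)(opt_size >> 8);
    uint8_t *opt = nt + 24;
    uint16_t magic = pe32plus ? PE32PLUS_MAGIC : PE32_MAGIC;
    opt[0] = (uint8_t)magic; opt[1] = (uint8_t)(magic >> 8);
    int off = pe32plus ? 24 : 28, n = pe32plus ? 8 : 4;
    for (int i = 0; i < n; i++) opt[off + i] = (uint8_t)(image_base >> (8 * i));
    return total;
}

int main(void)
{
    uint8_t img[256];
    uint64_t base;
    /* Classic 32-bit exe: preferred 0x00400000 and loaded there, delta 0. */
    size_t n = build_fake_pe(img, sizeof img, 0, 0x00400000u);
    if (pe_preferred_image_base(img, n, &base))
        printf("PE32  preferred 0x%08llx, loaded at 0x00400000, delta %lld\n",
               (unsigned long long)base, (long long)pe_relocation_delta(0x00400000u, base));
    /* 64-bit exe: preferred 0x140000000 but mapped elsewhere (made-up address). */
    n = build_fake_pe(img, sizeof img, 1, 0x0000000140000000ull);
    if (pe_preferred_image_base(img, n, &base))
        printf("PE32+ preferred 0x%016llx, loaded at 0x7ff6c0000000, delta 0x%llx\n",
               (unsigned long long)base, (unsigned long long)pe_relocation_delta(0x00007ff6c0000000ull, base));
    return 0;
}
```

In practice the buffer passed to pe_preferred_image_base would be the file read from disk, or the first page at modBaseAddr read out of the target with ReadProcessMemory; the parser does the same bounds checks either way, which matters because a hostile or truncated header is exactly the input this kind of tool meets first. Note also that GetModuleHandle only sees modules in the calling process, so for another process the ToolHelp snapshot (or ReadProcessMemory of the header) is the way to go.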
Title: Re: Get Imagebase
Post by: ragdog on November 13, 2009, 10:02:52 PM
Thanks for your reply

Sorry I have posted so late; I had to go to work this week and had no internet.
I have coded a slightly different version of this this week, Slugsnack  :U

Can you tell me how this console colour function works?
This is a nice idea for my new project.

Greets,
Title: Re: Get Imagebase
Post by: evlncrn8 on November 13, 2009, 10:08:11 PM
invoke SetConsoleTextAttribute, ebx, FOREGROUND_GREEN OR FOREGROUND_INTENSITY

does the color bit...
set the desired color, output the data..