The MASM Forum Archive 2004 to 2012
Author Topic: Get Imagebase  (Read 5753 times)
ragdog
Member
*****
Posts: 1008


Get Imagebase
« on: November 08, 2009, 09:24:32 PM »

Hi

I have a question about getting the image base of a running process via CreateToolhelp32Snapshot?

For DLLs I can use strModule.modBaseAddr; is there any function for a running exe?

Greets,

Logged
Slugsnack
Member
*****
Posts: 463


Re: Get Imagebase
« Reply #1 on: November 08, 2009, 10:03:46 PM »

You could get PIDs with EnumProcesses()/CreateToolhelp32Snapshot() then for each PID, traverse the module list reading off modBaseAddr

If you want a code example, I can rustle something up, I'm pretty bored
Logged
ragdog
Member
*****
Posts: 1008


Re: Get Imagebase
« Reply #2 on: November 08, 2009, 10:10:32 PM »

Thanks

Can I get the base address with modBaseAddr from a running exe?
From a DLL module this is no problem.

It would be very nice to have an example.

Greets,
Logged
Larry Hammick
Guest


Re: Get Imagebase
« Reply #3 on: November 10, 2009, 12:25:13 PM »

In C or ASM you can use GetModuleHandle. E.g. in ASM

Code:
modulespec1 db "hotstuff.dll",0
modulespec2 db "user32.dll",0
...

invoke GetModuleHandle, addr modulespec1

The function GetModuleHandle is in kernel32.dll, and you might need to specify that. E.g. in Visual Basic:

Code:
Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Logged
Slugsnack
Member
*****
Posts: 463


Re: Get Imagebase
« Reply #4 on: November 10, 2009, 06:02:29 PM »



Code:
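include \masm32\include\masm32rt.inc

.data

newline             DWORD                0A0D0A0Dh, 0    ; CR LF CR LF, zero-terminated

.data?

pe32                PROCESSENTRY32      <>
me32                MODULEENTRY32       <>

.code
  Start:

  invoke AllocConsole

  invoke GetStdHandle, STD_OUTPUT_HANDLE
    mov ebx, eax                            ; ebx = console output handle

  ; snapshot of all running processes
  invoke CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, NULL
    mov esi, eax                            ; esi = process snapshot handle

  ; dwSize must be filled in before the first Process32First/Module32First call
    mov pe32.dwSize, sizeof PROCESSENTRY32
    mov me32.dwSize, sizeof MODULEENTRY32

  invoke Process32First, esi, addr pe32
    test eax, eax
    jz Done                                 ; no process entry could be read

  WalkProcesses:

  invoke SetConsoleTextAttribute, ebx, FOREGROUND_RED OR FOREGROUND_INTENSITY
    print addr newline
    print "Process :", 9
    print addr pe32.szExeFile, 13, 10, 13, 10, 9

  ; snapshot of the modules loaded in this process (the exe itself and its DLLs)
  invoke CreateToolhelp32Snapshot, TH32CS_SNAPMODULE, pe32.th32ProcessID
    mov edi, eax                            ; edi = module snapshot handle
    cmp edi, INVALID_HANDLE_VALUE
    je NextProcess                          ; snapshot failed, skip instead of printing stale me32 data

  invoke SetConsoleTextAttribute, ebx, FOREGROUND_GREEN OR FOREGROUND_INTENSITY
  invoke Module32First, edi, addr me32
    test eax, eax
    jz CloseModules                         ; no module entry could be read

  @@:

    ; module name followed by its base address in hex
    print addr me32.szModule, 9, "0x"
    print uhex$( me32.modBaseAddr ), 13, 10, 9
  invoke Module32Next, edi, addr me32
    test eax, eax
    jnz @b

  CloseModules:

  invoke CloseHandle, edi

  NextProcess:

  invoke Process32Next, esi, addr pe32
    test eax, eax
    jnz WalkProcesses

  Done:

  invoke CloseHandle, esi

    print "Press any key to exit.. "

  @@:

  ; poll the keyboard every 100 ms until a key is pressed
  invoke Sleep, 100
  invoke crt__kbhit
    test eax, eax
    jz @b

  invoke CloseHandle, ebx
  invoke FreeConsole
  invoke ExitProcess, 0

  end Start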
Logged
ragdog
Member
*****
Posts: 1008


Re: Get Imagebase
« Reply #5 on: November 13, 2009, 10:02:52 PM »

Thanks for your reply.

Sorry I have posted too late; I had to go to work this week and I had no internet.
I have coded a slightly different version of this this week, Slugsnack  ThumbsUp

Can you tell me how this color cmd function works?
This is a nice idea for my new project.

Greets,
Logged
evlncrn8
Member
*****
Posts: 320


Re: Get Imagebase
« Reply #6 on: November 13, 2009, 10:08:11 PM »

invoke SetConsoleTextAttribute, ebx, FOREGROUND_GREEN OR FOREGROUND_INTENSITY

does the color bit...
set the desired color, output the data..
Logged