
Get Imagebase

Started by ragdog, November 08, 2009, 09:24:32 PM


ragdog

Hi

I have a question: how do I get the image base of a running process via CreateToolhelp32Snapshot?

For DLLs I can use strModule.modBaseAddr; is there any function for a running exe?

Greets,


Slugsnack

You could get PIDs with EnumProcesses()/CreateToolhelp32Snapshot() then for each PID, traverse the module list reading off modBaseAddr

If you want a code example, I can rustle something up, I'm pretty bored

ragdog

Thanks

Can I get the base address with modBaseAddr from a running exe?
From a DLL module this is not a problem.

It would be very nice to have an example.

Greets,

Larry Hammick

In C or ASM you can use GetModuleHandle. E.g. in ASM

modulespec1 db "hotstuff.dll",0
modulespec2 db "user32.dll",0
...

invoke GetModuleHandle, addr modulespec1


The function GetModuleHandle is in kernel32.dll, and you might need to specify that. E.g. in Visual Basic:

Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long

Slugsnack



include \masm32\include\masm32rt.inc

.data

newline             DWORD               0A0D0A0Dh, 0        ; CR LF CR LF

.data?

pe32                PROCESSENTRY32      <>
me32                MODULEENTRY32       <>

.code
Start:

    invoke AllocConsole

    invoke GetStdHandle, STD_OUTPUT_HANDLE
    mov ebx, eax                        ; ebx = console output handle

    ; snapshot of every process on the system
    invoke CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, NULL
    mov esi, eax                        ; esi = process snapshot handle

    ; dwSize must be filled in before the first Process32First/Module32First
    mov pe32.dwSize, sizeof PROCESSENTRY32
    mov me32.dwSize, sizeof MODULEENTRY32

    invoke Process32First, esi, addr pe32
    test eax, eax
    jz Done                             ; snapshot failed or is empty

WalkProcesses:

    invoke SetConsoleTextAttribute, ebx, FOREGROUND_RED OR FOREGROUND_INTENSITY
    print addr newline
    print "Process :", 9
    print addr pe32.szExeFile, 13, 10, 13, 10, 9

    ; snapshot of the modules loaded in this process; returns
    ; INVALID_HANDLE_VALUE for processes we are not allowed to open
    invoke CreateToolhelp32Snapshot, TH32CS_SNAPMODULE, pe32.th32ProcessID
    mov edi, eax                        ; edi = module snapshot handle

    invoke SetConsoleTextAttribute, ebx, FOREGROUND_GREEN OR FOREGROUND_INTENSITY
    invoke Module32First, edi, addr me32
    test eax, eax
    jz NextProcess                      ; nothing to list, do not print stale me32

@@:
    ; the first entry is normally the exe itself, so its modBaseAddr is the image base
    print addr me32.szModule, 9, "0x"
    print uhex$( me32.modBaseAddr ), 13, 10, 9
    invoke Module32Next, edi, addr me32
    test eax, eax
    jnz @b

NextProcess:
    invoke CloseHandle, edi
    invoke Process32Next, esi, addr pe32
    test eax, eax
    jnz WalkProcesses

Done:
    invoke CloseHandle, esi

    print "Press any key to exit.. "

@@:
    invoke Sleep, 100
    invoke crt__kbhit
    test eax, eax
    jz @b

    invoke CloseHandle, ebx
    invoke FreeConsole
    invoke ExitProcess, 0

end Start
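To answer the original question directly (the image base of one named exe rather than a dump of every module), here is a reusable procedure added as an example; it is not Slugsnack's code or part of the MASM32 SDK. It assumes masm32rt.inc with its print, uhex$ and chr$ macros, GetImageBase is a name chosen for this example, and "notepad.exe" is a constructed placeholder target.

```masm
include \masm32\include\masm32rt.inc
.code
; image base of the first process named pszExeName (case-insensitive), else 0
GetImageBase proc uses esi edi ebx pszExeName:DWORD
    LOCAL pe32:PROCESSENTRY32
    LOCAL me32:MODULEENTRY32
    xor ebx, ebx                        ; ebx = result, 0 until found
    mov pe32.dwSize, sizeof PROCESSENTRY32
    mov me32.dwSize, sizeof MODULEENTRY32
    invoke CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, NULL
    cmp eax, INVALID_HANDLE_VALUE
    je done
    mov esi, eax                        ; esi = process snapshot
    invoke Process32First, esi, addr pe32
    test eax, eax
    jz close_proc
next_process:
    invoke lstrcmpi, addr pe32.szExeFile, pszExeName   ; file name only
    test eax, eax
    jnz skip
    ; module snapshot of that process; INVALID_HANDLE_VALUE when we lack access
    invoke CreateToolhelp32Snapshot, TH32CS_SNAPMODULE, pe32.th32ProcessID
    cmp eax, INVALID_HANDLE_VALUE
    je skip
    mov edi, eax                        ; edi = module snapshot
    ; the first module enumerated is the exe itself, so its modBaseAddr is the image base
    invoke Module32First, edi, addr me32
    .if eax
        mov ebx, me32.modBaseAddr
    .endif
    invoke CloseHandle, edi
    jmp close_proc                      ; first match wins
skip:
    invoke Process32Next, esi, addr pe32
    test eax, eax
    jnz next_process
close_proc:
    invoke CloseHandle, esi
done:
    mov eax, ebx
    ret
GetImageBase endp
Start:
    invoke GetImageBase, chr$("notepad.exe")   ; constructed example name
    mov edi, eax                        ; keep it, print clobbers eax
    print "Image base: 0x"
    print uhex$(edi), 13, 10
    invoke ExitProcess, 0
end Start
```

A result of 0 means either no process of that name was found or its module list could not be read, which is what you will see for processes belonging to another user or to the system.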

ragdog

Thanks for your reply.

Sorry I have posted so late; I had to go to work this week and had no internet.
I have coded a slightly different version of this this week, Slugsnack  :U

Can you tell me how this colour cmd function works?
This is a nice idea for my new project.

Greets,

evlncrn8

invoke SetConsoleTextAttribute, ebx, FOREGROUND_GREEN OR FOREGROUND_INTENSITY

does the colour bit...
set the desired colour, then output the data..