Get the base address of the process

I want to access a specific process address. But for this I need to first get the base address of the process. I use the tool to check if I am really doing it right. The tool shows that I need the following: "app.exe"+0x011F9B08 = 0x119F8300

I thought I could get the base address of the process through OpenProcess(), but this gives me 0x0000005c as a result. I do not think this is right? At least not what I need.

I think I need a base address: 0x119F8300 - 0x011F9B08 = 0x107FE7F8 <-- base?

This is my code:

    #include <windows.h>

    // declarations implied by the fragment below
    DWORD  dwProcId    = 0;
    HANDLE hProcHandle = NULL;

    HWND hWindow = FindWindow(NULL, lpWindowName);
    if (hWindow) {
        GetWindowThreadProcessId(hWindow, &dwProcId);
        if (dwProcId != 0) {
            // hProcHandle -> 0x0000005c
            hProcHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcId);
        } else {
            return 0;
        }
    }

How can I get the base address of the process that I opened?

+8
c++ pointers windows
2 answers

If you want to get a virtual address in a different process's address space, you can do it like this:

  • Open the process using OpenProcess - if successful, the return value is a handle to the process, which is just an opaque token used by the kernel to identify the kernel object. Its exact integer value (0x5c in your case) does not make sense for user-space programs, except to distinguish it from other handles and invalid handles.
  • Call GetProcessImageFileName to get the name of the main executable of the process.
  • Use EnumProcessModules to list all the modules in the target process.
  • For each module, call GetModuleFileNameEx to get the file name, and compare it with the executable file name.
  • When you find the executable, call GetModuleInformation to get the source entry point of the executable.

This will give you a virtual address, but you won’t be able to do much with it, since it does not appear in your current process address space.

+5

I wanted to expand a bit on @Adam Rosenfield's answer. I will use League of Legends as an example here.

To open a process (to get a handle), we need a PID (process identifier). We can get it from a window handle (HWND), because the window name is usually known:

    // You will need to change this to the name of the window of the foreign process
    HWND WindowHandle = FindWindow(nullptr, L"League of Legends (TM) Client");
    DWORD PID;
    GetWindowThreadProcessId(WindowHandle, &PID);
    PVOID hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, 0, PID);

Now that we can get the process handle, we continue:

    HMODULE Module = GetModule();
    // DWORD_PTR rather than DWORD, so the address is not truncated in a 64-bit build
    DWORD_PTR BaseAddress = (DWORD_PTR)Module;

GetModule function:

    #include <windows.h>
    #include <psapi.h>   // EnumProcessModules, GetModuleFileNameEx (link with psapi.lib)
    #include <string>
    using std::wstring;

    HANDLE GetHandle(); // the author's separate helper: returns the handle obtained with OpenProcess above

    HMODULE GetModule()
    {
        HMODULE hMods[1024];
        HANDLE pHandle = GetHandle();
        DWORD cbNeeded;
        unsigned int i;
        if (EnumProcessModules(pHandle, hMods, sizeof(hMods), &cbNeeded))
        {
            // cbNeeded may exceed the buffer size; never iterate past the 1024 entries we actually have
            DWORD count = (cbNeeded < sizeof(hMods) ? cbNeeded : sizeof(hMods)) / sizeof(HMODULE);
            for (i = 0; i < count; i++)
            {
                TCHAR szModName[MAX_PATH]; // TCHAR is wchar_t in a UNICODE build, which the wstring below requires
                if (GetModuleFileNameEx(pHandle, hMods[i], szModName, sizeof(szModName) / sizeof(TCHAR)))
                {
                    wstring wstrModName = szModName;
                    // you will need to change this to the name of the exe of the foreign process
                    wstring wstrModContain = L"League of Legends.exe";
                    if (wstrModName.find(wstrModContain) != wstring::npos)
                    {
                        CloseHandle(pHandle);
                        return hMods[i];
                    }
                }
            }
        }
        CloseHandle(pHandle); // do not leak the handle when the module is not found
        return nullptr;
    }

As for me personally, I like to write two separate functions: one for getting the handle and one for getting the module.

There we go, we have successfully obtained the base address of the foreign process.

+2
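Added example, not code from the question or either answer: once the module enumeration in both answers has produced a base address and image size (the MODULEINFO.lpBaseOfDll and SizeOfImage values that GetModuleInformation returns), the tool's `"app.exe"+0x011F9B08` notation is just base plus offset. The C below does that arithmetic portably, without any Windows API calls, against a constructed module table with sample addresses, and refuses an offset that does not fall inside the module's image, which is the usual sign that the offset was recorded against a different build of the target.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* One loaded module as EnumProcessModules + GetModuleInformation report it:
 * MODULEINFO.lpBaseOfDll -> base, MODULEINFO.SizeOfImage -> size. */
typedef struct {
    const char *name;  /* module file name, e.g. "app.exe" */
    uintptr_t   base;  /* load address inside the target process */
    uint32_t    size;  /* bytes mapped starting at base */
} module_info;

/* Resolve a "<module>"+<hex offset> expression (the notation in the question) to
 * an absolute address in the target's address space. Returns 1 and sets *out;
 * returns 0 if the expression is malformed, the module is not loaded, or the
 * offset falls outside the module's image (e.g. taken from another build). */
int resolve_module_offset(const module_info *mods, size_t n,
                          const char *expr, uintptr_t *out)
{
    const char *q1 = strchr(expr, '"');
    const char *q2 = q1 ? strchr(q1 + 1, '"') : NULL;
    if (!q1 || !q2 || q2[1] != '+') return 0;
    size_t name_len = (size_t)(q2 - q1 - 1);
    char *end = NULL;
    unsigned long long off = strtoull(q2 + 2, &end, 16);
    if (end == q2 + 2 || *end != '\0') return 0;  /* no hex digits or trailing junk */
    for (size_t i = 0; i < n; i++) {
        if (strlen(mods[i].name) != name_len ||
            strncmp(mods[i].name, q1 + 1, name_len) != 0) continue;
        if (off >= mods[i].size) return 0;        /* outside [base, base + size) */
        *out = mods[i].base + (uintptr_t)off;
        return 1;
    }
    return 0;                                     /* module not loaded */
}

/* Constructed module table (sample values, not from a real process). */
static const module_info demo_mods[] = {
    { "app.exe",   0x00400000u, 0x01400000u },
    { "ntdll.dll", 0x77000000u, 0x00180000u },
};
static const size_t demo_count = sizeof demo_mods / sizeof demo_mods[0];

/* Wrapper over the demo table: returns 0 when the expression does not resolve. */
uintptr_t demo_resolve(const char *expr)
{
    uintptr_t addr = 0;
    return resolve_module_offset(demo_mods, demo_count, expr, &addr) ? addr : 0;
}
```

With the sample base of 0x00400000, `"app.exe"+0x011F9B08` resolves to 0x015F9B08; on a real target the base comes from the enumeration above and changes from run to run under ASLR, which is why the offset, not the absolute address, is what the tool records.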
