CreateProcess GetBaseAdress

Started by ragdog, March 26, 2010, 11:42:15 PM


ragdog

Hi

Can I get with CreateProcess the base adress?

thanks

redskull

GetModuleHandle is probably the best bet for the image base address, however it's not really necessary; processes are always (well, normally) loaded at 400000.  If you are looking for the entry point, you can check the header.  The caveat is programs which have been linked with a different base address via /BASE and Vista programs that link with the /DYNAMICBASE option, which invokes the ASLR support (address space layout randomization), causing Vista to shuffle everything around randomly, in order to discourage people who assume set addresses.

-r
Strange women, lying in ponds, distributing swords, is no basis for a system of government

clive

But to what end? The address will exist in a different virtual address space context than the process creating it.

-Clive
It could be a random act of randomness. Those happen a lot as well.

Ghandi

If you care to code a debugger, you will receive a notification when the process is created and as part of that notification you can access information such as the image base, entry point, etc.

http://msdn.microsoft.com/en-us/library/ms679302(VS.85).aspx

Quote
CREATE_PROCESS_DEBUG_EVENT

Generated whenever a new process is created in a process being debugged or whenever the debugger begins debugging an already active process. The system generates this debugging event before the process begins to execute in user mode and before the system generates any other debugging events for the new process.
The DEBUG_EVENT structure contains a CREATE_PROCESS_DEBUG_INFO structure. This structure includes a handle to the new process, a handle to the process's image file, a handle to the process's initial thread, and other information that describes the new process.

The handle to the process has PROCESS_VM_READ and PROCESS_VM_WRITE access. If a debugger has these types of access to a thread, it can read and write to the process's memory by using the ReadProcessMemory and WriteProcessMemory functions. If the system previously reported an EXIT_PROCESS_DEBUG_EVENT event, the system closes this handle when the debugger calls the ContinueDebugEvent function.

The handle to the process's image file has GENERIC_READ access and is opened for read-sharing. The debugger should close this handle while processing CREATE_PROCESS_DEBUG_EVENT.

The handle to the process's initial thread has THREAD_GET_CONTEXT, THREAD_SET_CONTEXT, and THREAD_SUSPEND_RESUME access to the thread. If a debugger has these types of access to a thread, it can read from and write to the thread's registers by using the GetThreadContext and SetThreadContext functions and can suspend and resume the thread by using the SuspendThread and ResumeThread functions. If the system previously reported an EXIT_PROCESS_DEBUG_EVENT event, the system closes this handle when the debugger calls the ContinueDebugEvent function.

As part of the DEBUG_EVENT structure filled out there is another structure:

Quote
typedef struct _CREATE_PROCESS_DEBUG_INFO {
 HANDLE                 hFile;
 HANDLE                 hProcess;
 HANDLE                 hThread;
 LPVOID                 lpBaseOfImage;
 DWORD                  dwDebugInfoFileOffset;
 DWORD                  nDebugInfoSize;
 LPVOID                 lpThreadLocalBase;
 LPTHREAD_START_ROUTINE lpStartAddress;
 LPVOID                 lpImageName;
 WORD                   fUnicode;
} CREATE_PROCESS_DEBUG_INFO, *LPCREATE_PROCESS_DEBUG_INFO;


Or if I have mistaken the context of your question and it's more in line with what redskull and Clive have posted about:

With GetProcAddress we can get the address of an API locally, then apply that to a remote address but there are instances where the library will be loaded at a different base address and this means that it will not work. If you want to get the address remotely without injecting code you can use CreateToolhelp32Snapshot and Module32First/Module32Next to cycle through the loaded modules in the remote process. When you have found the one which you want the API from, load it locally and get the API address, then subtract the module base (imagebase) from it to get the RVA. Add the remote base address and you have the virtual address in the remote process.
HR,
Ghandi
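One way to do the Module32First check ragdog settled on, as an added MASM32 example (not code from this thread or the MASM32 SDK): it creates a process, waits until the loader has populated the module list, and prints the base the loader actually assigned to the main image, which under /DYNAMICBASE need not be 400000h. The command line notepad.exe is a constructed stand-in for whatever you launch.

```asm
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\masm32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\masm32.lib
.data
    szCmd   db "notepad.exe",0                       ; constructed target, replace as needed
    szFmt   db "%s loaded at %08Xh in PID %u",13,10,0
.data?
    sui     STARTUPINFO <>
    pinf    PROCESS_INFORMATION <>
    me      MODULEENTRY32 <>
    hSnap   dd ?
    buf     db 512 dup(?)
.code
start:
    mov sui.cb, sizeof STARTUPINFO
    invoke CreateProcess, NULL, ADDR szCmd, NULL, NULL, FALSE, 0, NULL, NULL, ADDR sui, ADDR pinf
    .if eax == 0
        invoke ExitProcess, 1
    .endif
    ; right after CreateProcess the loader may still be running; Toolhelp then fails
    ; with ERROR_BAD_LENGTH and MSDN says to retry until it succeeds
again:
    invoke CreateToolhelp32Snapshot, TH32CS_SNAPMODULE, pinf.dwProcessId
    .if eax == INVALID_HANDLE_VALUE
        invoke GetLastError
        .if eax != ERROR_BAD_LENGTH
            invoke ExitProcess, 2                     ; e.g. a 64-bit target from 32-bit code
        .endif
        invoke Sleep, 10
        jmp again
    .endif
    mov hSnap, eax
    ; the first entry is the main image; modBaseAddr is the base the loader chose,
    ; so an ASLR-relocated image shows up here instead of the linker's default
    mov me.dwSize, sizeof MODULEENTRY32
    invoke Module32First, hSnap, ADDR me
    .if eax != 0
        invoke wsprintf, ADDR buf, ADDR szFmt, ADDR me.szModule, me.modBaseAddr, pinf.dwProcessId
        invoke StdOut, ADDR buf
    .endif
    invoke CloseHandle, hSnap
    invoke CloseHandle, pinf.hThread
    invoke CloseHandle, pinf.hProcess
    invoke ExitProcess, 0
end start
```

Module32Next would walk the remaining entries (ntdll, kernel32, ...) in the same way, which is where the remote base for the RVA arithmetic above comes from.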

ragdog

Thanks Ghandi and RedSkull

I have solved it with Module32First. I think this is better: it checks if the process is running
and, if so, gets the image base.

greets