How to find the base address of a process

Started by Subhadeep.Ghosh, June 04, 2007, 05:51:53 AM


Subhadeep.Ghosh

Hello,

It's me again. I wanted to know if there was a way in which I could find the base address of a process (the current process). I came across an article in which the author tries to find the base address by reading the preferred loading address. But I think it is unreliable so I wanted to know if there was some way in which this could be achieved in a more reliable manner.

Thank you in advance.

Regards,
Subhadeep Ghosh

hutch--

Have a look and see if the INSTANCE handle is what you need; it is normally the load address of an executable file. On an EXE it's fixed at 400000h; on a DLL it varies due to relocation if the preferred address is already taken.

You can get it with a simple call to GetModuleHandle().
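hutch's answer worked through in code, as an added example that is not code from hutch, the OP or the MASM32 package. It calls GetModuleHandle(NULL) to get the HINSTANCE (the actual load address), then walks the DOS and NT headers at that address to read the preferred ImageBase the linker wrote, which is the value the article the OP mentions relies on, so both can be compared. GetExeBases, the string names and the message box text are names made up for this example; the structure names are those in the MASM32 windows.inc.

```masm
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

.data
fmt     db "Actual load base: %08Xh   Preferred ImageBase from PE header: %08Xh",0
errmsg  db "No PE image at the HINSTANCE address",0
cap     db "Base address",0         ; example strings, not from the original post

.data?
buf       db 256 dup(?)
actual    dd ?
preferred dd ?

.code

; GetExeBases (example name): returns in eax the address this EXE was actually
; loaded at (the HINSTANCE from GetModuleHandle(NULL)) and stores the linker's
; preferred ImageBase, read from the PE optional header, at pPreferred.
; Returns 0 if the memory at the HINSTANCE does not look like a PE image.
GetExeBases proc uses esi edi pPreferred:DWORD
    invoke GetModuleHandle, NULL          ; HINSTANCE == load address of the EXE
    mov esi, eax
    assume esi:ptr IMAGE_DOS_HEADER
    cmp [esi].e_magic, 5A4Dh              ; "MZ"
    jne not_pe
    mov edi, [esi].e_lfanew               ; file offset of the PE header == RVA here
    add edi, esi
    assume esi:nothing
    assume edi:ptr IMAGE_NT_HEADERS
    cmp [edi].Signature, 4550h            ; "PE\0\0"
    jne not_pe
    mov eax, [edi].OptionalHeader.ImageBase   ; what "read the preferred address" gives
    assume edi:nothing
    mov edx, pPreferred
    mov [edx], eax
    mov eax, esi                          ; the value that is right even after relocation
    ret
not_pe:
    assume esi:nothing
    assume edi:nothing
    xor eax, eax
    ret
GetExeBases endp

start:
    invoke GetExeBases, addr preferred
    mov actual, eax
    .if eax == 0
        invoke MessageBox, NULL, addr errmsg, addr cap, MB_ICONERROR
    .else
        invoke wsprintf, addr buf, addr fmt, actual, preferred
        invoke MessageBox, NULL, addr buf, addr cap, MB_OK
    .endif
    invoke ExitProcess, 0
end start
```

On an EXE linked the MASM32 default way the two numbers agree (400000h). If the image is linked with /DYNAMICBASE, or mandatory ASLR is switched on, the loader may relocate it on Vista and later, and then only the first number is correct; that is the sense in which reading the preferred address is unreliable.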

Subhadeep.Ghosh

Hello,

Thank you Hutch for your reply. I was not aware that the instance handle which Windows sends is actually the loading address of the process. Thank you once again.

Regards,
Subhadeep Ghosh

Retsim_X

Hi, if you REALLY need the base address you can use the following function. I needed it myself, but for other purposes. It will work for EXE files...

I have done a few quick mods to it... but yeah.


.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib

.data
ModName db MAX_PATH dup (0)            ; bare file name of the module to find

.data?
ProcessList PROCESSENTRY32 <?>
ModuleList  MODULEENTRY32 <?>
PathBuf     db MAX_PATH dup (?)

.code

ExtractShortFileName proc uses esi fnm:DWORD, incldir:DWORD
; Well, what's the name suggest it does, lol. Useful function!!
; Returns in eax a pointer into the string at fnm, just past the last
; backslash; incldir = number of trailing directory components to keep
; (0 = file name only). Scans backwards from the terminating null.
    mov esi, fnm
    invoke lstrlen, esi
    add esi, eax                       ; esi -> terminating null
    std                                ; lodsb walks backwards
  @@:
    lodsb
    .IF al == '\'
        .IF incldir > 0h
            dec incldir
        .ELSE
            add esi, 2d                ; step forward past the backslash just read
            jmp FoundBackslash
        .ENDIF
    .ENDIF
    cmp esi, fnm
    jae @b                             ; keep going until the first character was examined
    mov esi, fnm                       ; no backslash at all: the whole string is the name

  FoundBackslash:
    cld
    mov eax, esi
    ret
ExtractShortFileName endp

CheckForProc PROC uses ebx
    LOCAL SnapShothmod:DWORD
    LOCAL snapprocs:DWORD

; note: this searches for MODULES, not processes. This is because some games
; like FEAR have a game****.tmp file as a module, which is what is needed
; to patch, not the exe itself.
;
; Returns eax = base address of the first module named ModName found in any
; process, or -1 if none has one.

    invoke CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
    ; snapshot of the current process list
    cmp eax, INVALID_HANDLE_VALUE
    je NoSnapshot
    mov snapprocs, eax

    mov ProcessList.dwSize, sizeof PROCESSENTRY32
    invoke Process32First, snapprocs, addr ProcessList
    ; get first process
    jmp GetRunningApps_Chk

GetRunningApps_Loop: ; now we loop until we find the required module...
    ; if not, just return
    invoke CreateToolhelp32Snapshot, TH32CS_SNAPMODULE, ProcessList.th32ProcessID
    ; snapshot of this process's MODULE list. This fails (INVALID_HANDLE_VALUE)
    ; for processes we cannot open, e.g. System, protected processes, or
    ; 64-bit processes when this is a 32-bit program; those are skipped.
    mov SnapShothmod, eax
    cmp eax, INVALID_HANDLE_VALUE
    je NextProcess

    mov ModuleList.dwSize, sizeof MODULEENTRY32
    invoke Module32First, SnapShothmod, addr ModuleList
    ; get first MODULE
    jmp GetRunningMods_Chk

GetRunningMods_Loop: ; find the modules associated with the process
    ; szModule already holds the bare file name (szExePath has the full path),
    ; so the strip below is a no-op here; it would matter for szExePath.
    invoke ExtractShortFileName, addr ModuleList.szModule, 0
    mov ebx, eax
    invoke lstrcmpi, ebx, addr ModName ; compare it to see if we have found it
    .if eax == 0 ; got ya!
        mov ebx, ModuleList.modBaseAddr
        invoke CloseHandle, SnapShothmod  ; release both snapshots before returning
        invoke CloseHandle, snapprocs
        mov eax, ebx
        ret
    .endif

    invoke Module32Next, SnapShothmod, addr ModuleList
    ; get next module

GetRunningMods_Chk:
    test eax, eax
    ; if eax != 0 loop
    jnz GetRunningMods_Loop

    invoke CloseHandle, SnapShothmod   ; one module snapshot per process: close each one

NextProcess:
    invoke Process32Next, snapprocs, addr ProcessList

GetRunningApps_Chk:
    test eax, eax
    ; if eax != 0 loop
    jnz GetRunningApps_Loop

    ; close the process snapshot handle
    invoke CloseHandle, snapprocs

NoSnapshot:
    mov eax, -1 ; damn, can't find it <<<
    ret

CheckForProc ENDP

start:
    ; find the process exe name and move the name to the ModName variable;
    ; for the current process that is the file-name part of its own path
    invoke GetModuleFileName, NULL, addr PathBuf, MAX_PATH
    invoke ExtractShortFileName, addr PathBuf, 0
    invoke lstrcpy, addr ModName, eax

    invoke CheckForProc
    ; return value (eax) is the base address, or -1 if not found

    ; should be 400000 but CAN change on different languages

    invoke ExitProcess, 0

end start
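Retsim_X's routine walks every process and matches modules by name. For the OP's case, the current process, the same Toolhelp calls can be pointed at GetCurrentProcessId() with no process loop at all. The following is an added example, not Retsim_X's code: FindOwnModuleBase and the strings are names made up here, and kernel32.dll is a constructed lookup target (pass the program's own file name instead to get the value GetModuleHandle(NULL) returns). It also adds the ERROR_BAD_LENGTH retry that the CreateToolhelp32Snapshot documentation requires for TH32CS_SNAPMODULE, which the posted code lacks.

```masm
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

IFNDEF ERROR_BAD_LENGTH
ERROR_BAD_LENGTH equ 24              ; winerror.h value, in case windows.inc lacks it
ENDIF

.data
target   db "kernel32.dll",0         ; constructed example: module to look up in our own process
fmt      db "%s in this process: base %08Xh, size %08Xh",0
notfound db "module not loaded in this process",0
cap      db "Toolhelp",0

.data?
me       MODULEENTRY32 <?>
buf      db 512 dup(?)
modbase  dd ?
modsize  dd ?

.code

; FindOwnModuleBase (example name): returns eax = base address of the module
; whose file name is pName in the current process, or 0 if it is not loaded;
; the module's size in memory is stored at pSize.
FindOwnModuleBase proc pName:DWORD, pSize:DWORD
    LOCAL hSnap:DWORD
    LOCAL base:DWORD

    mov base, 0
  retry:
    invoke GetCurrentProcessId
    invoke CreateToolhelp32Snapshot, TH32CS_SNAPMODULE, eax
    cmp eax, INVALID_HANDLE_VALUE
    jne got_snap
    ; the module list can change while the snapshot is taken; the documented
    ; behaviour is to retry while the call fails with ERROR_BAD_LENGTH
    invoke GetLastError
    cmp eax, ERROR_BAD_LENGTH
    je retry
    xor eax, eax                     ; any other failure: report "not found"
    ret
  got_snap:
    mov hSnap, eax
    mov me.dwSize, sizeof MODULEENTRY32   ; must be set before Module32First
    invoke Module32First, hSnap, addr me
    .while eax != 0
        ; szModule is the bare file name already; szExePath is the full path
        invoke lstrcmpi, addr me.szModule, pName
        .if eax == 0
            mov eax, me.modBaseAddr
            mov base, eax
            mov eax, me.modBaseSize
            mov edx, pSize
            mov [edx], eax
            .break
        .endif
        invoke Module32Next, hSnap, addr me
    .endw
    invoke CloseHandle, hSnap        ; released on every path, found or not
    mov eax, base
    ret
FindOwnModuleBase endp

start:
    invoke FindOwnModuleBase, addr target, addr modsize
    mov modbase, eax
    .if eax == 0
        invoke MessageBox, NULL, addr notfound, addr cap, MB_OK
    .else
        invoke wsprintf, addr buf, addr fmt, addr target, modbase, modsize
        invoke MessageBox, NULL, addr buf, addr cap, MB_OK
    .endif
    invoke ExitProcess, 0
end start
```

Because the snapshot is of the calling process itself, the 32-bit/64-bit mismatch that makes TH32CS_SNAPMODULE fail against other processes cannot occur here, and modBaseAddr plus modBaseSize give the exact range the module occupies, which a name match against the preferred ImageBase never could.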