Hello! :)
I would like to ask for help because I want to know how I can find the memory address of a process.
I think it is called the "baseaddress". I just want to find the address where the PE structure begins, which starts with the first bytes "MZ", and then add an offset to
obtain some data.
Please help; I have searched for more than two full days and not found it.
Which API can I do this with?
are you talking about finding the header section or about finding the address of a routine ?
is the routine in your code, or in some external module ?
what, exactly, do you want the address of ?
in this thread, you may obtain the pe/coff specification in PDF form
http://www.masm32.com/board/index.php?topic=13135.0
it describes how to find the different sections
offset 4194304 - MZ is always here
Quote from: RHL on December 15, 2011, 09:18:47 AM
searched more than two full days and not found.
... and no help from your friends at http://foro.elhacker.net (http://foro.elhacker.net/programacion_visual_basic/sources_code_rotbits_byte_to_byte-t342467.0.html) ::)
So what do you want to do with that address, Raul?
read all memory of your process and write it to a file; you see where MZ is
4194304 - offset of MZ
.386
.model flat, stdcall
option casemap :none
include \MASM32\INCLUDE\windows.inc
include \MASM32\INCLUDE\user32.inc
include \MASM32\INCLUDE\kernel32.inc
includelib \MASM32\LIB\user32.lib
includelib \MASM32\LIB\kernel32.lib
.data
MyFile db "My.txt",0 ; output file that receives the memory dump
.data?
bytesWrite dd ? ; receives the number of bytes written by WriteFile
.code
start: ; 4198400 (401000h) - offset of the start of the code
invoke CreateFile,addr MyFile,GENERIC_WRITE,0,0,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0
.if eax!=INVALID_HANDLE_VALUE
push eax ; keep the file handle for CloseHandle
; write 10240 bytes starting at 4194304 (400000h), the image base where the "MZ" header sits
invoke WriteFile,eax,4194304,10240, addr bytesWrite,NULL
pop eax
invoke CloseHandle, eax
.endif
invoke ExitProcess,0
end start
Quote from: RHL on December 15, 2011, 09:18:47 AM
I think it is called "baseaddress." just wanted to find the address where the structure begins PE which begins the first bytes "MZ" and thus add an offset to
The module handle is the address of the PE-Header: GetModuleHandle() (http://msdn.microsoft.com/en-us/library/windows/desktop/ms683199(v=vs.85).aspx)
Quote from: bomz on December 15, 2011, 09:31:23 AM
offset 4194304 - MZ is always here
That is not the case, beginning with Windows Vista all load addresses can be random. ASLR (address space layout randomization) will relocate several key base addresses such as the address of the executable image and where DLLs are loaded. Beginning with Windows 7 and Link 10.0 it is enabled by default, I have found that in Win7-x64 using MASM I rarely get an executable loading at the same address.
Also, locating MZ is the first step in code injection and that topic is verboten here so you should tread lightly or a mod will shut down this thread.
Also, beginning with Windows XP SP2 key pointers can be encoded (including system pointers) further confusing any attempt to locate specific entry points.
Hi!
@dedndave
I want to find the 'baseaddress' of a running process,
for example the notepad.exe process.
It begins exactly where the MS-DOS header ('MZ') is.
@jj2007
Yes, I am:)
I do not really like this forum :) I would like to help and I'll do so when I can :)
Your nick looks familiar to me.
@qWord
Yes, I have already seen and used that function to get what I want,
but I gave it the name of a process and my return value is zero.
For example, to get the memory address of the notepad process, it returns me zero :(
@donkey
No, no.
My goal is not that.
I just want to get the address of the header, then add an offset and get the address of the data section, then get a value from that section :)
thanks all!
My test code is this:
.386
.model flat,stdcall
option casemap :none
include windows.inc
include kernel32.inc
includelib kernel32.lib
.data
process DB 'notepad.exe',0 ; name of the running process
address DD 0 ; receives the module handle (base address)
.code
inicio:
invoke GetModuleHandle,addr process ; looks only at modules loaded into this process
; EAX = ?
mov address,eax
xor edx,edx
mov edx,address
invoke ExitProcess,0 ; exit cleanly instead of running past the end of .code
end inicio
But the result is zero :/
You have what appears to be a misunderstanding of protected mode. First off GetModuleHandle only works with modules loaded by your process, it does not and cannot work on external processes. Second in protected mode all processes run in their own address space, without taking into account ASLR, they will all have the exact same base address but you will not be able to examine that address except using OpenProcess/ReadProcessMemory passing the process id of Notepad.exe. To get the PID you will probably have to walk the process list using the ToolHelp or PSAPI api. Again there are restrictions, for example the access permissions granted by the target process. This is advanced programming though there are many examples here of how to do it, there is an example on my website called LVDesktop9xNt that demonstrates the appropriate APIs.
By the way the xor edx,edx isn't necessary, it simply sets the register to zero and the next instruction overwrites it.
Quote
beginning with Windows Vista all load addresses can be random
Maybe this:
mov eax, Start
sub eax, 4096 ?????????
This address (the MZ offset) has no sense. The main thing: do two copies of one application have the same offset to the same variable??? Under XP, Vista, 7, NT?
I am trying to decide the most correct method to realize such a thing:
only one copy of the application is allowed. But when a second (third....) copy runs before the first is closed, it sends its command parameters to the running (first) copy. For this, common memory is needed.
Quote from: bomz on December 15, 2011, 09:18:09 PM
Quote
beginning with Windows Vista all load addresses can be random
Maybe this:
mov eax, Start
sub eax, 4096 ?????????
This is a valid method to get the base address: GetModuleHandle[Ex]()!
Quote from: bomz on December 15, 2011, 09:18:09 PM
This address (the MZ offset) has no sense.
'MZ' is the DOS-Header's signature (first two bytes) and not an address.
Quote from: bomz on December 15, 2011, 09:18:09 PM
The main thing: do two copies of one application have the same offset to the same variable??? Under XP, Vista, 7, NT?
As donkey said, when ASLR is enabled, the module's base address varies.
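To make qWord's point concrete (the module handle is where the headers start, and the section addresses follow from them, which is what RHL asked for in his own process), here is an added C example that is not code from this thread: it parses a constructed in-memory PE32 image, checks the 'MZ' and "PE\0\0" signatures, reads the preferred ImageBase, and returns the RVA of a named section. The sample image, SAMPLE_LEN and the function names are assumptions; on a real module the address returned by GetModuleHandle(NULL) would be passed as img.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SAMPLE_LEN 0x200
/* Little-endian field readers with bounds checks; out-of-range reads yield 0. */
static uint32_t rd16(const uint8_t *p, size_t len, size_t off) {
    return off + 2 <= len ? (uint32_t)p[off] | (uint32_t)p[off + 1] << 8 : 0;
}
static uint32_t rd32(const uint8_t *p, size_t len, size_t off) {
    return off + 4 <= len ? rd16(p, len, off) | rd16(p, len, off + 2) << 16 : 0;
}
/* DOS header -> PE signature: 'MZ' at 0, e_lfanew at 3Ch, "PE\0\0" there. Returns 0 if not a PE image. */
static size_t pe_offset(const uint8_t *img, size_t len) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    size_t pe = rd32(img, len, 0x3C);
    return (pe && pe < len && pe + 24 <= len && memcmp(img + pe, "PE\0\0", 4) == 0) ? pe : 0;
}
/* Preferred load address (ImageBase, optional-header offset 28, PE32 only); with ASLR the loader may relocate the module. */
uint32_t image_base(const uint8_t *img, size_t len) {
    size_t pe = pe_offset(img, len);
    if (!pe || rd16(img, len, pe + 24) != 0x10b) return 0;   /* 10Bh = PE32 magic */
    return rd32(img, len, pe + 24 + 28);
}
/* RVA of the named section (module base + RVA = its address in memory), or 0 if absent. */
uint32_t section_rva(const uint8_t *img, size_t len, const char *name) {
    size_t pe = pe_offset(img, len);
    if (!pe) return 0;
    uint32_t nsec = rd16(img, len, pe + 6), optsz = rd16(img, len, pe + 20);
    size_t sec = pe + 24 + optsz;                              /* section table follows the optional header */
    for (uint32_t i = 0; i < nsec && sec + 40 <= len; i++, sec += 40)
        if (strncmp((const char *)img + sec, name, 8) == 0) return rd32(img, len, sec + 12);
    return 0;
}
/* Constructed sample image (not a real executable): PE32, .text at RVA 1000h, .data at RVA 3000h. */
static uint8_t sample[SAMPLE_LEN];
const uint8_t *sample_image(void) {
    memset(sample, 0, sizeof sample);
    sample[0] = 'M'; sample[1] = 'Z'; sample[0x3C] = 0x80;      /* e_lfanew = 80h */
    memcpy(sample + 0x80, "PE\0\0", 4);
    sample[0x86] = 2;  sample[0x94] = 0xE0;                     /* NumberOfSections, SizeOfOptionalHeader */
    sample[0x98] = 0x0b; sample[0x99] = 0x01;                   /* PE32 magic 10Bh */
    sample[0x98 + 28 + 2] = 0x40;                               /* ImageBase = 400000h = 4194304 */
    memcpy(sample + 0x178, ".text", 5); sample[0x178 + 13] = 0x10;   /* VirtualAddress 1000h */
    memcpy(sample + 0x1A0, ".data", 5); sample[0x1A0 + 13] = 0x30;   /* VirtualAddress 3000h */
    return sample;
}
int main(void) {                                                /* prints ImageBase 00400000, .data RVA 00003000 */
    const uint8_t *img = sample_image();
    printf("ImageBase %08x, .data RVA %08x\n", (unsigned)image_base(img, SAMPLE_LEN), (unsigned)section_rva(img, SAMPLE_LEN, ".data"));
}
```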
So correct sending of data between applications is possible only by allocating common memory in the context of the first application and sending its handle?
Is it possible to free this memory from any copy of the application?
Quote from: bomz on December 15, 2011, 10:01:24 PM
So correct sending of data between applications is possible only by allocating common memory in the context of the first application and sending its handle?
Is it possible to free this memory from any copy of the application?
You can't share 'common' memory handles between processes, because each process has its own virtual address space.
You may read this: Interprocess Communications (http://msdn.microsoft.com/en-us/library/windows/desktop/aa365574(v=vs.85).aspx)
Pipe
I get the impression that we are being fed bullshit here as the reasons given so far for pursuing this information are not making sense. I am closing this topic for being in violation of the forum rules.
Contact admin if you have a better description of why you are looking for this information.