
How to get the address of a process?

Started by RHL, December 15, 2011, 09:18:47 AM


RHL

Hello! :)
It is good to be able to ask for help, because I want to know how I can find the memory address of a process.
I think it is called the "baseaddress". I just want to find the address where the PE structure begins, which starts with the first bytes "MZ", and then add an offset to
obtain some data.

Please help; I have searched for more than two full days and found nothing.
With which API can I do this?

dedndave

are you talking about finding the header section or about finding the address of a routine ?
is the routine in your code, or in some external module ?
what, exactly, do you want the address of ?

dedndave

in this thread, you may obtain the pe/coff specification in PDF form
http://www.masm32.com/board/index.php?topic=13135.0
it describes how to find the different sections

jj2007

Quote from: RHL on December 15, 2011, 09:18:47 AM
searched more than two full days and not found.

... and no help from your friends at http://foro.elhacker.net  ::)

So what do you want to do with that address, Raul?

bomz

Read all the memory of your process and write it to a file; you will see where MZ is.

bomz

4194304 - offset of MZ
.386

.model flat, stdcall
option casemap :none

include \MASM32\INCLUDE\windows.inc
include \MASM32\INCLUDE\user32.inc
include \MASM32\INCLUDE\kernel32.inc
includelib \MASM32\LIB\user32.lib
includelib \MASM32\LIB\kernel32.lib

.data
MyFile db "My.txt",0

.data?
bytesWrite   dd ?

.code
start:               ; 4198400 (401000h) - offset of the start of code
; dump 10240 bytes starting at 4194304 (400000h, the default image base of a
; MASM32 EXE) into My.txt; the "MZ" header is at the very beginning of the dump
invoke CreateFile,addr MyFile,GENERIC_WRITE,0,0,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0
.if eax!=INVALID_HANDLE_VALUE
push eax             ; keep the file handle across the WriteFile call
invoke WriteFile,eax,4194304,10240, addr bytesWrite,NULL
pop eax
invoke CloseHandle, eax
.endif
invoke ExitProcess,0
end start

qWord

Quote from: RHL on December 15, 2011, 09:18:47 AM
I think it is called "baseaddress." just wanted to find the address where the structure begins PE which begins the first bytes "MZ" and thus add an offset to
The module handle is the address of the PE-Header: GetModuleHandle()
FPU in a trice: SmplMath
It's that simple!

donkey

Quote from: bomz on December 15, 2011, 09:31:23 AM
offset 4194304 - MZ always here

That is not the case: beginning with Windows Vista, all load addresses can be random. ASLR (address space layout randomization) will relocate several key base addresses, such as the address of the executable image and where DLLs are loaded. Beginning with Windows 7 and Link 10.0 it is enabled by default; I have found that in Win7-x64 using MASM I rarely get an executable loading at the same address.

Also, locating MZ is the first step in code injection, and that topic is verboten here, so you should tread lightly or a mod will shut down this thread.
"Ahhh, what an awful dream. Ones and zeroes everywhere...[shudder] and I thought I saw a two." -- Bender
"It was just a dream, Bender. There's no such thing as two". -- Fry
-- Futurama

Donkey's Stable

donkey

Also, beginning with Windows XP SP2 key pointers can be encoded (including system pointers) further confusing any attempt to locate specific entry points.

RHL

Hi!

@dedndave
I want to find the 'baseaddress' of a process that is running,
for example the notepad.exe process.
It begins exactly where the MSDOS header ('MZ') is.

@jj2007
Yes, I am :)
I do not really like that forum :) I would like to help, and I will do so when I can :)
Your nick seems familiar to me.

@qWord
Yes, I have seen that function used to get what I want,
but I pass it the name of a process and my return value is zero.
For example, to get the memory address of the notepad process, it returns zero to me :(

@donkey
No, no.
That is not my goal.
I just want to get the address of the header, then add an offset to get the address of the data section, and then read a value from that section :)



thanks all!

RHL

My test code is this:
.386
.model flat,stdcall
option casemap:none

include windows.inc
include kernel32.inc

includelib kernel32.lib


.data
process DB 'notepad.exe',0 ; name of a process that is running (not a module loaded in this process)
address DD 0
.code
inicio:


invoke GetModuleHandle,addr process
; EAX = ?  (GetModuleHandle only finds modules mapped into the calling process, so this gives 0)
mov address,eax
xor edx,edx
mov edx,address

invoke ExitProcess,0
end inicio

but the result is zero :/

donkey

You have what appears to be a misunderstanding of protected mode. First off, GetModuleHandle only works with modules loaded by your process; it does not and cannot work on external processes. Second, in protected mode all processes run in their own address space; without taking ASLR into account, they will all have the exact same base address, but you will not be able to examine that address except by using OpenProcess/ReadProcessMemory, passing the process id of Notepad.exe. To get the PID you will probably have to walk the process list using the ToolHelp or PSAPI API. Again there are restrictions, for example the access permissions granted by the target process. This is advanced programming, though there are many examples here of how to do it; there is an example on my website called LVDesktop9xNt that demonstrates the appropriate APIs.

By the way the xor edx,edx isn't necessary, it simply set the register to zero and the next instruction overwrites it.
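Added example, not code from this thread or from the MASM32 package: a small C parser that does, on a byte buffer, what qWord and donkey describe above. The module base is the address of the "MZ" header; e_lfanew leads to the "PE\0\0" signature; the section table gives the RVA of .data, so the address RHL wants is base + RVA; and the DynamicBase bit in the optional header's DllCharacteristics is what tells the loader it may move the image off its preferred ImageBase (donkey's ASLR point). The image it parses is a constructed minimal PE32 header set built in memory, so it compiles and runs on any host; the Windows glue that would supply real bytes (GetModuleHandle for your own process, OpenProcess + ReadProcessMemory from the modBaseAddr reported by Module32First for another process) is described in the note below and is not part of the block.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_DOS_SIGNATURE 0x5A4D                    /* "MZ" read little-endian */
#define IMAGE_NT_SIGNATURE  0x00004550                /* "PE\0\0" */
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040  /* loader may relocate (ASLR) */

/* Little-endian field access: the image is handled as raw bytes so no <windows.h> is needed. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Check "MZ" and "PE\0\0" and bound e_lfanew before trusting it: in a hostile image
   it can point anywhere. Returns 1 and the NT header offset on success, else 0. */
static int pe_validate(const uint8_t *img, size_t len, uint32_t *nt_out)
{
    uint32_t nt;
    if (len < 0x40 || rd16(img) != IMAGE_DOS_SIGNATURE) return 0;
    nt = rd32(img + 0x3C);                                   /* e_lfanew */
    if (nt > len - 24 || rd32(img + nt) != IMAGE_NT_SIGNATURE) return 0;
    if (nt_out) *nt_out = nt;
    return 1;
}

/* 1 if DynamicBase is set (the 4194304 base is only a preference), 0 if not,
   -1 on invalid/truncated headers. DllCharacteristics is at +70 in PE32 and PE32+. */
static int pe_dynamic_base(const uint8_t *img, size_t len)
{
    uint32_t nt; uint16_t opt_size;
    if (!pe_validate(img, len, &nt)) return -1;
    opt_size = rd16(img + nt + 20);                          /* SizeOfOptionalHeader */
    if (opt_size < 72 || (size_t)nt + 24 + opt_size > len) return -1;
    return (rd16(img + nt + 24 + 70) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) ? 1 : 0;
}

/* RVA of the named section (offset from the module base), or -1 if absent.
   Section headers are 40 bytes each and follow the optional header. */
static long pe_section_rva(const uint8_t *img, size_t len, const char *name)
{
    uint32_t nt; uint16_t i, nsec; size_t sec;
    if (!pe_validate(img, len, &nt)) return -1;
    nsec = rd16(img + nt + 6);                               /* NumberOfSections */
    sec = (size_t)nt + 24 + rd16(img + nt + 20);             /* first section header */
    for (i = 0; i < nsec; i++, sec += 40) {
        if (sec + 40 > len) return -1;                       /* truncated section table */
        if (strncmp((const char *)img + sec, name, 8) == 0)
            return (long)rd32(img + sec + 12);               /* VirtualAddress */
    }
    return -1;
}

/* The arithmetic asked for in the thread: address of "MZ" (module base) + RVA. */
static uintptr_t pe_section_va(uintptr_t base, const uint8_t *img, size_t len, const char *name)
{
    long rva = pe_section_rva(img, len, name);
    return rva < 0 ? 0 : base + (uintptr_t)rva;
}

/* Constructed test input (not a real file): minimal PE32 headers with .text and
   .data sections and a chosen DllCharacteristics. Returns bytes written. */
static size_t build_image(uint8_t *buf, size_t len, uint16_t dllchars)
{
    const uint32_t nt = 0x80; const uint16_t opt_size = 224; uint8_t *sec;
    memset(buf, 0, len);
    wr16(buf, IMAGE_DOS_SIGNATURE);
    wr32(buf + 0x3C, nt);                                    /* e_lfanew */
    wr32(buf + nt, IMAGE_NT_SIGNATURE);
    wr16(buf + nt + 4, 0x014C);                              /* Machine: i386 */
    wr16(buf + nt + 6, 2);                                   /* NumberOfSections */
    wr16(buf + nt + 20, opt_size);                           /* SizeOfOptionalHeader */
    wr16(buf + nt + 24, 0x10B);                              /* optional header magic: PE32 */
    wr32(buf + nt + 24 + 28, 0x400000);                      /* ImageBase = 4194304 */
    wr16(buf + nt + 24 + 70, dllchars);                      /* DllCharacteristics */
    sec = buf + nt + 24 + opt_size;
    memcpy(sec, ".text\0\0\0", 8); wr32(sec + 8, 0x200); wr32(sec + 12, 0x1000);
    sec += 40;
    memcpy(sec, ".data\0\0\0", 8); wr32(sec + 8, 0x100); wr32(sec + 12, 0x2000);
    return (size_t)(sec + 40 - buf);
}

/* Wrappers that build the constructed image and query it. */
static int demo_dynamic_base(uint16_t dllchars)
{ uint8_t img[512]; size_t n = build_image(img, sizeof img, dllchars); return pe_dynamic_base(img, n); }
static long demo_section_rva(const char *name)
{ uint8_t img[512]; size_t n = build_image(img, sizeof img, 0); return pe_section_rva(img, n, name); }
static uintptr_t demo_section_va(uintptr_t base, const char *name)
{ uint8_t img[512]; size_t n = build_image(img, sizeof img, 0); return pe_section_va(base, img, n, name); }
static long demo_bad_magic(void)                             /* "MZ" overwritten: must be rejected */
{ uint8_t img[512]; size_t n = build_image(img, sizeof img, 0); img[0] = 'X'; return pe_section_rva(img, n, ".data"); }

int main(void)
{
    printf("DynamicBase set: %d (flag on) / %d (flag off)\n",
           demo_dynamic_base(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE), demo_dynamic_base(0));
    printf(".data RVA 0x%lx -> 0x%lx if the image sits at 0x400000\n",
           demo_section_rva(".data"), (unsigned long)demo_section_va(0x400000, ".data"));
    printf("corrupted MZ rejected: %ld\n", demo_bad_magic());
    return 0;
}
```

On a live Windows process the buffer handed to these functions would be the bytes at the module base rather than the constructed image: for your own process, GetModuleHandle(NULL) is that base, as qWord says; for notepad.exe you would OpenProcess the PID with PROCESS_VM_READ and PROCESS_QUERY_INFORMATION, take modBaseAddr from Module32First over a CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid), and ReadProcessMemory at least SizeOfHeaders bytes from it (that glue is assumed here, not shown). Bounding e_lfanew and the section table against the buffer length matters because a crafted header is the classic way to make a naive PE walker read out of bounds.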

bomz

Quote: beginning with Windows Vista all load addresses can be random

Maybe this -
mov eax, Start
sub eax, 4096  ?????????

This address - the MZ offset - does not have any sense. The main thing: do two copies of one application have the same offset to the same variable??? Under XP, Vista, 7, NT?

bomz

I am trying to decide the most correct method to realize such a thing:

Only one copy of the application is allowed. But when a second (third...) copy is run before the first is closed, it sends its command parameter to the running (first) copy. For this, shared memory is needed