Exetools  

Go Back   Exetools > General > General Discussion
Reload this Page Finding base address in a remote process
Register Forum Rules FAQ Calendar

Notices

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #3  
Old 11-01-2007, 16:09
taos's Avatar
taos taos is offline
The Art Of Silence
  
Join Date: Aug 2004
Location: In front of my screen
Posts: 580
Rept. Given: 65
Rept. Rcvd 54 Times in 19 Posts
Thanks Given: 69
Thanks Rcvd at 137 Times in 36 Posts
taos Reputation: 54
Quote:
Originally Posted by yaa
I was wondering how I can retrieve the base address of an external process. My need it to get to its IAT and I suppose the base address could be a good starting point but ... I was not able to find any useful piece of code around.
Code:
//
// Gets the address of the entry point routine given a
// handle to a process and its primary thread.
//
DWORD GetProcessEntryPointAddress( HANDLE hProcess, HANDLE hThread )
{
    CONTEXT             context;
    LDT_ENTRY           entry;
    TEB                 teb;
    PEB                 peb;
    DWORD               read;
    DWORD               dwFSBase;
    DWORD               dwImageBase, dwOffset;
    DWORD               dwOptHeaderOffset;
    optional_header     opt;
    
    //
    // get the current thread context
    //
    context.ContextFlags = CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS;
    GetThreadContext( hThread, &context );
    
    //
    // use the segment register value to get a pointer to
    // the TEB
    //
    GetThreadSelectorEntry( hThread, context.SegFs, &entry );
    dwFSBase = ( entry.HighWord.Bits.BaseHi << 24 ) |
                     ( entry.HighWord.Bits.BaseMid << 16 ) |
                     ( entry.BaseLow );
    
    //
    // read the teb
    //
    ReadProcessMemory( hProcess, (LPCVOID)dwFSBase,
                       &teb, sizeof( TEB ), &read );
    
    //
    // read the peb from the location pointed at by the teb
    //
    ReadProcessMemory( hProcess, (LPCVOID)teb.Peb,
                       &peb, sizeof( PEB ), &read );
    
    //
    // figure out where the entry point is located;
    //
    dwImageBase = (DWORD)peb.ImageBaseAddress;
    ReadProcessMemory( hProcess, (LPCVOID)( dwImageBase + 0x3c ),
                       &dwOffset, sizeof( DWORD ), &read );
    
    dwOptHeaderOffset = ( dwImageBase + dwOffset + 4 + sizeof( coff_header ) );
    ReadProcessMemory( hProcess, (LPCVOID)dwOptHeaderOffset,
                       &opt, sizeof( optional_header ), &read );
    
    return ( dwImageBase + opt.entry_point );
}
More usefull information
hppp://www.codeproject.com/useritems/selfdel.asp
__________________
omnino lo qui quae que quod somos es pulvis en el ventus.
TAOS

-The opposite of courage in our society is not cowardice, but conformity-
Reply With Quote
 

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Finding API Address britedream General Discussion 5 10-05-2006 21:28
Can we hook some func in another process then change return address? Teerayoot General Discussion 5 09-21-2004 11:12


All times are GMT +8. The time now is 02:59.

Aaron's homepage - Top

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( Since 1998 )