Exetools  

Go Back   Exetools > General > General Discussion
Reload this Page ReadProcessMemory etc in VB6
Register Forum Rules FAQ Calendar

Notices

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #6  
Old 01-06-2007, 03:47
JoeStewart
 
Posts: n/a
The loaded image's base address can be found in the PEB. You can get the PEB's base address by calling NtQueryInformationProcess with the PROCESS_BASIC_INFORMATION constant. The information you want is a 32-bit value stored at offset 8 from the PEB base address. There are plenty of examples of this in C, not too many in VB I can find for you. Have a look at:

http://www.vbstreets.ru/VB/Articles/66404.aspx

You'll want to follow the same technique, calling NtQueryInformationProcess to get the PEB base, then use ReadProcessMemory to read 4 bytes from PBI.PebBaseAddress + 8 and that's your base address to read the process image from virtual memory.
Reply With Quote
 

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


All times are GMT +8. The time now is 23:59.

Aaron's homepage - Top

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( Since 1998 )