flat assembler
Message board for the users of flat assembler.

Index > Windows > [HELP] - Get Base Address of Running Process

Author
Thread Post new topic Reply to topic
ctl3d32



Joined: 30 Dec 2009
Posts: 206
Location: Brazil
ctl3d32 28 Oct 2010, 03:02
Hi folks!

I'm trying to get base address of a runnig process, but can't make it work.

I know that, most of the times, the base address of a running process is 0x00400000

I don't want to assume that, in case it is not 0x00400000 for a given .exe.

I'm getting two erros in my attempt:
1. The base address is always returning 0x0 in VirtualQueryEX;
2. My .exe is not ending properly.

Could someone please help me?

P.S.: Edit constant "gamename" in .data section. It holds the name of the process i want the base address.

Thanks a lot,
ctl3d32


Description:
Download
Filename: GetBaseAddress.ASM
Filesize: 3.97 KB
Downloaded: 267 Time(s)

Post 28 Oct 2010, 03:02
View user's profile Send private message Reply with quote
edfed



Joined: 20 Feb 2006
Posts: 4353
Location: Now
edfed 28 Oct 2010, 10:51
the VIRTUAL base adress of a process is 400000h.
the paging makes it possible.
and to know exactlly the base adress of a programm, the easy way is to make this:

Code:
startofcode:
mov eax,$
    


but to know the real base adress, it is another Q.
Post 28 Oct 2010, 10:51
View user's profile Send private message Visit poster's website Reply with quote
b1528932



Joined: 21 May 2010
Posts: 287
b1528932 28 Oct 2010, 14:31
psapi can enum modules.

1. attach debugger
2. enum modules
3. do some work
4. detach debugger
Post 28 Oct 2010, 14:31
View user's profile Send private message Reply with quote
baldr



Joined: 19 Mar 2008
Posts: 1651
baldr 28 Oct 2010, 16:31
edfed wrote:
the VIRTUAL base adress of a process is 400000h.
Image base, perhaps? This is not set in stone, just a default for historical reasons (IIRC, low 4 MiB area is reserved for MS-DOS compatibility in Win9x): one can easily build PE with preferred load address, ImageBase, being zero; this PE can be successfully loaded if base relocations are present in it. You even don't have to bother with separate linking: take any fasm-compiled PE with base relocations and rebase it anywhere (editbin /rebase:base=base).

----8<----
ctl3d32,

If you won't mind some undocumented functions/structures, NtQueryInformationProcess() can be useful.
Post 28 Oct 2010, 16:31
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.