Finding base address in a remote process

Hello,

I was wondering how I can retrieve the base address of an external process. My need it to get to its IAT and I suppose the base address could be a good starting point but ... I was not able to find any useful piece of code around.

I imagine I could always do an OpenProcess on the remote process and then start reading its memory looking for the dos header structure or any well known sequence of bytes ....

Is there anything better than this approach to find the IAT in a remote/external process?

Thanks.


Regards,

You can use EnumProcessModules() to retrive the existing modules in the remote process. The first module is the executable file.

[taos]

Quote:

Originally Posted by yaa

I was wondering how I can retrieve the base address of an external process. My need it to get to its IAT and I suppose the base address could be a good starting point but ... I was not able to find any useful piece of code around.

Code:

//
// Gets the address of the entry point routine given a
// handle to a process and its primary thread.
//
DWORD GetProcessEntryPointAddress( HANDLE hProcess, HANDLE hThread )
{
    CONTEXT             context;
    LDT_ENTRY           entry;
    TEB                 teb;
    PEB                 peb;
    DWORD               read;
    DWORD               dwFSBase;
    DWORD               dwImageBase, dwOffset;
    DWORD               dwOptHeaderOffset;
    optional_header     opt;
    
    //
    // get the current thread context
    //
    context.ContextFlags = CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS;
    GetThreadContext( hThread, &context );
    
    //
    // use the segment register value to get a pointer to
    // the TEB
    //
    GetThreadSelectorEntry( hThread, context.SegFs, &entry );
    dwFSBase = ( entry.HighWord.Bits.BaseHi << 24 ) |
                     ( entry.HighWord.Bits.BaseMid << 16 ) |
                     ( entry.BaseLow );
    
    //
    // read the teb
    //
    ReadProcessMemory( hProcess, (LPCVOID)dwFSBase,
                       &teb, sizeof( TEB ), &read );
    
    //
    // read the peb from the location pointed at by the teb
    //
    ReadProcessMemory( hProcess, (LPCVOID)teb.Peb,
                       &peb, sizeof( PEB ), &read );
    
    //
    // figure out where the entry point is located;
    //
    dwImageBase = (DWORD)peb.ImageBaseAddress;
    ReadProcessMemory( hProcess, (LPCVOID)( dwImageBase + 0x3c ),
                       &dwOffset, sizeof( DWORD ), &read );
    
    dwOptHeaderOffset = ( dwImageBase + dwOffset + 4 + sizeof( coff_header ) );
    ReadProcessMemory( hProcess, (LPCVOID)dwOptHeaderOffset,
                       &opt, sizeof( optional_header ), &read );
    
    return ( dwImageBase + opt.entry_point );
}

More usefull information
hppp://www.codeproject.com/useritems/selfdel.asp

[ahmadmansoor]

Nice One Taos . is there Code In VB6 pls
many thanks for u ......

[ricnar456]

GetModuleHandleA i think will be useful, look when is called and see in EAX the value when return from api.

ricnar

ricnar456, your post made me wonder, how can you discover if a routine is a function (thus returns a value) or is a procedure (returns nothing)? Is there any to understand it?

yaa

[taos]

Simple, look at API prototypes. GetmodulehandleA is an API function.

taos

the meaning of my question was, if there is a way, at runtime, to discover if a routine is a function or a procedure. My knowledge of assembly is really lousy but I can't find any clue to answer my question based on registers or flags. I mean, EAX could have changed value during a routine's execution without it meaning that it is a return value.

Am I right or am I missing something?


yaa

[taos]

Quote:

Originally Posted by yaa

I mean, EAX could have changed value during a routine's execution without it meaning that it is a return value.

Am I right or am I missing something?

Not exactly, any procedure must push all generic registers and before to return pop it so if they are procedures, you must have the same values in generic registers (EAX,EDX,etc...) but not in stack register and others.

It's more easy to test it, use sleep procedure api (Declare Sub Sleep Lib "kernel32.dll" (ByVal dwMilliseconds As Long) ) and messagebeep api function (Declare Function MessageBeep Lib "user32.dll" (ByVal wType As Long) As Long), in a simple asm program.Debug with olly and follow generic registers before and after sleep and messagebeep APIs.