Finding base address in a remote process

Hello,

I was wondering how I can retrieve the base address of an external process. My need it to get to its IAT and I suppose the base address could be a good starting point but ... I was not able to find any useful piece of code around.

I imagine I could always do an OpenProcess on the remote process and then start reading its memory looking for the dos header structure or any well known sequence of bytes ....

Is there anything better than this approach to find the IAT in a remote/external process?

Thanks.


Regards,

You can use EnumProcessModules() to retrive the existing modules in the remote process. The first module is the executable file.

[taos]

Quote:

Originally Posted by yaa

I was wondering how I can retrieve the base address of an external process. My need it to get to its IAT and I suppose the base address could be a good starting point but ... I was not able to find any useful piece of code around.

Code:

//
// Gets the address of the entry point routine given a
// handle to a process and its primary thread.
//
DWORD GetProcessEntryPointAddress( HANDLE hProcess, HANDLE hThread )
{
    CONTEXT             context;
    LDT_ENTRY           entry;
    TEB                 teb;
    PEB                 peb;
    DWORD               read;
    DWORD               dwFSBase;
    DWORD               dwImageBase, dwOffset;
    DWORD               dwOptHeaderOffset;
    optional_header     opt;
    
    //
    // get the current thread context
    //
    context.ContextFlags = CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS;
    GetThreadContext( hThread, &context );
    
    //
    // use the segment register value to get a pointer to
    // the TEB
    //
    GetThreadSelectorEntry( hThread, context.SegFs, &entry );
    dwFSBase = ( entry.HighWord.Bits.BaseHi << 24 ) |
                     ( entry.HighWord.Bits.BaseMid << 16 ) |
                     ( entry.BaseLow );
    
    //
    // read the teb
    //
    ReadProcessMemory( hProcess, (LPCVOID)dwFSBase,
                       &teb, sizeof( TEB ), &read );
    
    //
    // read the peb from the location pointed at by the teb
    //
    ReadProcessMemory( hProcess, (LPCVOID)teb.Peb,
                       &peb, sizeof( PEB ), &read );
    
    //
    // figure out where the entry point is located;
    //
    dwImageBase = (DWORD)peb.ImageBaseAddress;
    ReadProcessMemory( hProcess, (LPCVOID)( dwImageBase + 0x3c ),
                       &dwOffset, sizeof( DWORD ), &read );
    
    dwOptHeaderOffset = ( dwImageBase + dwOffset + 4 + sizeof( coff_header ) );
    ReadProcessMemory( hProcess, (LPCVOID)dwOptHeaderOffset,
                       &opt, sizeof( optional_header ), &read );
    
    return ( dwImageBase + opt.entry_point );
}

More usefull information
hppp://www.codeproject.com/useritems/selfdel.asp

[ahmadmansoor]

Nice One Taos . is there Code In VB6 pls
many thanks for u ......

[ricnar456]

GetModuleHandleA i think will be useful, look when is called and see in EAX the value when return from api.

ricnar

ricnar456, your post made me wonder, how can you discover if a routine is a function (thus returns a value) or is a procedure (returns nothing)? Is there any to understand it?

yaa

[taos]

Simple, look at API prototypes. GetmodulehandleA is an API function.

taos

the meaning of my question was, if there is a way, at runtime, to discover if a routine is a function or a procedure. My knowledge of assembly is really lousy but I can't find any clue to answer my question based on registers or flags. I mean, EAX could have changed value during a routine's execution without it meaning that it is a return value.

Am I right or am I missing something?


yaa

[taos]

Quote:

Originally Posted by yaa

I mean, EAX could have changed value during a routine's execution without it meaning that it is a return value.

Am I right or am I missing something?

Not exactly, any procedure must push all generic registers and before to return pop it so if they are procedures, you must have the same values in generic registers (EAX,EDX,etc...) but not in stack register and others.

It's more easy to test it, use sleep procedure api (Declare Sub Sleep Lib "kernel32.dll" (ByVal dwMilliseconds As Long) ) and messagebeep api function (Declare Function MessageBeep Lib "user32.dll" (ByVal wType As Long) As Long), in a simple asm program.Debug with olly and follow generic registers before and after sleep and messagebeep APIs.

I tested this in a small C app, with a function that returns a value and one that returns void. I can't in any way distinguish the two cases. btw, EAX is not among the registers whose values a C programs expects each routine will maintain so ...

yaa

[Nacho_dj]

In fact, in assembler instructions it is quite difficult to decide if you are facing a procedure or a function.

But you could follow this approach: if the EAX value after the return of the CALL is used immediately in the code, it should be a function, and if the EAX value is ignored after that return, you could think of it as a procedure...

Normally, this should work if you are reversing code to a higher level of programming.

Cheers

Nacho_dj

Yes, if the application is written in a high level language ... but if it is not ...

yaa