Get base address of process
Question

I want to access a certain address of a process. But for that I need to get the base address of the process first. I'm using a tool to see if I'm actually doing it right. The tool shows I need the following: "app.exe"+0x011F9B08 = 0x119F8300

I thought I could obtain the base address of a process through OpenProcess(), but that gives me 0x0000005c as a result. I don't think that is right? At least, not what I need.

I think the base address I need is: 0x119F8300 - 0x011F9B08 = 0x107FE7F8 <-- base?
This is my code:

```c
#include <windows.h>

/* Declarations assumed from the surrounding code (not shown in the question):
   HWND hWindow; DWORD dwProcId = 0; HANDLE hProcHandle = NULL; LPCTSTR lpWindowName; */

hWindow = FindWindow(NULL, lpWindowName);
if (hWindow)
{
    /* Map the window back to the process that owns it */
    GetWindowThreadProcessId(hWindow, &dwProcId);
    if (dwProcId != 0)
    {
        /* hProcHandle -> 0x0000005c */
        hProcHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcId);
    }
    else
    {
        return 0;
    }
}
```
How do I get the base address of the process?
Answer

If you want to get the virtual address within the other process's address space, you can do that like so:
- Open the process using OpenProcess. If successful, the value returned is a handle to the process, which is just an opaque token used by the kernel to identify a kernel object. Its exact integer value (0x5c in your case) has no meaning to userspace programs, other than to distinguish it from other handles and invalid handles.
- Call GetProcessImageFileName to get the name of the main executable module of the process.
- Use EnumProcessModules to enumerate the list of all modules in the target process.
- For each module, call GetModuleFileNameEx to get the filename, and compare it with the executable's filename.
- When you've found the executable's module, call GetModuleInformation to get the raw entry point of the executable.
This will give you the virtual address, but there's not a whole lot you can do with it since it's not mapped into your current process's address space.
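The steps in the answer, carried out end to end as an added example (this is not code from the question or the answer). It uses the .NET System.Diagnostics.Process API, which wraps the same PSAPI enumeration the answer lists (EnumProcessModules / GetModuleFileNameEx / GetModuleInformation); ProcessModule.BaseAddress is the value GetModuleInformation returns in MODULEINFO.lpBaseOfDll. The process name "app", module name "app.exe" and offset 0x011F9B08 are taken from the question; the function names Get-ModuleBase and Resolve-ModuleOffset are hypothetical helpers written for this example. Once the base is known, base + 0x011F9B08 should equal the 0x119F8300 the asker's tool reported, which is exactly the check the asker wanted to make.

```powershell
# Added example, not part of the original question or answer.
# Resolves "<module>+<offset>" (the notation the asker's tool shows) to an absolute
# virtual address inside another process. Assumes a process named "app" whose main
# module is "app.exe" (names from the question); function names are hypothetical.

function Get-ModuleBase {
    param(
        [Parameter(Mandatory)][System.Diagnostics.Process]$Process,
        [Parameter(Mandatory)][string]$ModuleName
    )
    try {
        # .Modules enumerates every module loaded in the target (EnumProcessModules);
        # ModuleName is the file name part (GetModuleFileNameEx) that we compare against.
        $module = $Process.Modules | Where-Object { $_.ModuleName -ieq $ModuleName }
    }
    catch [System.ComponentModel.Win32Exception] {
        # Typical causes: insufficient rights (run elevated), or a 32-bit PowerShell
        # inspecting a 64-bit process (or the reverse): module enumeration across
        # bitness is refused by the OS.
        throw "Cannot enumerate modules of PID $($Process.Id): $($_.Exception.Message)"
    }
    if (-not $module) { throw "Module '$ModuleName' not found in PID $($Process.Id)" }
    # BaseAddress corresponds to MODULEINFO.lpBaseOfDll; it is an IntPtr.
    return $module.BaseAddress
}

function Resolve-ModuleOffset {
    param(
        [Parameter(Mandatory)][string]$ProcessName,   # e.g. "app" (no extension)
        [Parameter(Mandatory)][string]$ModuleName,    # e.g. "app.exe"
        [Parameter(Mandatory)][long]$Offset           # e.g. 0x011F9B08
    )
    # Get-Process already holds an open handle; its integer value (0x5c in the question)
    # is an opaque token, not an address, so it is never used in the arithmetic below.
    $process = Get-Process -Name $ProcessName -ErrorAction Stop | Select-Object -First 1
    $base = Get-ModuleBase -Process $process -ModuleName $ModuleName

    # Do the pointer arithmetic in 64-bit integers so it is correct for both
    # 32-bit and 64-bit targets.
    $absolute = $base.ToInt64() + $Offset

    [pscustomobject]@{
        Pid     = $process.Id
        Module  = $ModuleName
        Base    = ('0x{0:X8}' -f $base.ToInt64())
        Offset  = ('0x{0:X8}' -f $Offset)
        Address = ('0x{0:X8}' -f $absolute)
    }
}

# Usage: the tool in the question reported "app.exe"+0x011F9B08 = 0x119F8300.
# If Address prints 0x119F8300, the base you computed is the right one.
Resolve-ModuleOffset -ProcessName 'app' -ModuleName 'app.exe' -Offset 0x011F9B08
```

Two things worth checking before trusting the result: the PowerShell host and the target must have the same bitness, otherwise the module list cannot be read at all, and the base address is only stable for the lifetime of that process (with ASLR it changes on every start, which is why tools express locations as module+offset rather than as absolute addresses).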