Feature possible?
Feature possible?
Hello.
Just two little questions. Is there something to get the base address of a loaded dll? Mayby the base address of a specified section?
The address of the loaded dll changes everytime it loads.
Second.:
Would be great, to have a function to find a process by process name. Somthing like the
FindWindow(nil, 'ID´s')
But for FindProcess('calc.exe')
I would like to do something like
test1 := FindProcess('calc.exe');
GetWindowThreadProcessId(Test1,@PID);
HND := OpenProcess(PROCESS_ALL_ACCESS,False,PID);
Thanks for your help.
Greetings
Shadow110
Just two little questions. Is there something to get the base address of a loaded dll? Mayby the base address of a specified section?
The address of the loaded dll changes everytime it loads.
Second.:
Would be great, to have a function to find a process by process name. Somthing like the
FindWindow(nil, 'ID´s')
But for FindProcess('calc.exe')
I would like to do something like
test1 := FindProcess('calc.exe');
GetWindowThreadProcessId(Test1,@PID);
HND := OpenProcess(PROCESS_ALL_ACCESS,False,PID);
Thanks for your help.
Greetings
Shadow110
Re: Feature possible?
First of all you should specify a specific image base address for your own dlls to avoid relocations. That speeds up the loading process and lets the address stay more constant.shadow110 wrote:Is there something to get the base address of a loaded dll? Mayby the base address of a specified section?
The address of the loaded dll changes everytime it loads.
What do you mean with "get the base address"? Do you want to get the actual base address at which the dll was loaded? Then simply use GetModuleHandle('dll'). Or do you mean the base address which the dll would like to be loaded at? Then use this:
Code: Select all
uses madTools;
function GetPreferredBaseAddress(module: dword) : pointer;
var nh : PImageNtHeaders;
begin
nh := GetImageNtHeaders(module);
if nh <> nil then
dword(result) := module + nh^.OptionalHeader.ImageBase
else
result := nil;
end;
It's already there:shadow110 wrote:Would be great, to have a function to find a process by process name.
Process('calc.exe');
Hello.
Thanks for the hint. Now it works with:
I need the PID from the process. Can this be done easier?
For the dll question...
I need to get the base address of a dll another process loaded.. I would like to write a tool, which can show me the base address of kernel32.dll which is loaded from calc.exe (example) Would be great, if I could read the base address of each section of kernel32.dll.
Greetings
Shadow110
Thanks for the hint. Now it works with:
Code: Select all
var
proc:Ihandle;
test:cardinal;
test2:integer;
begin
proc := process('calc.exe').Handle;
test := proc.Handle;
test2 := ProcessHandleToid(test);
end
For the dll question...
I need to get the base address of a dll another process loaded.. I would like to write a tool, which can show me the base address of kernel32.dll which is loaded from calc.exe (example) Would be great, if I could read the base address of each section of kernel32.dll.
Greetings
Shadow110
Much easier:shadow110 wrote:I need the PID from the process. Can this be done easier?
pid := Process('calc.exe').ID;
If you're really only talking about kernel32 you can assume that it behaves identical to your own process. kernel32 is the very system dll in win9x. And it's the 2nd most important system dll in the NT family. I've never ever seen kernel32 being relocated.shadow110 wrote:I need to get the base address of a dll another process loaded.. I would like to write a tool, which can show me the base address of kernel32.dll which is loaded from calc.exe (example) Would be great, if I could read the base address of each section of kernel32.dll.
But if really *must* check for it in another process you can use this:
kernel32calcHandle := Process('calc.exe').Module('kernel32.dll').Handle;
P.S: Getting the sections is a bit more complicated. You can use this:
After that the image nt headers of calc's kernel32 should be stored in "nh".
Code: Select all
var nh : TImageNtHeaders;
pnh : PImageNtHeaders;
begin
with Process('calc.exe') do
if IsValid then begin
pnh := Module('kernel32').ImageNtHeaders;
ReadMemory(pnh^, nh, sizeOf(nh));
end;
Hello.
Thanks for the great help.
works very well.
But i don´t understand the other code you posted...
How can I convert nh to an integer or string, to show it within my program.
I need the same thing like:
Something like:
Main Programm / DLL at 00400000
.Text at 004001000
.Data at 004005000
Greetings
Alex
Thanks for the great help.
Code: Select all
kernel32calcHandle := Process('calc.exe').Module('kernel32.dll').Handle;
But i don´t understand the other code you posted...
Code: Select all
var nh : TImageNtHeaders;
pnh : PImageNtHeaders;
begin
with Process('calc.exe') do
if IsValid then begin
pnh := Module('kernel32').ImageNtHeaders;
ReadMemory(pnh^, nh, sizeOf(nh));
end;
I need the same thing like:
Code: Select all
kernel32calcHandle := Process('calc.exe').Module('kernel32.dll').Handle;
Main Programm / DLL at 00400000
.Text at 004001000
.Data at 004005000
Greetings
Alex
The code I posted just shows you how to get the image nt header. That's just the first step to get the section offsets. I'm sorry, but I don't have the time to do the whole work for you. You know now how to get the image nt headers of another module in another process. The rest is up to you. It should not be too difficult now, if you know how the PE format looks like.