Feature possible?

shadow110
Posts: 8
Joined: Tue Apr 27, 2004 6:26 pm

Feature possible?

Post by shadow110 »

Hello.

Just two little questions. Is there something to get the base address of a loaded dll? Maybe the base address of a specified section?
The address of the loaded dll changes every time it loads.

Second:

It would be great to have a function to find a process by process name. Something like the

FindWindow(nil, 'ID´s')
but for FindProcess('calc.exe')

I would like to do something like:

test1 := FindProcess('calc.exe');
GetWindowThreadProcessId(test1, @PID);
HND := OpenProcess(PROCESS_ALL_ACCESS, False, PID);

Thanks for your help.

Greetings
Shadow110
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Feature possible?

Post by madshi »

shadow110 wrote:Is there something to get the base address of a loaded dll? Maybe the base address of a specified section?
The address of the loaded dll changes every time it loads.
First of all you should specify a specific image base address for your own dlls to avoid relocations. That speeds up the loading process and lets the address stay more constant.

What do you mean with "get the base address"? Do you want to get the actual base address at which the dll was loaded? Then simply use GetModuleHandle('dll'). Or do you mean the base address which the dll would like to be loaded at? Then use this:

uses madTools;

// Returns the address the module was linked to prefer (IMAGE_OPTIONAL_HEADER.ImageBase).
// ImageBase is an absolute address, so it must not be added to the module handle.
function GetPreferredBaseAddress(module: dword) : pointer;
var nh : PImageNtHeaders;
begin
  nh := GetImageNtHeaders(module);
  if nh <> nil then
    result := pointer(nh^.OptionalHeader.ImageBase)
  else
    result := nil;
end;
shadow110 wrote:Would be great, to have a function to find a process by process name.
It's already there:

Process('calc.exe');
shadow110
Posts: 8
Joined: Tue Apr 27, 2004 6:26 pm

Post by shadow110 »

Hello.

Thanks for the hint. Now it works with:

var
  proc  : IHandle;
  test  : cardinal;
  test2 : integer;
begin
  proc  := Process('calc.exe').Handle;   // madKernel handle object
  test  := proc.Handle;                  // raw Win32 process handle
  test2 := ProcessHandleToId(test);      // process ID
end;
I need the PID from the process. Can this be done easier?

For the dll question...
I need to get the base address of a dll another process loaded. I would like to write a tool which can show me the base address of kernel32.dll as loaded by calc.exe (as an example). It would be great if I could read the base address of each section of kernel32.dll.

Greetings
Shadow110
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

shadow110 wrote:I need the PID from the process. Can this be done easier?
Much easier:

pid := Process('calc.exe').ID;
shadow110 wrote:I need to get the base address of a dll another process loaded.. I would like to write a tool, which can show me the base address of kernel32.dll which is loaded from calc.exe (example) Would be great, if I could read the base address of each section of kernel32.dll.
If you're really only talking about kernel32 you can assume that it behaves identical to your own process. kernel32 is the very system dll in win9x. And it's the 2nd most important system dll in the NT family. I've never ever seen kernel32 being relocated.

But if you really *must* check for it in another process you can use this:

kernel32calcHandle := Process('calc.exe').Module('kernel32.dll').Handle;
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

P.S: Getting the sections is a bit more complicated. You can use this:

var nh  : TImageNtHeaders;
    pnh : PImageNtHeaders;
begin
  with Process('calc.exe') do
    if IsValid then begin
      // pnh points into calc's address space, so it has to be copied over with ReadMemory
      pnh := Module('kernel32').ImageNtHeaders;
      ReadMemory(pnh^, nh, sizeOf(nh));
    end;
end;
After that the image nt headers of calc's kernel32 should be stored in "nh".
shadow110
Posts: 8
Joined: Tue Apr 27, 2004 6:26 pm

Post by shadow110 »

Hello.

Thanks for the great help.

kernel32calcHandle := Process('calc.exe').Module('kernel32.dll').Handle;

works very well.

But I don't understand the other code you posted...

var nh  : TImageNtHeaders;
    pnh : PImageNtHeaders;
begin
  with Process('calc.exe') do
    if IsValid then begin
      pnh := Module('kernel32').ImageNtHeaders;
      ReadMemory(pnh^, nh, sizeOf(nh));
    end;
end;

How can I convert nh to an integer or string, to show it within my program?
I need the same thing as with:

kernel32calcHandle := Process('calc.exe').Module('kernel32.dll').Handle;

Something like:

Main Program / DLL at 00400000
.Text at 004001000
.Data at 004005000

Greetings
Alex
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

The code I posted just shows you how to get the image nt header. That's just the first step to get the section offsets. I'm sorry, but I don't have the time to do the whole work for you. You know now how to get the image nt headers of another module in another process. The rest is up to you. It should not be too difficult now, if you know what the PE format looks like.
shadow110
Posts: 8
Joined: Tue Apr 27, 2004 6:26 pm

Post by shadow110 »

Thanks for your help!
You already do very much for the Delphi users!

I don't want you to code the whole thing for me. *G

I just want to learn. I will take a closer look at the nt headers.

Greetings
Alex
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

My recommendation: First try to find the sections in your own process. Once you have succeeded with that, move it to the other process.
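Following that recommendation, here is an added example (mine, not madKernel's or the thread's code) that does the step madshi left open: starting from a PE image in memory it follows e_lfanew to the NT headers, takes ImageBase from the optional header and lists the start address of every section, which is the "Module at ... / .text at ..." listing asked for above. The byte image is a constructed minimal PE32 header rather than a real DLL, and the optional `load_base` argument stands in for the handle you get from `Module('kernel32.dll').Handle` when the module was relocated; Python is used so it runs offline, the field offsets are those of IMAGE_NT_HEADERS.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D     # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550  # 'PE\0\0'
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
FILE_HEADER_FMT = '<HHIIIHH'     # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = '<8sIIIIIIHHI'     # IMAGE_SECTION_HEADER, 40 bytes

def parse_sections(image, load_base=None):
    """IMAGE_DOS_HEADER -> IMAGE_NT_HEADERS -> section table.
    Returns (base, [(name, section start address), ...]).  load_base is the
    address the module really landed at (its HMODULE); without it the
    preferred ImageBase from the optional header is used."""
    if struct.unpack_from('<H', image, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError('no MZ signature')
    e_lfanew = struct.unpack_from('<I', image, 0x3C)[0]
    if struct.unpack_from('<I', image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError('no PE signature at e_lfanew')
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(FILE_HEADER_FMT, image, e_lfanew + 4)
    opt = e_lfanew + 24                        # optional header follows the file header
    magic = struct.unpack_from('<H', image, opt)[0]
    if magic == PE32_MAGIC:                    # 32-bit: ImageBase is a DWORD at +28
        image_base = struct.unpack_from('<I', image, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:              # 64-bit: ImageBase is a QWORD at +24
        image_base = struct.unpack_from('<Q', image, opt + 24)[0]
    else:
        raise ValueError('unknown optional header magic 0x%X' % magic)
    base = image_base if load_base is None else load_base
    sections = []
    for i in range(nsec):                      # section table starts right after the optional header
        raw = struct.unpack_from(SECTION_FMT, image, opt + opt_size + i * 40)
        name = raw[0].rstrip(b'\0').decode('ascii', 'replace')
        sections.append((name, base + raw[2]))  # raw[2] = VirtualAddress, an RVA
    return base, sections

def build_sample_image():
    """Constructed minimal PE32 header (not a real DLL): preferred base 0x400000,
    .text at RVA 0x1000 and .data at RVA 0x5000, the layout asked about above."""
    dos = bytearray(0x40)
    struct.pack_into('<H', dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into('<I', dos, 0x3C, 0x40)              # e_lfanew
    opt = bytearray(0xE0)                                 # PE32 optional header size
    struct.pack_into('<H', opt, 0, PE32_MAGIC)
    struct.pack_into('<I', opt, 28, 0x00400000)           # ImageBase
    file_hdr = struct.pack(FILE_HEADER_FMT, 0x14C, 2, 0, 0, 0, len(opt), 0x2102)
    secs = b''.join(struct.pack(SECTION_FMT, n, sz, rva, sz, 0, 0, 0, 0, 0, ch)
                    for n, sz, rva, ch in ((b'.text', 0x4000, 0x1000, 0x60000020),
                                           (b'.data', 0x1000, 0x5000, 0xC0000040)))
    return bytes(dos) + struct.pack('<I', IMAGE_NT_SIGNATURE) + file_hdr + bytes(opt) + secs
```

For the real thing, feed it the bytes you copied out with ReadMemory (headers plus section table) and pass the remote module handle as `load_base`; in your own process, `load_base` is simply the HMODULE from GetModuleHandle.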