Get Base Address of Process

Get base address of process

If you want to get the virtual address within the other process's address space, you can do that like so:

1. Open the process using OpenProcess -- if successful, the value returned is a handle to the process, which is just an opaque token used by the kernel to identify a kernel object. Its exact integer value (0x5c in your case) has no meaning to userspace programs, other than to distinguish it from other handles and invalid handles.
2. Call GetProcessImageFileName to get the name of the main executable module of the process.
3. Use EnumProcessModules to enumerate the list of all modules in the target process.
4. For each module, call GetModuleFileNameEx to get the filename, and compare it with the executable's filename.
5. When you've found the executable's module, call GetModuleInformation to get the raw entry point of the executable.

This will give you the virtual address, but there's not a whole lot you can do with it since it's not mapped into your current process's address space.

How to get the base address of a process in C++ Internally?

Use GetModuleHandler. Pass in NULL, like this:

GetModuleHandler(NULL);

It will return the handle for the current running module (the .exe), which is actually its base address.

In case you want to know the base address of a different (loaded) module, like a DLL, then just pass its name.

How would I get the base address of a process and edit that pointer with it?

The address that begins with 0x is the Hex value you are referring to which you can obtain by with a suffix like BaseAddress.ToString("x8")

Output: The process's main module's base address is: 0x00a80000

---

Snippet: Retrieves Base Address of every module associated with the Notepad Process and prints Main Modules Base address in Hex representation

using (Process myProcess = new Process())
{
   ProcessStartInfo myProcessStartInfo = new ProcessStartInfo("notepad.exe");
   myProcess.StartInfo = myProcessStartInfo;
   myProcess.Start();
   System.Threading.Thread.Sleep(1000);
   ProcessModule myProcessModule;

   Console.WriteLine("Base addresses of the modules associated "+"with 'notepad' are:");
   for (int i = 0; i < myProcess.Modules.Count; i++)
   {
      myProcessModule = myProcess.Modules[i];
      Console.WriteLine(myProcessModule.ModuleName + " : " + (IntPtr)myProcessModule.BaseAddress);
   }

   Console.WriteLine("The process's main module's base address is: 0x"+myProcess.MainModule.BaseAddress.ToString("x8"));
   myProcess.CloseMainWindow();
}

Golang Calculate address of another process memory based on process handle and offset

In order to find address and read value of another process, you must calculate it, based on offsets and base address of process. Cheat engine shows reading address value operation as [hex + hex] -> address in pointer editor. So everytime you see [address + offset] -> next address, it means sum address and offset as hex (16) and read value at this address in process memory. Retrieved value is the next address, which you should use to get the following one. Repeat this until you get to the last offset, then just sum address and offset without reading value. The resulted address is where the value stored.

How to find base address? Although it may seem to be constant in Cheat Engine (if you put 0 instead of 02518790, you'll get the same address each time you restart process), it's just a virtual address, don't use it. Instead, use winapi to iterate through all modules of the specified process using EnumProcessModules. You can find PID by searching in running apps by window's title. Compare module's filename with GetModuleFilenameExW. When you found the module with constant filename ("UE4Game-Win64-Shipping.exe" in your case), use GetModuleInformation to retrieve LpBaseOfDll. Not EntryPoint, which is not base address.

Now that you have LpBaseOfDll, add constant offset to it (02518790) and read value at resulted address. This is your starting address that you should use to run the loop and add offsets. So the "plus operation" labelled on image is sum of LpBaseOfDll and offset. In fact, Cheat Engine accepts just executable name without offset, try putting "kernel32.dll" into address field :)

To interact with virtual memory, you must use windows native api (kernel32.dll). As in any other language, Go has a wrapper for winapi. You can choose between classic hardcoded "golang.org/x/sys/windows", modern and experimental "github.com/Andoryuuta/kiwi", but I would recommend you to use "github.com/0xrawsec/golang-win32/win32/kernel32".

The code below demonstrates how to get base address. I published GitHub gist with full code that can find process ID by name and read float32 values.

package main

import (
    "fmt"
    "path/filepath"

    "github.com/0xrawsec/golang-win32/win32"
    kernel32 "github.com/0xrawsec/golang-win32/win32/kernel32"
    windows "golang.org/x/sys/windows"
)

func memoryReadInit(pid uint32) (int64, bool) {
    win32handle, _ := kernel32.OpenProcess(0x0010 | windows.PROCESS_VM_READ | windows.PROCESS_QUERY_INFORMATION, win32.BOOL(0), win32.DWORD(pid))
    moduleHandles, _ := kernel32.EnumProcessModules(win32handle)
    for _, moduleHandle := range moduleHandles {
        s, _ := kernel32.GetModuleFilenameExW(win32handle, moduleHandle)
        targetModuleFilename := "UE4Game-Win64-Shipping.exe"
        if(filepath.Base(s) == targetModuleFilename) {
            info, _ := kernel32.GetModuleInformation(win32handle, moduleHandle)
            return int64(info.LpBaseOfDll), true
        }
    }
    return 0, false
}

func main() {
    var pid uint32 = 0x38E4 // put PID here, you can find it in Cheat Engine process list
    baseAddress, _ := memoryReadInit(pid)
    fmt.Println("Base address is", baseAddress)
}

Finding the baseaddress of a running process

I did manage to find a solution for python 3.5 32-bit and 64 bit.

For 32 bit I used psutil and pymem (as already suggested on this question).:

import psutil
import pymem

my_pid = None
pids = psutil.pids()
for pid in pids:
    ps = psutil.Process(pid)
    # find process by .exe name, but note that there might be more instances of solitaire.exe
    if "solitaire.exe" in ps.name():
        my_pid = ps.pid
        print( "%s running with pid: %d" % (ps.name(), ps.pid) )

base_address = pymem.process.base_address(pid)

For 64 bit pymem was not working. I found suggestions using win32api.GetModuleHandle(fileName) but it required win32api.LoadLibrary(fileName) which was not using an already running process.

Therefore I found this suboptimal solution, since this returns a whole list of possibilities:

import win32process
import win32api

# first get pid, see the 32-bit solution

PROCESS_ALL_ACCESS = 0x1F0FFF
processHandle = win32api.OpenProcess(PROCESS_ALL_ACCESS, False, my_pid)
modules = win32process.EnumProcessModules(processHandle)
processHandle.close()
base_addr = modules[0] # for me it worked to select the first item in list...

Finding the base address after creating suspended process

You never set context.ContextFlags, you must set it to CONTEXT_INTEGER before calling GetThreadContext().

Here's a sample code:

#if defined(_WIN64)
    WOW64_CONTEXT context;
    memset(&context, 0, sizeof(WOW64_CONTEXT));
    context.ContextFlags = CONTEXT_INTEGER;
    Wow64GetThreadContext(pi.hThread, &context);
#else   
    CONTEXT context;
    memset(&context, 0, sizeof(CONTEXT));
    context.ContextFlags = CONTEXT_INTEGER;
    GetThreadContext(pi.hThread, &context);
#endif

Taken from hasherezade's excellent runpe implementation

---

Related Topics