high6 Posted April 16, 2009 Posted April 16, 2009 Is there a way to get the imagebase of the assembly in memory with the Assembly class?
Malakai Posted May 2, 2009 Posted May 2, 2009 You can P/Invoke the PSAPI.dll and use GetModuleInformation [StructLayout(LayoutKind.Sequential)] public struct MODULEINFO { public IntPtr lpBaseOfDll; public uint SizeOfImage; public IntPtr EntryPoint; } [DllImport("psapi.dll", SetLastError = true)] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool GetModuleInformation(IntPtr hProcess, IntPtr hModule, out MODULEINFO lpmodinfo, uint countBytes);That's from Blackstorm's RE framework.
high6 Posted May 4, 2009 Author Posted May 4, 2009 Problem is, how do you get the Assembly's "hModule"?
revert Posted May 4, 2009 Posted May 4, 2009 foreach (ProcessModule mod in Process.GetCurrentProcess().Modules) { if (mod.ModuleName == "MyModule") { MessageBox.Show(mod.BaseAddress.ToString("X8")); } }Standard .NET code. You just need to include "using System.Diagnostics".
high6 Posted May 4, 2009 Author Posted May 4, 2009 The assembly wasn't loaded with LoadLibrary though so it isn't in the module list.At this point I am probably gonna look at SOS.dll's dumpdomain function.
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now