January 8, 2017 Parse the PE header just like you would normally if you read the file from disk. Just use the memory location of the start of the target instead. (GetModuleHandle can get you the base, or use the needed iteration APIs if the target is remote etc., for example CreateToolhelp32Snapshot / Process32First / Process32Next / Module32First / Module32Next.)
January 8, 2017 (Author) Excuse me, is it possible to explain this? I have the app on disk; is it possible to calculate the address? If yes, how? Edited January 8, 2017 by Avenger
January 8, 2017 Load the app / DLL into memory, e.g. with CreateFileMapping() + MapViewOfFile(), or by reading it directly into a malloc'ed range. You get the first section header in the following way:

```c
#include <windows.h>
#include <stdint.h>

/* address = start of the mapped file / loaded module */
IMAGE_DOS_HEADER* pDOSHeader = (IMAGE_DOS_HEADER*)address;
/* e_lfanew is the file offset of the "PE\0\0" signature */
IMAGE_NT_HEADERS* pNTHeaders = (IMAGE_NT_HEADERS*)((BYTE*)pDOSHeader + pDOSHeader->e_lfanew);
/* section table follows the optional header; equivalent to IMAGE_FIRST_SECTION(pNTHeaders)
   when the optional header has its default size for this bitness */
IMAGE_SECTION_HEADER* pSectionHdr = (IMAGE_SECTION_HEADER*)((uint8_t*)pNTHeaders + sizeof(IMAGE_NT_HEADERS));
```

Then you can iterate with pSectionHdr++ over all section headers (pNTHeaders->FileHeader.NumberOfSections of them). Inside the IMAGE_SECTION_HEADER fields the RVA and the size in memory and in the file are available.
January 8, 2017 You can also use dumpbin <filename> to do this. Dumpbin comes with the C++ toolkit when you install Visual Studio or Visual Studio Code.
January 21, 2017 It depends on what you want to do. Getting the address with dumpbin can help if you basically want the address in memory. With CreateToolhelp32Snapshot / Process32First / Process32Next / Module32First / Module32Next you can access another process and its loaded modules. Reading out the data with ReadProcessMemory() and the IMAGE_XXX structures, you can access the memory of the process / module directly. But only if you have the same rights or admin rights. Edited January 21, 2017 by havanacj13
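The header walk described in the replies above (DOS header, e_lfanew, NT headers, section table, then RVA plus base), written out as an added example that is not code from any poster in this thread. It is in Python rather than C so it runs without the Windows SDK: the input is a constructed minimal PE32 built inline, not a real binary, and `map_image()` is a hypothetical stand-in for what the Windows loader does (copying each section from PointerToRawData to VirtualAddress) so the same parser can be shown working on both the on-disk layout and the in-memory layout.

```python
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SECTION_FMT = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes
SECTION_SIZE = struct.calcsize(SECTION_FMT)


def parse_pe(buf):
    """DOS header -> NT headers -> section table. Works on raw file bytes and on a
    loaded image alike: the headers occupy offsets 0..SizeOfHeaders in both layouts."""
    if buf[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    if e_lfanew + 24 > len(buf) or buf[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("bad e_lfanew / PE signature")
    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte signature
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    opt_off = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", buf, opt_off)
    if magic == PE32_MAGIC:
        (image_base,) = struct.unpack_from("<I", buf, opt_off + 28)
    elif magic == PE32PLUS_MAGIC:
        (image_base,) = struct.unpack_from("<Q", buf, opt_off + 24)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (size_of_headers,) = struct.unpack_from("<I", buf, opt_off + 60)   # same offset in PE32/PE32+
    # First section header follows the optional header. Using SizeOfOptionalHeader
    # (what IMAGE_FIRST_SECTION does) instead of a fixed sizeof() stays correct for
    # both PE32 and PE32+ and for unusual optional-header sizes.
    sect_off = opt_off + opt_size
    if sect_off + nsect * SECTION_SIZE > len(buf):
        raise ValueError("section table runs past end of buffer")
    sections = []
    for i in range(nsect):
        f = struct.unpack_from(SECTION_FMT, buf, sect_off + i * SECTION_SIZE)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": f[1], "virtual_address": f[2],
                         "raw_size": f[3], "raw_ptr": f[4], "characteristics": f[9]})
    return {"machine": machine, "image_base": image_base,
            "size_of_headers": size_of_headers, "sections": sections}


def rva_to_file_offset(pe, rva):
    """Map an RVA to the file offset that backs it; None if no section covers it."""
    for s in pe["sections"]:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            return rva - s["virtual_address"] + s["raw_ptr"]
    return None


def section_va(pe, name, base=None):
    """Virtual address of a section: (actual or preferred) base + RVA."""
    s = next(x for x in pe["sections"] if x["name"] == name)
    return (pe["image_base"] if base is None else base) + s["virtual_address"]


def section_bytes(pe, buf, name, mapped, n=8):
    """First n bytes of a section: PointerToRawData on disk, VirtualAddress in memory."""
    s = next(x for x in pe["sections"] if x["name"] == name)
    off = s["virtual_address"] if mapped else s["raw_ptr"]
    return bytes(buf[off:off + n])


def map_image(file_bytes):
    """Hypothetical loader: lay the file out as it would appear in a process (assumption)."""
    pe = parse_pe(file_bytes)
    size = max(s["virtual_address"] + max(s["virtual_size"], s["raw_size"]) for s in pe["sections"])
    img = bytearray(size)
    img[:pe["size_of_headers"]] = file_bytes[:pe["size_of_headers"]]
    for s in pe["sections"]:
        img[s["virtual_address"]:s["virtual_address"] + s["raw_size"]] = \
            file_bytes[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
    return bytes(img)


def build_sample_pe():
    """Constructed minimal PE32 (two sections, 0x200 file alignment); not a real binary."""
    dos = bytearray(0x40)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x80)                       # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)                       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                     # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)                       # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                        # FileAlignment
    struct.pack_into("<I", opt, 56, 0x3000)                       # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x400)                        # SizeOfHeaders
    secs = [(b".text", 0x100, 0x1000, 0x200, 0x400, 0x60000020),
            (b".data", 0x050, 0x2000, 0x200, 0x600, 0xC0000040)]
    tbl = b"".join(struct.pack(SECTION_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                   for n, vs, va, rs, rp, ch in secs)
    hdr = (bytes(dos) + bytes(0x40) + IMAGE_NT_SIGNATURE + file_hdr + bytes(opt) + tbl).ljust(0x400, b"\0")
    text = (b"\x55\x8b\xec" + b"TEXT").ljust(0x200, b"\xcc")
    data = b"DATA!".ljust(0x200, b"\0")
    return hdr + text + data


if __name__ == "__main__":
    f = build_sample_pe()
    pe = parse_pe(f)
    for s in pe["sections"]:                                      # dumpbin-style listing
        print("%-8s RVA %#07x VA %#010x raw %#06x @ %#06x" % (
            s["name"], s["virtual_address"], section_va(pe, s["name"]), s["raw_size"], s["raw_ptr"]))
```

The point the thread makes is visible in `section_bytes()`: the same parsed header gives you `PointerToRawData` for the file on disk and `VirtualAddress` for the loaded module, and the real address is whatever base the module actually got (from GetModuleHandle or Module32First/Next) plus that RVA, not necessarily `ImageBase` from the optional header.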