Jump to content
Tuts 4 You

address of section from memory


Recommended Posts

Parse the PE header just like you would normally if you read the file from disk. Just use the memory location of the start of the target instead. (GetModuleHandle can get you the base, or use the needed iteration API's if the target is remote etc. for example CreateToolhelp32Snapshot / Process32First / Process32Next / Module32First / Module32Next)

  • Like 1
Link to comment

excuse me

it is possible to explain about it?

i have the app in disk

it is possible to calculation address?

if yes, how?

Edited by Avenger
Link to comment

Load app / dll to memory e.g. with CreateFileMapping()+MapViewOfFile() or directly loading in a memory malloced range.

You get the first section in header in the following way:


IMAGE_NT_HEADERS* pNTHeaders = (IMAGE_NT_HEADERS*)((BYTE*)pDOSHeader + pDOSHeader->e_lfanew);

Then you can iterate pSectionHdr++ via all section headers.
Inside IMAGE_SECTION_HEADER parameters the RVA and size in memory and in file ist available.


Link to comment
  • 2 weeks later...

It depends what you want to do. Getting the address with dumpbin can be help if you basically want the address in memory.

With CreateToolhelp32Snapshot / Process32First / Process32Next / Module32First / Module32Next you can access to another process and it's loaded modules. Reading out the data with ReadProcessMemory() and with IMAGE_XXX structures you can access to memory of the process / module directly. But only if you have the same rights or admin rights.


Edited by havanacj13
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...