module base

[PeterN]

According to the official documentation the following command should return Loaded module base.

Quote

[module]:base or [module]:0

But in some cases/modules it does not work.

 

 

Edited December 5, 2022 by PeterN

[atom0s]

Don't include '.dll' part, just the name of the module itself.

sqlite3:base

[PeterN]

9 hours ago, atom0s said:

Don't include '.dll' part, just the name of the module itself.

sqlite3:base

Nah, does not work either way.

[atom0s]

If you are only pasting that into the command bar then all it's going to do is set the status bar at the bottom of the window (where it shows the most recent log message) to the value. 

You need to prefix it with a command if you want to do something with it, such as going to it in the disassembler view via: d sqlite3:base

You can find the full list of commands here: https://help.x64dbg.com/en/latest/commands/index.html

Edited December 7, 2022 by atom0s

[PeterN]

8 hours ago, atom0s said:

If you are only pasting that into the command bar then all it's going to do is set the status bar at the bottom of the window (where it shows the most recent log message) to the value. 

You need to prefix it with a command if you want to do something with it, such as going to it in the disassembler view via: d sqlite3:base

You can find the full list of commands here: https://help.x64dbg.com/en/latest/commands/index.html

For some loaded modules, including the main executable, it simply return Unknown Command error, if I tried d prefix it's going to disassembler view but of a different module.

I wonder if loaded process cannot somehow mess with a debugger.

[LCF-AT]

Hi,

so for me it works anyway whether I use sqlite3:0 or sqlite3:base or sqlite3.dll:base it works. Just did load the sqlite3.dll extern into any loaded app. What about all those other modules you have loaded in your process? Are they all working to get the base via commandline? Maybe there is any issue to get the base via commandline like with Olly 1 & script command when the module X wasn't right loaded and set to access read (red marked in memory map). I'am still using version Apr 10 2020 x64. Just try a other version whether you get same issues or try loading the test modules like sqlite3 manually into any loaded app and check this again. I think there is just an access issue.

greetz

[mrexodia]

Which executable are you debugging? This feature is working fine for the applications I tested it on...

[PeterN]

It seems to only be issue with UWP apps.

There is for example a pre-installed app in Windows 10 called Your Phone.

Try to use yourphone:0

Edited December 11, 2022 by PeterN

[PeterN]

On 12/11/2022 at 5:20 PM, mrexodia said:

Which executable are you debugging? This feature is working fine for the applications I tested it on...

 

I dug into x64dbg source code and in the value.cpp, this line returns module base correctly 

duint modbase = ModBaseFromName(modname);

but this fails

 HMODULE mod = LoadLibraryExW(StringUtils::Utf8ToUtf16(szModPath).c_str(), 0, DONT_RESOLVE_DLL_REFERENCES);

Edit1: I guess LoadLibrary does not have access rights to the WindowsApps folder.

Edited December 18, 2022 by PeterN