Printable View
Hello all,
Is it possible to get the base address of a dll file currently loaded into memory this dll is loaded by another application outside my program and each time this application is loaded the start address at which this dll is located in memory changes. I wish to write something that will return at what address the dll was loaded. Is this possible and if so how can it be done?
Thanks,
ISquishWorms
Can you give some more information on what you are trying to do?
I assume you are trying to write over a value of a variable.
You can get the addresses of exported functions and variables, but first you'll have to inject your code into the thread of the target process.
If you know the offset of the address you want from one of these exported objects then you can do it this way.
It all comes down to exactly what you are trying to do.
If you attach your thread to the running process with DebugActiveProcess you will get a LOAD_DLL_DEBUG_EVENT event for each module loaded in that process and in that there is a structure:
The lpBaseOfDll is the droid you are looking forCode:typedef struct _LOAD_DLL_DEBUG_INFO {
HANDLE hFile;
LPVOID lpBaseOfDll;
DWORD dwDebugInfoFileOffset;
DWORD nDebugInfoSize;
LPVOID lpImageName;
WORD fUnicode;
} LOAD_DLL_DEBUG_INFO, *LPLOAD_DLL_DEBUG_INFO;
Hello,
Firstly thanks to you both for trying to help me out with this one.
What I am looking to do is to modify a PUSH 20 assembler command within the DLL file so that it pushes a different value. I am able to work out the offset to the command PUSH 20 so thought that if I could somehow retrieve the base address at which the DLL had loaded I would just be able to simply add to that the offset and modify in memory the PUSH 20 command to become say PUSH 2.
However my problem is that I am unsure how to go about getting the address at which this DLL has been loaded at. The DLL is loaded by another application outside my Visual Basic application.
Merrion would your suggested method of using DebugActiveProcess to populate LOAD_DLL_DEBUG_INFO structure with the information I require by trapping that event work should the DLL already have been loaded by the application? Following your advice and suggestion I have investigated using this method to get the base address of the DLL a little further and realised that I would need to use the API WaitForDebugEvent but am unsure of the structure DEBUG_EVENT_BUFFER are your able to give me the type declaration for this structure thanks.
Thank you once again to anyone who is able and spends time helping me regarding this matter,
ISquishWorms.
It's all burried in the attached code (a debugger written in VB). You will probably be able to chop 99% of this out for your requirement...
Nice :thumb:
Thats some code you have there Merrion. I have managed to get my program to respond to the LOAD_DLL_DEBUG_EVENT event and the LOAD_DLL_DEBUG_INFO structure is being populated.
However I have run into another problem how can I tell if I have the base address for the DLL that I am interested in as this application uses a number of different DLL's. I read that it was possible to carry out a ReadProcessMemory on lpImageName to get the name of the DLL but I dont seem to get anything back.
Thanks for any further help anyone is able to offer,
ISquishWorms.
You could alternatively use:-
VB Code:
That is how cPortableExecutableImage.Name works in the code attached above.
Hello all,
I am still having some trouble obtaining the name of the DLL I am now trying the GetModuleFileName API as suggested but seem to be just getting back 1024 NULL characters. :confused: At first I thought maybe it was something about the application that I was trying to get the DLL’s for so I tried this on another alternative application as well but get the same result that is 1024 NULL characters returned for the DLL name. Below is the code that I am using I would be grateful if someone else could glance at it and tell me where I have gone wrong.
Thanks once again for all the assistance and time you have spent getting me this far,
ISquishWorms.
VB Code:
DebugLoadDllInfo.hfile is a file handle. You need to pass in a module handle (hMod) to GetModuleFilename...
Merrion,
I have a related problem. I am trying to get a thread's starting address.
I know you can get this if a CREATE_PROCESS_DEBUG_EVENT is generated from
Create_Process_Debug_Info.lpStartAddress, but only when you use CreateProcess.
If I want to use DebugActiveProcess this doesn't work
Do you know another way to get this address?