How do I get the baseaddress of a 64 bit process?

Printable View

Oct 19th, 2021, 03:34 PM
Maatooh

1 Attachment(s)

How do I get the baseaddress of a 64 bit process?

I need to obtain the base address of a 64-bit .exe process, in the same way that CE does, I find myself in the need to do this since the address changes over time, I have had experience obtaining addresses for dll from a process 32 bits but I have not had success with the .exe process and less with 64 bits since I must store it in a variable that supports the "7FFFFFFFFFFF" type of extension.

Attachment 182679

Thanks very much!
Oct 20th, 2021, 12:53 AM
dz32

Re: How do I get the baseaddress of a 64 bit process?

I just use a small 64bit helper app which outputs the results to the command line in csv string format.
Then parse the results from stdin. you launch x64helper in a hidden window so no console window popup.
Quick and dirty but reliable.

https://github.com/dzzie/SysAnalyzer.../Cx64.cls#L588
https://github.com/dzzie/SysAnalyzer.../main.cpp#L156

Once you have the 64bit number as string you can then use a x64 math library to work on it if you must.
for just display the string is fine.

https://github.com/dzzie/libs/tree/master/vb6_utypes

example output:

Code:

Usage x64Helper: /inject decimal_pid dll_path /dlls decimal_pid /dumpmodule decimal_pid hex_string_base hex_string_size out_file_path /dumpprocess decimal_pid out_file_path /startwdll exe_path dll_path /memmap decimal_pid [out_file_path|-c] (pid -32|-64|-1) /loadlib file_path [exportToCall [cdecl] ] /procs [32|64|strMatch] x64helper /procs 64 Showing 64 bit processes only.. 9912 Zoom.exe ... x64helper /dlls 9912 0x260000,0x42000,C:\Users\home\AppData\Roaming\Zoom\bin\Zoom.exe 0x77040000,0x1A3000,C:\WINDOWS\SYSTEM32\ntdll.dll 0x75CB0000,0xF0000,C:\WINDOWS\System32\KERNEL32.DLL ...

also..

Attachment 182682
Oct 20th, 2021, 01:15 AM
The trick

Re: How do I get the baseaddress of a 64 bit process?

NtWow64QueryInformationProcess64
Oct 20th, 2021, 02:41 PM
Maatooh

Re: How do I get the baseaddress of a 64 bit process?

Solved without problems, they are heroes. Thanks!! :bigyello::bigyello:
Mar 22nd, 2025, 02:35 AM
camomille

Re: How do I get the baseaddress of a 64 bit process?

Quote:

Originally Posted by dz32

I just use a small 64bit helper app which outputs the results to the command line in csv string format.
Then parse the results from stdin. you launch x64helper in a hidden window so no console window popup.
Quick and dirty but reliable.

https://github.com/dzzie/SysAnalyzer.../Cx64.cls#L588
https://github.com/dzzie/SysAnalyzer.../main.cpp#L156

Once you have the 64bit number as string you can then use a x64 math library to work on it if you must.
for just display the string is fine.

https://github.com/dzzie/libs/tree/master/vb6_utypes

example output:

Code:

Usage x64Helper: /inject decimal_pid dll_path /dlls decimal_pid /dumpmodule decimal_pid hex_string_base hex_string_size out_file_path /dumpprocess decimal_pid out_file_path /startwdll exe_path dll_path /memmap decimal_pid [out_file_path|-c] (pid -32|-64|-1) /loadlib file_path [exportToCall [cdecl] ] /procs [32|64|strMatch] x64helper /procs 64 Showing 64 bit processes only.. 9912 Zoom.exe ... x64helper /dlls 9912 0x260000,0x42000,C:\Users\home\AppData\Roaming\Zoom\bin\Zoom.exe 0x77040000,0x1A3000,C:\WINDOWS\SYSTEM32\ntdll.dll 0x75CB0000,0xF0000,C:\WINDOWS\System32\KERNEL32.DLL ...

also..

Attachment 182682

I'm trying to get your library, but the link is dead. Could you provide a working link?

https://github.com/dzzie/libs/tree/master/vb6_utypes

Thanks in advance.
Mar 22nd, 2025, 08:36 AM
fafalone

Re: How do I get the baseaddress of a 64 bit process?

https://sandsprite.com/CodeStuff/vb6_utypes.zip

Also this thread is old so I'll add a reminder you no longer need to know another language like C++ to write 64bit helper apps, twinBASIC exists now ;)

(It doesn't have unsigned types yet; they're planned for sometime after v1.0, but the LongLong and Decimal types do make some workarounds for that easier then Currency and Double)
Apr 1st, 2025, 12:50 AM
camomille

Re: How do I get the baseaddress of a 64 bit process?

Quote:

Originally Posted by fafalone

https://sandsprite.com/CodeStuff/vb6_utypes.zip

Also this thread is old so I'll add a reminder you no longer need to know another language like C++ to write 64bit helper apps, twinBASIC exists now ;)

(It doesn't have unsigned types yet; they're planned for sometime after v1.0, but the LongLong and Decimal types do make some workarounds for that easier then Currency and Double)

Thanks, this is for a 64-bit X86 simulator that will be converted to Tb