Get base address of process

醉酒成梦 2020-12-05 11:21

I want to access a certain address of a process. But for that I need to get the base address of the process first. I'm using a tool to see if I'm actually doing it right.

2 answers
  • 2020-12-05 11:52

    I wanted to elaborate a bit on @Adam Rosenfield's answer. I will use League of Legends as an example here.


    In order to open the process (getting a handle) we need its PID (Process ID). We can do that via a window handle (HWND) because usually the title of the window is known.

    #include <windows.h>

    // You will need to change this to the name of the window of the foreign process
    HWND WindowHandle = FindWindow(nullptr, L"League of Legends (TM) Client");
    DWORD PID = 0;
    GetWindowThreadProcessId(WindowHandle, &PID);
    // OpenProcess returns a HANDLE (not a PVOID); FALSE means the handle is not inheritable
    HANDLE hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, PID);
    

    Now that we are able to get a handle to the process, let's continue.

    HMODULE Module = GetModule();
    // An HMODULE is the module's load (base) address. Use DWORD_PTR rather than DWORD
    // so the value is not truncated when this is built as a 64-bit process.
    DWORD_PTR BaseAddress = (DWORD_PTR)Module;
    

    The GetModule function

    #include <windows.h>
    #include <psapi.h>   // EnumProcessModules / GetModuleFileNameEx; link with psapi.lib
    #include <string>
    using std::wstring;

    HANDLE GetHandle(); // wraps the OpenProcess snippet above and returns the process handle

    HMODULE GetModule()
    {
        HMODULE hMods[1024];
        HANDLE pHandle = GetHandle();
        DWORD cbNeeded = 0;
        DWORD count;
        unsigned int i;
        HMODULE found = nullptr;

        if (pHandle == nullptr)
            return nullptr;

        if (EnumProcessModules(pHandle, hMods, sizeof(hMods), &cbNeeded))
        {
            // cbNeeded can exceed the buffer size; never walk past the end of hMods
            count = cbNeeded / sizeof(HMODULE);
            if (count > 1024)
                count = 1024;

            for (i = 0; i < count; i++)
            {
                WCHAR szModName[MAX_PATH];
                // Explicit W version so the buffer is wide regardless of the UNICODE setting
                if (GetModuleFileNameExW(pHandle, hMods[i], szModName, MAX_PATH))
                {
                    wstring wstrModName = szModName;
                    // you will need to change this to the name of the exe of the foreign process
                    wstring wstrModContain = L"League of Legends.exe";
                    if (wstrModName.find(wstrModContain) != wstring::npos)
                    {
                        found = hMods[i];
                        break;
                    }
                }
            }
        }
        CloseHandle(pHandle); // close on every path, not only when the module was found
        return found;
    }
    

    As for me personally, I like to write 2 separate functions, one for getting a handle and one for getting the module.

    There we go, we have successfully gotten the base address of a foreign process.

  • 2020-12-05 11:56

    If you want to get the virtual address within the other process's address space, you can do that like so:

    1. Open the process using OpenProcess -- if successful, the value returned is a handle to the process, which is just an opaque token used by the kernel to identify a kernel object. Its exact integer value (0x5c in your case) has no meaning to userspace programs, other than to distinguish it from other handles and invalid handles.
    2. Call GetProcessImageFileName to get the name of the main executable module of the process.
    3. Use EnumProcessModules to enumerate the list of all modules in the target process.
    4. For each module, call GetModuleFileNameEx to get the filename, and compare it with the executable's filename.
    5. When you've found the executable's module, call GetModuleInformation to get the raw entry point of the executable.

    This will give you the virtual address, but there's not a whole lot you can do with it since it's not mapped into your current process's address space.

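An added example, not code from either answer, that carries the procedure of both answers through by PID (OpenProcess, EnumProcessModulesEx, GetModuleFileNameExW, GetModuleInformation) with the pitfalls of the first answer's snippet fixed: a basename match for the module name instead of a substring find, a pointer-sized result, and the handle closed on every path. The name matcher is portable and the Win32 part is guarded so the file builds anywhere; GetModuleBase and ModuleNameMatches are my names, not an API.

```cpp
#include <algorithm>
#include <cstdint>
#include <cwctype>
#include <string>

// Portable helper: does this module path name the executable we are looking for?
// Only the final path component is compared, case-insensitively (Windows paths are
// case-insensitive), so it no longer matches "League of Legends.exe.bak" or a DLL
// that lives under a directory that happens to be called "League of Legends.exe".
bool ModuleNameMatches(const std::wstring& path, const std::wstring& exeName)
{
    size_t pos = path.find_last_of(L"\\/");
    std::wstring base = (pos == std::wstring::npos) ? path : path.substr(pos + 1);
    if (base.size() != exeName.size()) return false;
    return std::equal(base.begin(), base.end(), exeName.begin(),
        [](wchar_t a, wchar_t b) { return std::towlower(a) == std::towlower(b); });
}

#ifdef _WIN32
#include <windows.h>
#include <psapi.h>   // link with psapi.lib

// Load (base) address of exeName inside process pid, or 0 when it is not found.
// Needs PROCESS_QUERY_INFORMATION | PROCESS_VM_READ. A 32-bit caller cannot enumerate
// a 64-bit target's modules (EnumProcessModulesEx fails), so build for the target's bitness.
uintptr_t GetModuleBase(DWORD pid, const std::wstring& exeName)
{
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (hProcess == nullptr) return 0;
    uintptr_t base = 0;
    HMODULE mods[1024];
    DWORD needed = 0;
    if (EnumProcessModulesEx(hProcess, mods, sizeof(mods), &needed, LIST_MODULES_ALL)) {
        DWORD count = needed / sizeof(HMODULE);
        if (count > 1024) count = 1024;          // the array may be smaller than needed
        for (DWORD i = 0; i < count; ++i) {
            wchar_t name[MAX_PATH];
            if (GetModuleFileNameExW(hProcess, mods[i], name, MAX_PATH) &&
                ModuleNameMatches(name, exeName)) {
                MODULEINFO mi = {};              // lpBaseOfDll equals the HMODULE value
                if (GetModuleInformation(hProcess, mods[i], &mi, sizeof(mi)))
                    base = reinterpret_cast<uintptr_t>(mi.lpBaseOfDll);
                break;
            }
        }
    }
    CloseHandle(hProcess);   // released on every path
    return base;             // uintptr_t: not truncated on 64-bit, unlike a DWORD cast
}
#endif
```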