Python - How to get the start/base address of a process?

臣服心动 2020-12-17 18:34

How do I get the start/base address of a process? For example Solitaire.exe (solitaire.exe+BAFA8)

#-*- coding: utf-8 -*-
import ctypes, win32ui, win32process   # ctypes for raw Win32 calls, pywin32 for the wrappers

3 answers
  • 2020-12-17 19:13

    I think the handle returned by GetModuleHandle is actually the base address of the given module. You get the handle of the exe by passing NULL.

    0 · Comments (0)
  • 2020-12-17 19:13

    Install pydbg

    Source: https://github.com/OpenRCE/pydbg

    Unofficial binaries here: http://www.lfd.uci.edu/~gohlke/pythonlibs/#pydbg

    from pydbg import *
    from pydbg.defines import *
    
    import struct
    
    dbg = pydbg()
    
    path_exe = "C:\\windows\\system32\\calc.exe"
    
    # Start the target under the debugger; the second argument is its command line
    dbg.load(path_exe, "-u amir")
    # Pump debug events until the debuggee exits or the debugger detaches
    dbg.debug_event_loop()
    
    # Thread context recorded by pydbg; ESP of the debuggee's thread
    parameter_addr = dbg.context.Esp #(+ 0x8)
    
    print('ESP (address) %#x' % parameter_addr)
    
    
    #attach not working under Win7 for me
    
    #pid = raw_input("Enter PID:")
    #print('PID entered %i' % int(pid))
    #dbg.attach(int(pid)) #attaching to running process not working
    
    

    You might want to have a look at PaiMei, although it's not very active right now https://github.com/OpenRCE/paimei

    I couldn't get attach() to work and used load instead. Pydbg has loads of functionality, such as read_process_memory, write_process_memory etc.

    Note that you can't randomly change memory, because an operating system protects the memory of other processes from your process (protected mode). Before the x86 processors there were some which allowed all processes to run in real mode, i.e. full access to memory for every program. Non-malicious software usually (always?) doesn't read/write other processes' memory.

    0 · Comments (0)
  • 2020-12-17 19:18

    The HMODULE value of GetModuleHandle is the base address of the loaded module and is probably the address you need to compute the offset.

    If not, that address is the start of the header of the module (DLL/EXE), which can be displayed with the dumpbin utility that comes with Visual Studio or you can interpret it yourself using the Microsoft PE and COFF Specification to determine the AddressOfEntryPoint and BaseOfCode as offsets from the base address. If the base address of the module isn't what you need, one of these two is another option.

    Example:

    >>> import win32api
    >>> BaseAddress = win32api.GetModuleHandle(None) + 0xBAFA8
    >>> print('{:08X}'.format(BaseAddress))
    1D0BAFA8
    

    If the AddressOfEntryPoint or BaseOfCode is needed, you'll have to use ctypes to call ReadProcessMemory following the PE specification to locate the offsets, or just use dumpbin /headers solitaire.exe to learn the offsets.

    0 · Comments (0)
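An added example, not code from any of the answers above, covering the gap between the answers and the question: GetModuleHandle only reports a module base inside the calling process (the Python interpreter), while solitaire.exe+BAFA8 is an offset from the base of a module loaded in another process. The script below snapshots the target process's module list with CreateToolhelp32Snapshot/Module32First/Module32Next to get modBaseAddr, reads the PE header out of that process with ReadProcessMemory, and parses AddressOfEntryPoint, BaseOfCode and ImageBase the way answer 3 describes. The Windows-only calls are isolated in helpers; the header parser is pure Python and is exercised on a constructed minimal PE header (not a real binary) so it can run offline. The PID, module name and extra offset are assumed to be supplied by the caller.

```python
"""Base address of a module inside another process, plus the PE header fields
answer 3 names (AddressOfEntryPoint, BaseOfCode). Added example, not code from
the original answers. Windows calls live in helpers; the parser is pure Python."""
import ctypes
import struct

TH32CS_SNAPMODULE, TH32CS_SNAPMODULE32 = 0x08, 0x10      # tlhelp32.h flags
PROCESS_VM_READ, PROCESS_QUERY_INFORMATION = 0x0010, 0x0400
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value
DWORD = ctypes.c_uint32                                   # 4 bytes on every ABI


class MODULEENTRY32(ctypes.Structure):
    # ANSI MODULEENTRY32; pointer fields are c_void_p so the layout is right
    # for both 32- and 64-bit Python (sizeof 548 / 568 on Windows).
    _fields_ = [("dwSize", DWORD), ("th32ModuleID", DWORD), ("th32ProcessID", DWORD),
                ("GlblcntUsage", DWORD), ("ProccntUsage", DWORD),
                ("modBaseAddr", ctypes.c_void_p), ("modBaseSize", DWORD),
                ("hModule", ctypes.c_void_p), ("szModule", ctypes.c_char * 256),
                ("szExePath", ctypes.c_char * 260)]


def _kernel32():
    """Load kernel32 with prototypes set; only callable on Windows."""
    k = ctypes.WinDLL("kernel32", use_last_error=True)
    k.CreateToolhelp32Snapshot.restype = ctypes.c_void_p
    k.CreateToolhelp32Snapshot.argtypes = [DWORD, DWORD]
    k.Module32First.argtypes = [ctypes.c_void_p, ctypes.POINTER(MODULEENTRY32)]
    k.Module32Next.argtypes = [ctypes.c_void_p, ctypes.POINTER(MODULEENTRY32)]
    k.OpenProcess.restype = ctypes.c_void_p
    k.OpenProcess.argtypes = [DWORD, ctypes.c_int, DWORD]
    k.ReadProcessMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                                    ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    k.CloseHandle.argtypes = [ctypes.c_void_p]
    return k


def find_module_base(pid, module_name):
    """Walk the target's module list and return modBaseAddr of module_name.
    A 32-bit Python cannot snapshot a 64-bit target (ERROR_PARTIAL_COPY)."""
    k = _kernel32()
    snap = k.CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, pid)
    if snap in (None, INVALID_HANDLE_VALUE):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        me = MODULEENTRY32()
        me.dwSize = ctypes.sizeof(me)
        ok = k.Module32First(snap, ctypes.byref(me))
        while ok:
            if me.szModule.decode("mbcs", "replace").lower() == module_name.lower():
                return me.modBaseAddr
            ok = k.Module32Next(snap, ctypes.byref(me))
    finally:
        k.CloseHandle(snap)
    raise LookupError("%s is not loaded in pid %d" % (module_name, pid))


def read_remote(pid, address, size):
    """ReadProcessMemory wrapper; needs PROCESS_VM_READ on the target."""
    k = _kernel32()
    h = k.OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, 0, pid)
    if not h:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        buf, got = ctypes.create_string_buffer(size), ctypes.c_size_t(0)
        if not k.ReadProcessMemory(h, address, buf, size, ctypes.byref(got)):
            raise ctypes.WinError(ctypes.get_last_error())
        return buf.raw[:got.value]
    finally:
        k.CloseHandle(h)


def parse_pe_offsets(header):
    """Fields from raw DOS+NT header bytes; RVAs are offsets from the module
    base, the same numbers dumpbin /headers prints."""
    if header[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", header, 0x3C)[0]
    if header[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine = struct.unpack_from("<H", header, e_lfanew + 4)[0]
    opt = e_lfanew + 24                      # IMAGE_FILE_HEADER is 20 bytes
    magic = struct.unpack_from("<H", header, opt)[0]
    entry, base_of_code = struct.unpack_from("<II", header, opt + 16)
    if magic == 0x10B:                       # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", header, opt + 28)[0]
    elif magic == 0x20B:                     # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", header, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    return {"machine": machine, "AddressOfEntryPoint": entry,
            "BaseOfCode": base_of_code, "ImageBase": image_base}


def remote_offsets(pid, module_name, extra=0):
    """solitaire.exe+BAFA8 style lookup against a live process (Windows only)."""
    base = find_module_base(pid, module_name)
    info = parse_pe_offsets(read_remote(pid, base, 0x1000))
    info.update(base=base, target=base + extra)
    return info


def sample_pe_header(pe32plus=True):
    """Constructed minimal header (not a real binary) to exercise the parser."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    if pe32plus:
        fh = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x22)
        opt = struct.pack("<HBBIIIIIQ", 0x20B, 14, 0, 0x1000, 0x800, 0,
                          0x1230, 0x1000, 0x140000000)
    else:
        fh = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
        opt = struct.pack("<HBBIIIIIII", 0x10B, 14, 0, 0x1000, 0x800, 0,
                          0x1230, 0x1000, 0x2000, 0x400000)
    return dos + b"PE\0\0" + fh + opt
```

On a Windows box, `remote_offsets(pid, "solitaire.exe", 0xBAFA8)` returns the live base, `base + 0xBAFA8`, and the entry-point and code RVAs read from the target's own header. Two caveats worth knowing before blaming the code: OpenProcess fails with access denied on processes of another user or with higher integrity unless you hold SeDebugPrivilege, and a 32-bit Python cannot enumerate or read a 64-bit target, so match the interpreter's bitness to the target.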