Finding the baseaddress of a running process

夕颜 2021-01-14 02:49

I've got the following code:

import subprocess
from ctypes import *

#-Part where I get the PID and declare all variables-#

OpenProcess = windll.kernel32.Ope         


        
2 answers
  • 2021-01-14 02:58

    See How to enumerate modules in python 64bit for some good code to use. You are looking for 'modBaseAddr'.

    For more info on tagMODULEENTRY32, see http://msdn.microsoft.com/en-us/library/windows/desktop/ms684225(v=vs.85).aspx

    You could also use pymem ('obsolete' project but still works) with the following code (you want modBaseAddr):

      for m in self.listModules():
        if m.szModule==szModule:
          print m.szModule, m.szExePath, m.modBaseAddr
    
  • 2021-01-14 03:04

    I did manage to find a solution for python 3.5 32-bit and 64 bit.

    For 32 bit I used psutil and pymem (as already suggested on this question):

    import psutil
    import pymem
    
    my_pid = None
    pids = psutil.pids()
    for pid in pids:
        ps = psutil.Process(pid)
        # find process by .exe name, but note that there might be more instances of solitaire.exe
        if "solitaire.exe" in ps.name():
            my_pid = ps.pid
            print( "%s running with pid: %d" % (ps.name(), ps.pid) )
    
    # use the PID matched in the loop above, not the last PID that was iterated
    base_address = pymem.process.base_address(my_pid)
    

    For 64 bit pymem was not working. I found suggestions using win32api.GetModuleHandle(fileName) but it required win32api.LoadLibrary(fileName) which was not using an already running process.

    Therefore I found this suboptimal solution, since this returns a whole list of possibilities:

    import win32process
    import win32api
    
    # first get pid, see the 32-bit solution
    
    PROCESS_ALL_ACCESS = 0x1F0FFF
    processHandle = win32api.OpenProcess(PROCESS_ALL_ACCESS, False, my_pid)
    modules = win32process.EnumProcessModules(processHandle)
    processHandle.Close()  # PyHANDLE exposes Close(), not close()
    base_addr = modules[0] # for me it worked to select the first item in list...
    
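An added example, not code from either answer: the `tagMODULEENTRY32` / `modBaseAddr` route mentioned in the first answer, written with plain ctypes so it works from both 32-bit and 64-bit Python. The names `iter_modules` and `find_base` are hypothetical helpers introduced here; the PID and module name are taken from the command line.

```python
import ctypes
import sys

DWORD = ctypes.c_uint32  # 32 bits on every platform, unlike c_ulong
TH32CS_SNAPMODULE, TH32CS_SNAPMODULE32 = 0x08, 0x10  # 0x10: also list 32-bit modules
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value

class MODULEENTRY32(ctypes.Structure):
    # ANSI layout of tagMODULEENTRY32 (MAX_MODULE_NAME32 + 1 = 256, MAX_PATH = 260)
    _fields_ = [
        ("dwSize", DWORD), ("th32ModuleID", DWORD), ("th32ProcessID", DWORD),
        ("GlblcntUsage", DWORD), ("ProccntUsage", DWORD),
        ("modBaseAddr", ctypes.c_void_p),  # pointer-sized: 8 bytes on x64
        ("modBaseSize", DWORD),
        ("hModule", ctypes.c_void_p),
        ("szModule", ctypes.c_char * 256),
        ("szExePath", ctypes.c_char * 260),
    ]

def iter_modules(pid):
    """Yield (module name, base address) for a running process. Windows only."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    # Without explicit restype/argtypes ctypes assumes C int and truncates handles.
    k32.CreateToolhelp32Snapshot.restype = ctypes.c_void_p
    k32.CreateToolhelp32Snapshot.argtypes = [DWORD, DWORD]
    for fn in (k32.Module32First, k32.Module32Next):
        fn.argtypes = [ctypes.c_void_p, ctypes.POINTER(MODULEENTRY32)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, pid)
    if snap in (None, INVALID_HANDLE_VALUE):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        entry = MODULEENTRY32(dwSize=ctypes.sizeof(MODULEENTRY32))
        ok = k32.Module32First(snap, ctypes.byref(entry))
        while ok:
            yield entry.szModule.decode("mbcs"), entry.modBaseAddr
            ok = k32.Module32Next(snap, ctypes.byref(entry))
    finally:
        k32.CloseHandle(snap)

def find_base(modules, name):
    """Base address of the first module whose name matches (case-insensitive)."""
    return next((b for n, b in modules if n.lower() == name.lower()), None)

if __name__ == "__main__" and sys.platform == "win32":
    base = find_base(iter_modules(int(sys.argv[1])), sys.argv[2])
    print(hex(base) if base is not None else "module not found")
```

A 32-bit interpreter cannot snapshot the modules of a 64-bit process (the call fails with ERROR_PARTIAL_COPY), so run it under a Python whose bitness matches the target.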