How to get the "Base Address" of the main module of another process


1

Hello, I made a piece of software that analyzes the dump of a certain Engine process to extract the XOR key from the game automatically, because it has a dynamic 16-byte XOR key that changes from one compilation of the game to the next... And to translate games from this engine I need to decrypt its files.

Currently I analyze a dump made by Processdump, and when it dumps a process it leaves the "Base Address" of the dumped module in the file name.

I wanted to know how I can, in C# and in a way compatible with both x86 and x64, get the "Base Address" of a process without having to dump it... after all, the Process class cannot tell me the Base Address; it always crashes when I try.

Yesterday I learned of a library called MemorySharp; could it be useful for my case?

PS: I accept P/Invoke

  • Have you tried using GetModuleHandle?

  • I wanted to be able to distinguish between processes with the same name, if possible by specifying the PID.

1 answer

1


Try this:

using System;
using System.Diagnostics;

// Find the target process by name (without ".exe") and take the first match.
Process[] processes = Process.GetProcessesByName("meuPrograma");
if (processes.Length == 0)
    throw new InvalidOperationException("Process not found");
Process mProc = processes[0];
IntPtr hProc = mProc.Handle; // needs query rights on the target process

// MainModule.BaseAddress is the load address of the main executable
// (EntryPointAddress is a different value). ToInt64 keeps the value from
// overflowing when the target is a 64-bit process.
long base_adr = mProc.MainModule.BaseAddress.ToInt64();
long height_offset = 0x0007E1BC;
IntPtr height_adr = (IntPtr)(base_adr + height_offset);

ckFreezeFlag.Text = "Base: " + base_adr.ToString("X");
ckFreezeMines.Text = "Height: " + height_adr.ToString("X");

Keep in mind that `mProc = processes[0];` may not have a result to return, which would cause an error, so you should test whether the array is empty.

The offset is up to you ;)

  • I have tried using this Process feature; it turns out that the process does not return any module...

  • Process[] processes = Process.GetProcessesByName("myProgram"); Is it returning any process in the array?

  • Yes, this is the error: http://image.prntscr.com/image/8dbcbad72cd9409fa0b2950097c8a7d1.jpeg

  • The image cut off the text of the Exception, so I cannot read the whole error; it may be a permission issue when running this code.

  • http://pastebin.com/CuC9TYf1 I have tried compiling my program as 32-bit, 64-bit and Any CPU... My machine is 64-bit, and so is the OS... but the process I want to analyze is usually 32-bit. And I have already run my program as an administrator.

  • I forgot to mention, but the code works; it turns out that at the time I was only using a build of the executable with a certain DRM that protected the list of modules. When I found that out, I just turned the feature off and it worked.
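As an added example (my code, not the answer's, the asker's, or MemorySharp's), here is how I would get the base address of a process selected by PID, which the question asked for so that processes with the same name can be told apart. It tries Process.MainModule.BaseAddress first and, if that throws (no rights, a protected process, or a bitness mismatch), falls back to the psapi EnumProcessModulesEx API through P/Invoke, whose first returned HMODULE is the main executable's base address. The class name ModuleBase, the method names and the command-line PID argument are my own choices; the Win32 constants and signatures are the documented ones.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;

// Added example, not code from the original question or answer.
// Returns the load address of a process's main module, chosen by PID.
// The result is kept as a 64-bit integer so the same build works for
// x86 and x64 targets.
static class ModuleBase
{
    const uint PROCESS_QUERY_INFORMATION = 0x0400;
    const uint PROCESS_VM_READ = 0x0010;
    const uint LIST_MODULES_ALL = 0x03;

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    // psapi.dll exports EnumProcessModulesEx on Windows Vista and later.
    [DllImport("psapi.dll", SetLastError = true)]
    static extern bool EnumProcessModulesEx(IntPtr hProcess, [Out] IntPtr[] lphModule,
                                            uint cb, out uint lpcbNeeded, uint dwFilterFlag);

    // Preferred path: the managed Process class. BaseAddress is the image base;
    // EntryPointAddress is a different value and must not be used for this.
    public static long FromProcessClass(int pid)
    {
        using (Process p = Process.GetProcessById(pid))
        {
            return p.MainModule.BaseAddress.ToInt64();
        }
    }

    // Fallback via P/Invoke. The first HMODULE that EnumProcessModulesEx returns
    // is the main executable, and an HMODULE is the module's base address.
    // Asking for a single entry is enough: the call still succeeds and only
    // reports in lpcbNeeded how much space a full list would take.
    public static long FromPsapi(int pid)
    {
        IntPtr hProc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, pid);
        if (hProc == IntPtr.Zero)
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            IntPtr[] modules = new IntPtr[1];
            uint needed;
            if (!EnumProcessModulesEx(hProc, modules, (uint)(modules.Length * IntPtr.Size),
                                      out needed, LIST_MODULES_ALL))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            return modules[0].ToInt64();
        }
        finally
        {
            CloseHandle(hProc);
        }
    }

    public static long Get(int pid)
    {
        try
        {
            return FromProcessClass(pid);
        }
        catch (Win32Exception)
        {
            // Typical causes: insufficient rights, a process that protects its
            // module list, or a 32-bit caller inspecting a 64-bit target.
            return FromPsapi(pid);
        }
    }

    static void Main(string[] args)
    {
        int pid = int.Parse(args[0]);
        long baseAddr = Get(pid);
        Console.WriteLine("PID {0}: main module base address 0x{1:X}", pid, baseAddr);
    }
}
```

Two practical notes. A 32-bit caller cannot enumerate the modules of a 64-bit target through either path, so for the asker's setup (64-bit OS, mostly 32-bit targets) an x64 or Any CPU build is the right choice, as the last comment confirms. And GetModuleHandle, suggested in the first comment, only answers for modules loaded in the calling process, which is why it cannot be used to inspect another process.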
