获取进程的基地址

本文介绍了获取进程的基地址的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！ 问题描述

我想要访问某个进程的某个地址。但是，我需要先获得进程的基地址。我使用一个工具，看看我是否真的做到正确。该工具显示我需要以下：app.exe+ 0x011F9B08 = 0x119F8300

I want to access a certain address of a process. But for that i need to get the base address of the process first. I'm using a tool to see if i'm actually doing it right. The tool shows i need the following: "app.exe"+0x011F9B08 = 0x119F8300

一个进程的基地址通过 OpenProcess（），但是给我： 0x0000005c 结果。我不认为是对的吗？至少，不是我需要的。

I thought i could obtain the base address of a process through OpenProcess(), but that gives me: 0x0000005c as a result. I don't think that is right? Atleast, not what i need.

我认为我需要的基地址是： 0x119F8300 - 0x011F9B08 = 0x107FE7F8

I think the base address i need is: 0x119F8300 - 0x011F9B08 = 0x107FE7F8 <-- base?

这是我的代码：

hWindow = FindWindow(NULL, lpWindowName); if(hWindow) { GetWindowThreadProcessId(hWindow, &dwProcId); if(dwProcId != 0) { // hProcHandle -> 0x0000005c hProcHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcId); } else { return 0; } }

如何获取进程的基地址

推荐答案

如果要在其他进程的地址空间中获取虚拟地址 >，您可以这样做：

If you want to get the virtual address within the other process's address space, you can do that like so:

使用 OpenProcess - 如果成功，返回的值是进程的句柄，它只是内核用来标识内核对象的不透明令牌。其确切的整数值（在您的情况下为0x5c）对用户空间程序没有意义，除了将其与其他句柄和无效句柄区分开来。

调用 GetProcessImageFileName 获取进程的主要可执行模块的名称。

使用 EnumProcessModules 枚举目标进程中所有模块的列表。

对于每个模块，调用 GetModuleFileNameEx 以获取文件名，并将其与可执行文件名进行比较。

当您找到可执行文件的模块时，调用 GetModuleInformation 以获取可执行文件的原始入口点。

Open the process using OpenProcess -- if successful, the value returned is a handle to the process, which is just an opaque token used by the kernel to identify a kernel object. Its exact integer value (0x5c in your case) has no meaning to userspace programs, other than to distinguish it from other handles and invalid handles.

Call GetProcessImageFileName to get the name of the main executable module of the process.

Use EnumProcessModules to enumerate the list of all modules in the target process.

For each module, call GetModuleFileNameEx to get the filename, and compare it with the executable's filename.

When you've found the executable's module, call GetModuleInformation to get the raw entry point of the executable.

这将给你虚拟地址，但是你可以做的很多，因为它没有映射到当前进程的地址空间。

This will give you the virtual address, but there's not a whole lot you can do with it since it's not mapped into your current process's address space.