Is there a way in C++/windows to get the exe/DLL image base address? thanks :)
To get the base address of a module(DLL or EXE) in memory you can enumerate the loaded modules using ToolHelp32Snapshot Windows API function. Microsoft provides documented source code to find the module. Basically you need 2 functions, one to grab the ProcessId and then one to get the base address.
It has to do with the amount of address space mapped by a single page directory entry on an x86 and a design decision made in 1987. The only technical requirement for the base address of an EXE is that it be a multiple of 64KB.
To compute the base address, you determine the memory address associated with the lowest p_vaddr value for a PT_LOAD segment. You then obtain the base address by truncating the memory address to the nearest multiple of the maximum page size.
The image base is the address at which Windows loads a module. The default image base is $00400000, which is the Windows default. You don't need to change this for programs, but you should change it for libraries and packages. Windows must load every module at a unique address.
If you load the binary into your own process you can use GetModuleHandle. It returns a HMODULE, but that is the same as HINSTANCE and the base address.
If you want to know what base address the binary prefers you should read the PE header. See here and look for the ImageBase field in IMAGE_OPTIONAL_HEADER.
Edit: GetModuleHandle(NULL) will return the base address (altough the specified type is HMODULE) for the current process.
If you are examining an DLL or EXE file on disk, use the dumpbin utility. It in installed with Visual Studio or the SDK.
Example Output of dumpbin /headers:
FILE HEADER VALUES
14C machine (i386)
6 number of sections
306F7A22 time date stamp Sun Oct 01 22:35:30 1995
0 file pointer to symbol table
1D1 number of symbols
E0 size of optional header
302 characteristics
Executable
32 bit word machine
Debug information stripped
OPTIONAL HEADER VALUES
10B magic #
2.60 linker version
1E00 size of code
1E00 size of initialized data
0 size of uninitialized data
1144 address of entry point
1000 base of code
3000 base of data
----- new -----
**2BB0000 image base** <--- This is what you are looking for
1000 section alignment
200 file alignment
3 subsystem (Windows CUI)
4.00 operating system version
4.00 image version
3.50 subsystem version
8000 size of image
400 size of headers
62C8 checksum
100000 size of stack reserve
1000 size of stack commit
100000 size of heap reserve
1000 size of heap commit
0 [ 0] address [size] of Export Directory
5000 [ 3C] address [size] of Import Directory
6000 [ 394] address [size] of Resource Directory
0 [ 0] address [size] of Exception Directory
0 [ 0] address [size] of Security Directory
7000 [ 21C] address [size] of Base Relocation Directory
3030 [ 38] address [size] of Debug Directory
0 [ 0] address [size] of Description Directory
0 [ 0] address [size] of Special Directory
0 [ 0] address [size] of Thread Storage Directory
0 [ 0] address [size] of Load Configuration Directory
268 [ 44] address [size] of Bound Import Directory
50A0 [ 64] address [size] of Import Address Table Directory
0 [ 0] address [size] of Reserved Directory
0 [ 0] address [size] of Reserved Directory
0 [ 0] address [size] of Reserved Directory
SECTION HEADER #1
.text name
1D24 virtual size
1000 virtual address
1E00 size of raw data
400 file pointer to raw data
0 file pointer to relocation table
3C20 file pointer to line numbers
0 number of relocations
37E number of line numbers
60000020 flags
Code
(no align specified)
Execute Read
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With