Python - How to get the start/base address of a process?

Question

How do I get the start/base address of a process? Per example Solitaire.exe (solitaire.exe+BAFA8)

#-*- coding: utf-8 -*-
import ctypes, win32ui, win32process


PROCESS_ALL_ACCESS = 0x1F0FFF
HWND = win32ui.FindWindow(None,u"Solitär").GetSafeHwnd()
PID = win32process.GetWindowThreadProcessId(HWND)[1]
PROCESS = ctypes.windll.kernel32.OpenProcess(PROCESS_ALL_ACCESS,False,PID)

print PID, HWND,PROCESS

I would like to calculate a memory address and for this way I need the base address of solitaire.exe.

Here's a picture of what I mean:

Answer 1

I think the handle returned by GetModuleHandle is actually the base address of the given module. You get the handle of the exe by passing NULL.

Answer 2

Install pydbg

Source: https://github.com/OpenRCE/pydbg

Unofficial binaries here: http://www.lfd.uci.edu/~gohlke/pythonlibs/#pydbg

from pydbg import *
from pydbg.defines import *

import struct

dbg = pydbg()

path_exe = "C:\\windows\\system32\\calc.exe"

dbg.load(path_exe, "-u amir")
dbg.debug_event_loop()

parameter_addr = dbg.context.Esp #(+ 0x8)

print 'ESP (address) ',parameter_addr


#attach not working under Win7 for me

#pid = raw_input("Enter PID:")
#print 'PID entered %i'%int(pid)
#dbg.attach(int(pid)) #attaching to running process not working

You might want to have a look at PaiMei, although it's not very active right now https://github.com/OpenRCE/paimei

I couldn't get attach() to work and used load instead. Pydbg has loads of functionality, such as read_proccess_memory, write_process_memory etc.

Note that you can't randomly change memory, because an operating system protects memory of other processes from your process (protected mode). Before the x86 processors there were some which allowed all processors to run in real mode, i.e. the full access of memory for every programm. Non-malicious software usually (always?) doesn't read/write other processes' memory.