I created an injector program for one of my projects, and right now I have 00400000h, which not all exes have as their base. I know I could open the exe and read it, but I was hoping to load it in suspended mode and then get its module handle, which is also the base address.

I tried toolhelp and psapi; both don't seem to work on suspended processes,

or I don't know how to make them work on them.

I know I could use GetModuleHandle, but that would not support multiple instances of the same program.
Posted on 2005-01-10 07:26:40 by devilsclaw
Hmm, well, I figured out what I wanted, but it's not exactly the way I wanted to do it.


Yes, I know this is C/C++, but it is about the same syntax if you use MASM, which I'm also used to.



#include <windows.h>

/* ProcessInfo is the PROCESS_INFORMATION filled in by CreateProcess(..., CREATE_SUSPENDED, ...) */
PROCESS_INFORMATION ProcessInfo;
DEBUG_EVENT DebugEvent;
DWORD BaseMemory = 0;

/* Attaching as a debugger delivers a CREATE_PROCESS_DEBUG_EVENT first;
   its lpBaseOfImage is the address the exe was actually mapped at. */
if (DebugActiveProcess(ProcessInfo.dwProcessId) &&
    WaitForDebugEvent(&DebugEvent, INFINITE) &&
    DebugEvent.dwDebugEventCode == CREATE_PROCESS_DEBUG_EVENT)
{
    BaseMemory = (DWORD)DebugEvent.u.CreateProcessInfo.lpBaseOfImage;
    CloseHandle(DebugEvent.u.CreateProcessInfo.hFile);   /* the debugger owns this file handle */
}

DebugSetProcessKillOnExit(FALSE);                 /* keep the target alive when we detach */
DebugActiveProcessStop(ProcessInfo.dwProcessId);  /* detach; the process stays suspended */


I was wondering if there is any other way to get the base with the process in a suspended state and without opening the exe itself.
Posted on 2005-01-12 20:28:32 by devilsclaw
Couldn't you use NtQueryInformationProcess?


packetvb
Posted on 2005-01-12 21:27:31 by packetvb
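The route packetvb suggests, worked through as an added example (this is not code from either poster): NtQueryInformationProcess with ProcessBasicInformation returns the address of the target's PEB, and PEB->ImageBaseAddress is the load address of the exe, which is final as soon as CreateProcess(CREATE_SUSPENDED) returns because the image is mapped before the initial thread exists (so relocation is already reflected, and no loader or toolhelp data is needed). The example also shows the second NT-only path: at the suspended start point the main thread's context carries the PEB pointer (Ebx on x86, Rdx on x64). The PEB offsets assumed here are 0x08 (32-bit) and 0x10 (64-bit), the target is assumed to have the same bitness as the injector, and the PEB snapshot bytes used by the self-test are constructed. None of this exists on Win9x, which has no PEB or ntdll exports of this kind.

```c
/* Added example: image base of a CREATE_SUSPENDED process via PEB->ImageBaseAddress.
 * The parsing helpers are portable; the Win32 part is guarded by _WIN32. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* PEB begins with four one-byte fields, then Mutant (HANDLE), then ImageBaseAddress (PVOID);
 * on 64-bit there are four bytes of padding after the byte fields.  Assumed NT layout. */
size_t peb_image_base_offset(size_t ptr_size)
{
    return ptr_size == 8 ? 0x10 : 0x08;
}

/* Pull ImageBaseAddress out of raw little-endian bytes copied from the start of the PEB.
 * Returns 0 when the buffer is too short or the pointer size is not 4 or 8. */
uint64_t peb_image_base(const uint8_t *peb, size_t len, size_t ptr_size)
{
    size_t off = peb_image_base_offset(ptr_size);
    if (!peb || (ptr_size != 4 && ptr_size != 8) || len < off + ptr_size)
        return 0;
    uint64_t v = 0;
    for (size_t i = 0; i < ptr_size; i++)
        v |= (uint64_t)peb[off + i] << (8 * i);
    return v;
}

/* Offline self-checks on constructed PEB snapshots (not data read from a real process). */
uint64_t demo_sample_peb64(void)
{
    uint8_t snap[0x18] = {0};
    const uint8_t base_le[8] = {0x00, 0x00, 0x34, 0x12, 0xf6, 0x7f, 0x00, 0x00}; /* 0x7ff612340000 */
    memcpy(snap + 0x10, base_le, 8);
    return peb_image_base(snap, sizeof(snap), 8);
}

uint64_t demo_sample_peb32(void)
{
    uint8_t snap[0x0c] = {0};
    const uint8_t base_le[4] = {0x00, 0x00, 0x40, 0x00};                         /* 0x00400000 */
    memcpy(snap + 0x08, base_le, 4);
    return peb_image_base(snap, sizeof(snap), 4);
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#include <stdio.h>

typedef NTSTATUS (NTAPI *NtQueryInformationProcess_t)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);

/* Path 1: ask the kernel for the PEB address. */
static PVOID peb_via_ntquery(HANDLE hProcess)
{
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    NtQueryInformationProcess_t fn = ntdll
        ? (NtQueryInformationProcess_t)GetProcAddress(ntdll, "NtQueryInformationProcess") : NULL;
    PROCESS_BASIC_INFORMATION pbi;
    if (!fn || fn(hProcess, ProcessBasicInformation, &pbi, sizeof(pbi), NULL) != 0)
        return NULL;
    return pbi.PebBaseAddress;
}

/* Path 2: the initial thread context of a suspended process points at the PEB
 * (x86: Ebx, x64: Rdx); Eax/Rcx hold the entry point. */
static PVOID peb_via_context(HANDLE hThread)
{
    CONTEXT ctx;
    memset(&ctx, 0, sizeof(ctx));
    ctx.ContextFlags = CONTEXT_FULL;
    if (!GetThreadContext(hThread, &ctx))
        return NULL;
#ifdef _WIN64
    return (PVOID)ctx.Rdx;
#else
    return (PVOID)ctx.Ebx;
#endif
}

/* Launch cmdline suspended, read the image base from its PEB, then tear it down (no injection here). */
uint64_t suspended_image_base(const char *cmdline)
{
    STARTUPINFOA si; PROCESS_INFORMATION pi;
    char cmd[2 * MAX_PATH]; uint8_t snap[0x18]; SIZE_T got = 0; uint64_t base = 0;
    memset(&si, 0, sizeof(si)); si.cb = sizeof(si);
    strncpy(cmd, cmdline, sizeof(cmd) - 1); cmd[sizeof(cmd) - 1] = '\0';   /* CreateProcessA may modify it */
    if (!CreateProcessA(NULL, cmd, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi))
        return 0;
    PVOID peb = peb_via_ntquery(pi.hProcess);
    if (!peb) peb = peb_via_context(pi.hThread);
    if (peb && ReadProcessMemory(pi.hProcess, peb, snap, sizeof(snap), &got))
        base = peb_image_base(snap, got, sizeof(PVOID));
    TerminateProcess(pi.hProcess, 0);
    CloseHandle(pi.hThread); CloseHandle(pi.hProcess);
    return base;
}

int main(void)
{
    printf("image base: 0x%llx\n", (unsigned long long)suspended_image_base("notepad.exe"));
    return 0;
}
#endif
```

Because the image is mapped but the loader has not run yet, toolhelp and psapi have no module list to walk at this point; reading the PEB directly sidesteps that, and the result is the same value the CREATE_PROCESS_DEBUG_EVENT above reports in lpBaseOfImage.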
It looks like I could, but it's not Win9x compatible and I like to keep backwards compatibility up.
Posted on 2005-01-13 00:17:28 by devilsclaw
It looks like I could, but it's not Win9x compatible and I like to keep backwards compatibility up.


Win9x, what's that?

hehe
Posted on 2005-01-13 00:26:31 by packetvb