How to get the memory information of a binary only with the Win32 API?

  Kiến thức lập trình

I want to create a program that gets the memory information from a process. I got to the point where I successfully call VirtualQueryEx to query the MEMORY_BASIC_INFORMATION.

My next step is to get the AllocationBase address of the (in lack of other words) “main module”. The one with the same name as the process, which would be noita.exe in my case. Confirming with Cheat Engine, this would be the range starting with 0x400000.

What API calls would I have to do in order to get that memory address?

1

You can use CreateToolhelp32Snapshot() with dwFlags set to TH32CS_SNAPMODULE or TH32CS_SNAPMODULE32 and th32ProcessID set to the ID of the process you are interested in. And then use Module32First()/Module32Next() on the snapshot to find the “main” module you are interested in. The returned MODULEENTRY32 will give you the modBaseAddr of the module.

See Traversing the module list on MSDN for an example.

6

if you need only exe base address, but not addresses of dll, you can read it from PEB.ImageBaseAddress of target process

if (HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION|PROCESS_VM_READ, FALSE, dwProcessId))
{
    PROCESS_BASIC_INFORMATION pbi;
    if (0 <= NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pbi, sizeof(pbi), 0))
    {
        PVOID ImageBaseAddress;
        if (ReadProcessMemory(hProcess, 
            &reinterpret_cast<PEB*>(pbi.PebBaseAddress)->ImageBaseAddress,
            &ImageBaseAddress, sizeof(ImageBaseAddress), 0))
        {
            DbgPrint("ImageBaseAddress = %pn", ImageBaseAddress);
        }
    }
    CloseHandle(hProcess);
}

LEAVE A COMMENT