Get procedure/function address of another processe

Question

I'm writing a program that show the thread list of all opened process.

With a similiar program (Process Explorer), I can see the thread list, with some informations, like Thread ID, Priority, Start address, etc.

I'm able to retrieve all these informations too, but Process Explorer display Start address like this:

ModuleName!ProcedureName+$1111

How can I get ProcedureName without injecting a dll to use GetProcAddress?

You can inject some code to do it. – Seth Carnegie May 09 '12 at 01:31 — Seth Carnegie, May 09 '12 at 01:31
Yes, but, is possible get it without injecting? – paulohr May 09 '12 at 01:35 — paulohr, May 09 '12 at 01:35
You could parse the PE header and all that. – Seth Carnegie May 09 '12 at 01:37 — Seth Carnegie, May 09 '12 at 01:37

score 7 · Accepted Answer · answered May 09 '12 at 01:57

7

You can use the StackWalk64 WinAPi function which is part of the DbgHelp, if you want a delphi sample of how use this function try the asmprofiler project.

answered May 09 '12 at 01:57

RRUZ

134,889
20
356
483

Yep, and look at the map2dbg utility (google for it) to translate the delphi generated map file (if you enable that in the project options) into a dbg file that is needed by Process Explorer or the Windows API. Of course, with a little Jedi help, you could also parse the map file yourself, but personally I wouldn't go to that trouble. – Marjan Venema May 09 '12 at 06:04
Thanks RRUZ and Marjan Venema! – paulohr May 10 '12 at 11:53

Get procedure/function address of another processe

1 Answers1