Application.exe + 000000 Read Memorry

Question

So as you can see I'm having some trouble with getting the .exe Base Address.

In this case, let's say that was Tutorial-x86_64.exe

How do I get the process address?

Hope anyone can help.

_"So as you can see...."_ - well no we can't actually. [ask] — , Jul 06 '18 at 00:17
https://github.com/lolp1/Process.NET he means Tutorial-x86_64.exe from cheatengine.org — SSpoke, Jul 06 '18 at 00:18
Internally:`DWORD base = (DWORD)::GetModuleHandleA("Tutorial-x86_64.exe");` Externally use TlHlp32 — Segy, Dec 02 '18 at 16:49

score 1 · Answer 1 · answered Jul 06 '18 at 00:19

System.Diagnostics.Process[] processes = System.Diagnostics.Process.GetProcessesByName("Tutorial-x86_64"); 

int base = processes[0].MainModule.BaseAddress.ToInt32();

you can also get EntryPoint

int base_adr = processes[0].MainModule.EntryPointAddress.ToInt32();
int height_offset = 0x0007E1BC; //some address example

int height_adr = (IntPtr)(base_adr + height_offset);

Here is another function.

   private static IntPtr GetModuleBaseAddress(string AppName, string ModuleName) 
    { 
        IntPtr BaseAddress = IntPtr.Zero; 
        Process[] myProcess = null; 
        ProcessModule myProcessModule = null; 

        myProcess = Process.GetProcessesByName(AppName); 

        if (myProcess.Length > 0) 
        { 
            ProcessModuleCollection myProcessModuleCollection; 

            try 
            { 
                myProcessModuleCollection = myProcess[0].Modules; 
            } 
            catch { return IntPtr.Zero; /*Maybe would be ok show the exception after/instead return*/ } 

            for (int i = 0; i < myProcessModuleCollection.Count; i++) 
            { 
                myProcessModule = myProcessModuleCollection[i]; 
                if (myProcessModule.ModuleName.Contains(ModuleName)) 
                { 
                    BaseAddress = myProcessModule.BaseAddress; 
                    break; 
                } 
            } 
        } 

        return BaseAddress; 
    }

`ToInt32()` on a 64-bit process seems a bit suspect. – Ben Voigt Jul 06 '18 at 02:28 — Ben Voigt, Jul 06 '18 at 02:28
My Bad, Ya use `ToInt64()` for x86_64 application – SSpoke Jul 06 '18 at 05:27 — SSpoke, Jul 06 '18 at 05:27

score 0 · Answer 2 · answered May 25 '19 at 20:58

using System.Diagnostics;
using System.Linq;

public IntPtr GetModuleBaseAddress(string processName, string moduleName)
{
    // Get an instance of the specified process
    Process process;

    try
    {
        process = Process.GetProcessesByName(processName)[0];
    }

    catch (IndexOutOfRangeException)
    {
        // The process isn't currently running
        throw new ArgumentException($"No process with name {processName} is currently running");
    }

    // Get an instance of the specified module in the process
    // We use linq here to avoid unnecesary for loops
    var module = process.Modules.Cast<ProcessModule>().SingleOrDefault(m => string.Equals(m.ModuleName, moduleName, StringComparison.OrdinalIgnoreCase));

    //Return IntPtr.Zero if the module doesn't exist in the process
    return module?.BaseAddress ?? IntPtr.Zero;
}



var modBaseAddress = GetModuleBaseAddress("Tutorial-x86_64.exe", "Tutorial-x86_64.exe");

Application.exe + 000000 Read Memorry

2 Answers2