Getting a module's base address and bound

Posted on 2007-08-09
Last Modified: 2012-06-21
How can I obtain a module's base address and bound in memory? I have a DLL that I wrote, which is being loaded by an EXE (that I did *not* write) as a CBT Hook. I want to muddle with the memory of the EXE and alter a few instructions. I know the pattern I'm searching for and what I want to replace it with, but can't figure out how to obtain the base address to start searching from on-the-fly, as well as the ending address for that EXE module.

I want to dynamically find the base address and bound somehow, since the default base address specified in the PE header isn't always available and Windows can shift things around.
Question by: jimstar
    LVL 86

    Accepted Solution

    >>How can I obtain a module's base address and bound in memory?

    The base address is available via

    LPVOID pvBaseAddr = (LPVOID) GetModuleHandle("mymodule.dll");

    What do you mean by "bound"?
    LVL 22

    Expert Comment

    I think there are some useful functions for this in the ToolHelp API.

    You can also approach it with the debugging API or Read/WriteProcessMemory.

    LVL 4

    Author Comment

    Thanks, I didn't realize that the HMODULE returned from GetModuleHandle is actually a pointer to the base address of the module. By 'bound' I mean the size of the module or ending address, so when I'm searching for a particular byte pattern in the module's memory, I don't go past the end of that module.
    LVL 86

    Expert Comment

    For the size, you can use

    MEMORY_BASIC_INFORMATION mbi; // receives the result of VirtualQuery
    LPVOID pvBaseAddr = (LPVOID) GetModuleHandle("mymodule.dll");

    VirtualQuery (pvBaseAddr, &mbi, sizeof ( mbi));

    // 'size' is mbi.RegionSize
    LVL 86

    Expert Comment

    Oh, BTW, you will need to use the MEMORY_BASIC_INFORMATION along with the size from above to remove the 'readonly' attribute from the memory pages before altering anything, i.e.

    DWORD dwProtect = mbi.Protect & ~PAGE_READONLY;
    DWORD dwOld; // dummy
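
Added example, not part of the original thread: the full mapped extent of a module is recorded in the PE header at its base address as SizeOfImage, whereas VirtualQuery's RegionSize covers only the run of pages with identical attributes starting at the queried address. The C code below reads that field with bounds checks from a constructed header buffer; `pe_image_size` and `make_sample_image` are hypothetical names, and the buffer is sample data, not a real module.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian reads that do not depend on host alignment or byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 and stores SizeOfImage on success, or a negative code:
 * -1 no "MZ", -2 e_lfanew out of range, -3 no "PE\0\0", -4 unknown optional-header magic.
 * 'avail' is how many bytes at 'base' are known to be readable. */
int pe_image_size(const uint8_t *base, size_t avail, uint32_t *size_out)
{
    if (avail < 0x40 || rd16(base) != 0x5A4D) return -1;   /* IMAGE_DOS_HEADER "MZ" */
    uint32_t nt = rd32(base + 0x3C);                       /* e_lfanew */
    /* Signature (4) + file header (20) + optional header through SizeOfImage (60). */
    if (nt > avail || avail - nt < 4 + 20 + 60) return -2;
    if (rd32(base + nt) != 0x00004550) return -3;          /* "PE\0\0" */
    const uint8_t *opt = base + nt + 4 + 20;
    uint16_t magic = rd16(opt);
    if (magic != 0x10B && magic != 0x20B) return -4;       /* PE32 / PE32+ */
    *size_out = rd32(opt + 56);                            /* same offset in both */
    return 0;
}

/* Constructed sample: a minimal header page, not a real module. */
void make_sample_image(uint8_t *buf, size_t len, uint16_t magic, uint32_t size_of_image)
{
    memset(buf, 0, len);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x80;                                      /* e_lfanew = 0x80 */
    memcpy(buf + 0x80, "PE\0\0", 4);
    buf[0x98] = (uint8_t)magic; buf[0x99] = (uint8_t)(magic >> 8);
    for (int i = 0; i < 4; i++) buf[0x98 + 56 + i] = (uint8_t)(size_of_image >> (8 * i));
}

int main(void)
{
    uint8_t page[0x1000];
    uint32_t size = 0;
    make_sample_image(page, sizeof page, 0x20B, 0x0002A000);
    int rc = pe_image_size(page, sizeof page, &size);
    /* A bounded search over the module would cover [base, base + size). */
    printf("rc=%d SizeOfImage=0x%X\n", rc, (unsigned)size);
    return rc;
}
```

In a loaded process these headers sit at the address GetModuleHandle returns, so the same parser applies there with `avail` set to the size of the readable header region.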

