[Last Call] Learn how to a build a cloud-first strategyRegister Now


Getting a module's base address and bound

Posted on 2007-08-09
Medium Priority
Last Modified: 2012-06-21
How can I obtain a module's base address and bound in memory? I have a DLL that I wrote, which is being loaded by an EXE (that I did *not* write) as a CBT Hook. I want to muddle with the memory of the EXE and alter a few instructions. I know the pattern I'm searching for and what I want to replace it with, but can't figure out how to obtain the base address to start searching from on-the-fly, as well as the ending address for that EXE module.

I want to dynamically find the base address and bound somehow, since the default base address specified in the PE header isn't always available and Windows can shift things around.
Question by:jimstar
  • 3
LVL 86

Accepted Solution

jkr earned 2000 total points
ID: 19663339
>>How can I obtain a module's base address and bound in memory?

The base address is avialble via

LPVOID pvBaseAddr = (LPVOID) GetModuleHandle("mymodule.dll");

What do you mean by "bound"?
LVL 22

Expert Comment

ID: 19663785
I think there are some useful functions for this in the ToolHelp API.

You can also approach it with the debugging API or Read/WriteProcessMemory.


Author Comment

ID: 19666043
Thanks, I didn't realize that the HMODULE returned from GetModuleHandle is actually a pointer to the base address of the module. By 'bound' I mean the size of the module or ending address, so when I'm searching for a particular byte pattern in the module's memory, I don't go past the end of that module.
LVL 86

Expert Comment

ID: 19666128
For the size, you can use

LPVOID pvBaseAddr = (LPVOID) GetModuleHandle("mymodule.dll");

VirtualQuery (pvBaseAddr, &mbi, sizeof ( mbi));

// 'size' is mbi.RegionSize
LVL 86

Expert Comment

ID: 19666163
Oh, BTW, you will need to use the MEMORY_BASIC_INFORMATION along with the size from above to to remove the 'readonly' attribute from the memory pages before altering anything, i.e.

DWORD dwProtect = mbi.Protect & ~PAGE_READONLY;
DWORD dwOld; // dummy


Featured Post

How to Use the Help Bell

Need to boost the visibility of your question for solutions? Use the Experts Exchange Help Bell to confirm priority levels and contact subject-matter experts for question attention.  Check out this how-to article for more information.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Templates For Beginners Or How To Encourage The Compiler To Work For You Introduction This tutorial is targeted at the reader who is, perhaps, familiar with the basics of C++ but would prefer a little slower introduction to the more ad…
Go is an acronym of golang, is a programming language developed Google in 2007. Go is a new language that is mostly in the C family, with significant input from Pascal/Modula/Oberon family. Hence Go arisen as low-level language with fast compilation…
The goal of the video will be to teach the user the difference and consequence of passing data by value vs passing data by reference in C++. An example of passing data by value as well as an example of passing data by reference will be be given. Bot…
The viewer will learn how to user default arguments when defining functions. This method of defining functions will be contrasted with the non-default-argument of defining functions.
Suggested Courses

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question