下面代码是通过进程ID来获取进程的基地址,创建一个进程快照后,读取进程模块,一般情况下第一个模块就是进程的基地址,下面的程序通过模块的字符串匹配来找到基地址。通过MODULEENTRY32来读取,下面是代码:
#include <Windows.h> #include <Tlhelp32.h> #include <stdio.h> HMODULE fnGetProcessBase(DWORD PID); DWORD GetLastErrorBox(HWND hWnd, LPSTR lpTitle) ; int main() { HMODULE hModule = fnGetProcessBase(6520); printf("%X",hModule); return 0; } HMODULE fnGetProcessBase(DWORD PID) { //获取进程基址 HANDLE hSnapShot; //通过CreateToolhelp32Snapshot和线程ID,获取进程快照 hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, PID); if (hSnapShot == INVALID_HANDLE_VALUE) { GetLastErrorBox(NULL,"无法创建快照"); return NULL; } MODULEENTRY32 ModuleEntry32; ModuleEntry32.dwSize = sizeof(ModuleEntry32); if (Module32First(hSnapShot, &ModuleEntry32)) { do { TCHAR szExt[5]; strcpy(szExt, ModuleEntry32.szExePath + strlen(ModuleEntry32.szExePath) - 4); for (int i = 0;i < 4;i++) { if ((szExt[i] >= 'a')&&(szExt[i] <= 'z')) { szExt[i] = szExt[i] - 0x20; } } if (!strcmp(szExt, ".EXE")) { CloseHandle(hSnapShot); return ModuleEntry32.hModule; } } while (Module32Next(hSnapShot, &ModuleEntry32)); } CloseHandle(hSnapShot); return NULL; } // 显示错误信息 DWORD GetLastErrorBox(HWND hWnd, LPSTR lpTitle) { LPVOID lpv; DWORD dwRv; if (GetLastError() == 0) return 0; dwRv = FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM, NULL, GetLastError(), MAKELANGID(LANG_ENGLISH, SUBLANG_ENGLISH_US), (LPSTR)&lpv, 0, NULL); MessageBox(hWnd, (LPCSTR)lpv, lpTitle, MB_OK); if(dwRv) LocalFree(lpv); SetLastError(0); return dwRv; }