
module32first/..next don't seem to work on windows7

Posted: Tue Jun 01, 2010 7:06 pm
by mikky
Hi.
I want to make a trainer in MASM. I'm stuck retrieving the module base address of a DLL. In Windows XP all works fine, but in Windows 7 it does not work. I don't know why.
Here's the routine I use:

GetModuleBaseAddress proc iProcID:DWORD, DLLName:DWORD
LOCAL hSnap:DWORD
LOCAL xModule:MODULEENTRY32
invoke CreateToolhelp32Snapshot, TH32CS_SNAPMODULE, iProcID
mov hSnap,eax
mov xModule.dwSize, sizeof xModule
invoke Module32First, hSnap, addr xModule
test eax, eax
jnz getdll
mov eax, 0
ret
getdll:
invoke Module32Next, hSnap, addr xModule
test eax, eax
jnz checkdll
mov eax, 0
ret
checkdll:
invoke lstrcmpi, DLLName, addr xModule.szModule
test eax, eax
jnz getdll
mov eax, xModule.modBaseAddr
ret
GetModuleBaseAddress endp


I tried to set the SeDebugPrivilege, but still the routine puts 0 in eax (no success). What could be the cause?

Re: module32first/..next don't seem to work on windows7

Posted: Wed Jun 09, 2010 8:01 am
by denispn
Hi, I also need to get the module base address of a dll in memory.

I want to create the pointer below, but every time I start the process, Engine.dll is at a different memory address.
[[[[Engine.dll+0x002B1B98]+0xB8]+0x24]+0xDC]+0x3DC

Using (coded in fasm):

Code:
        invoke  GetModuleHandleA,Name_of_DLL
        mov     [BaseAddress],eax


Does not work. Please, help.

Thanks,
ctl3d32

Re: module32first/..next don't seem to work on windows7

Posted: Wed Jun 09, 2010 1:10 pm
by L. Spiro
mikky wrote:
Hi.
I want to make a trainer in MASM. I'm stuck retrieving the module base address of a DLL. In Windows XP all works fine, but in Windows 7 it does not work. I don't know why.
Here's the routine I use:

GetModuleBaseAddress proc iProcID:DWORD, DLLName:DWORD
LOCAL hSnap:DWORD
LOCAL xModule:MODULEENTRY32
invoke CreateToolhelp32Snapshot, TH32CS_SNAPMODULE, iProcID
mov hSnap,eax
mov xModule.dwSize, sizeof xModule
invoke Module32First, hSnap, addr xModule
test eax, eax
jnz getdll
mov eax, 0
ret
getdll:
invoke Module32Next, hSnap, addr xModule
test eax, eax
jnz checkdll
mov eax, 0
ret
checkdll:
invoke lstrcmpi, DLLName, addr xModule.szModule
test eax, eax
jnz getdll
mov eax, xModule.modBaseAddr
ret
GetModuleBaseAddress endp


I tried to set the SeDebugPrivilege, but still the routine puts 0 in eax (no success). What could be the cause?



#1:
You skipped the very first module, which is always the module of the target process itself. You never compared the string returned by Module32First().

#2:
lstrcmpi() does not accept a DWORD and a TCHAR *. It accepts a TCHAR * and a TCHAR *.
Even if “DWORD” is just to indicate the size of the data, pointers are not sizeof( DWORD ), they are sizeof( UINT_PTR ).
viewtopic.php?f=30&t=5519


denispn, that code would only work if your code is injected into the target process itself.
Assuming it is, there is no problem with the code you posted, except for using GetModuleHandleA() instead of GetModuleHandleW().


L. Spiro

Re: module32first/..next don't seem to work on windows7

Posted: Wed Jun 09, 2010 11:55 pm
by denispn
Hi!

Didn't get it.

I'm writing a .dll to inject into a game process, but the .exe of the game calls Engine.dll, and its address in memory is used in the pointer I wrote before. How do I get the base address of Engine.dll?

When I use "call GetModuleHandle("Engine.dll")", it returns an address that is not the address of Engine.dll in memory, but of my own .dll.

Thanks

Re: module32first/..next don't seem to work on windows7

Posted: Thu Jun 10, 2010 8:43 am
by L. Spiro
Walk the modules as shown above in mikky’s code (with corrections).


L. Spiro
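
The module walk with the two corrections from L. Spiro's reply applied, as an added example that is not part of the original thread or any poster's code: the entry returned by Module32First is compared before advancing, and the name parameter is declared as a pointer. It assumes the MASM32 SDK include paths; the INVALID_HANDLE_VALUE check, the CloseHandle calls, and the parameter name lpDLLName are additions of this example.

```masm
; Added example, not from the thread. Assumes the MASM32 SDK layout.
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib

.code

; Returns the base address of the named module in process iProcID,
; or 0 if the snapshot fails or no module name matches.
GetModuleBaseAddress proc iProcID:DWORD, lpDLLName:PTR BYTE
    LOCAL hSnap:DWORD
    LOCAL xModule:MODULEENTRY32

    invoke CreateToolhelp32Snapshot, TH32CS_SNAPMODULE, iProcID
    cmp eax, INVALID_HANDLE_VALUE       ; failure is -1, not 0
    je  failed
    mov hSnap, eax

    mov xModule.dwSize, sizeof MODULEENTRY32
    invoke Module32First, hSnap, addr xModule
checkdll:
    test eax, eax                       ; 0 = no (more) entries
    jz  notfound
    ; Compare every entry, including the one from Module32First.
    invoke lstrcmpi, lpDLLName, addr xModule.szModule
    test eax, eax
    jz  found                           ; 0 = names are equal
    invoke Module32Next, hSnap, addr xModule
    jmp checkdll

found:
    invoke CloseHandle, hSnap           ; xModule is a local, still valid
    mov eax, xModule.modBaseAddr
    ret
notfound:
    invoke CloseHandle, hSnap
failed:
    xor eax, eax
    ret
GetModuleBaseAddress endp

end
```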