Python - How to get the start/base address of a process?

Question

How do I get the start/base address of a process? Per example Solitaire.exe (solitaire.exe+BAFA8)

#-*- coding: utf-8 -*-
import ctypes, win32ui, win32process


PROCESS_ALL_ACCESS = 0x1F0FFF
HWND = win32ui.FindWindow(None,u"Solitär").GetSafeHwnd()
PID = win32process.GetWindowThreadProcessId(HWND)[1]
PROCESS = ctypes.windll.kernel32.OpenProcess(PROCESS_ALL_ACCESS,False,PID)

print PID, HWND,PROCESS

I would like to calculate a memory address and for this way I need the base address of solitaire.exe.

Here's a picture of what I mean:

Answer 1

You can use frida to easy do that. It is very useful to make hack and do some memory operation just like make address offset, read memory, write something to special memory etc... https://github.com/frida/frida

2021.08.01 update: Thanks for @Simas Joneliunas reminding

There some step using frida(windows):

1. Install frida by pip

pip install frida-tools # CLI tools
pip install frida       # Python bindings

2. Using frida api

session = frida.attach(processName)
script = session.create_script("""yourScript""")
script.load()
sys.stdin.read() #make program always alive
session.detach()

3. Edit your scrip(using JavaScrip)

var baseAddr = Module.findBaseAddress('solitaire.exe');
var firstPointer = baseAddr.add(0xBAFA8).readPointer();
var secondPointer = firstPointer.add(0x50).readPointer();
var thirdPointer = secondPointer.add(0x14).readPointer();
#if your target pointer points to a Ansi String, you can use #thirdPointer.readAnsiString() to read 

The official site https://frida.re/

Answer 2

I think the handle returned by GetModuleHandle is actually the base address of the given module. You get the handle of the exe by passing NULL.

Answer 3

The HMDOULE value of GetModuleHandle is the base address of the loaded module and is probably the address you need to compute the offset.

If not, that address is the start of the header of the module (DLL/EXE), which can be displayed with the dumpbin utility that comes with Visual Studio or you can interpret it yourself using the Microsoft PE and COFF Specification to determine the AddressOfEntryPoint and BaseOfCode as offsets from the base address. If the base address of the module isn't what you need, one of these two is another option.

Example:

>>> BaseAddress = win32api.GetModuleHandle(None) + 0xBAFA8
>>> print '{:08X}'.format(BaseAddress)
1D0BAFA8

If The AddressOfEntryPoint or BaseOfCode is needed, you'll have to use ctypes to call ReadProcessMemory following the PE specification to locate the offsets, or just use dumpbin /headers solitaire.exe to learn the offsets.

Answer 4

Install pydbg

Source: https://github.com/OpenRCE/pydbg

Unofficial binaries here: http://www.lfd.uci.edu/~gohlke/pythonlibs/#pydbg

from pydbg import *
from pydbg.defines import *

import struct

dbg = pydbg()

path_exe = "C:\\windows\\system32\\calc.exe"

dbg.load(path_exe, "-u amir")
dbg.debug_event_loop()

parameter_addr = dbg.context.Esp #(+ 0x8)

print 'ESP (address) ',parameter_addr


#attach not working under Win7 for me

#pid = raw_input("Enter PID:")
#print 'PID entered %i'%int(pid)
#dbg.attach(int(pid)) #attaching to running process not working

You might want to have a look at PaiMei, although it's not very active right now https://github.com/OpenRCE/paimei

I couldn't get attach() to work and used load instead. Pydbg has loads of functionality, such as read_proccess_memory, write_process_memory etc.

Note that you can't randomly change memory, because an operating system protects memory of other processes from your process (protected mode). Before the x86 processors there were some which allowed all processors to run in real mode, i.e. the full access of memory for every programm. Non-malicious software usually (always?) doesn't read/write other processes' memory.