JoeT
Reputation: 35
Find base address for a module using WinDbg
How can I determine the base address of a particular module (say, for instance, ntoskrnl.exe) in WinDbg? Is that possible?
Upvotes: 0
Views: 3603
Answers (1)
Thomas Weller
Reputation: 59410
lm (list modules) shows the information for DLLs. You can filter by name using lm m <name>, e.g.
0:000> lm m ntdll
Browse full module list
start end module name
77b90000 77d33000 ntdll (pdb symbols) d:\debug\symbols\wntdll.pdb\1074039C87B27BF997A06A9E2B1C84E61\wntdll.pdb
The number in the "start" column is the base address. You can confirm that it's just a different term by using !lmi. The output of that command explicitly mentions "Base address":
0:000> !lmi ntdll
Loaded Module Info: [ntdll]
Module: ntdll
Base Address: 77b90000
[...]
In fact, the name of the module itself can be used as the base address, so you don't actually need to copy/paste, type or remember the base address. E.g. instead of
0:000> db 77b90000 L2
77b90000 4d 5a MZ
you can also use
0:000> db ntdll L2
77b90000 4d 5a MZ
(actually the example with !lmi used that trick already)
Upvotes: 2
Related Questions
- How to calculate the address of a function using the base address of ntoskrnl.exe
- How do I get the address to kernel modules nt and win32k?
- C++ Get Module Base Address for 64bit Application
- How to get a base address of a module in C++ on Os X
- Windbg + IDA: calculate an address in a module
- Having issues getting the module base address C++
- windbg:Getting source code file at give address like "u address"
- Windbg !address command result
- module handle through base address
- WinDbg using known module