Finding the memory address of a function [modified]
-
Hiya everyone, I was searching for some way to find the memory address of a function such as TerminateProcess. Is there a way to do this? I've read something about the VirtualQuery function, but I don't exactly understand how that can be applied. Could anyone give me a few pointers? (and maybe somewhere I can learn some more about Windows memory management.) Thanks. :) EDIT: this is what I'm reading right now.
modified on Thursday, September 24, 2009 2:23 PM
-
hxhl95 wrote:
I was searching for some way to find the memory address of a function such as TerminateProcess.
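Something like:
// Resolve the export at run time (kernel32.dll is already mapped into the process).
HMODULE hModule = LoadLibrary(_T("kernel32.dll"));
// WINAPI matches the API's calling convention; the name avoids the PROC typedef in <windows.h>.
typedef BOOL (WINAPI *PFN_TERMINATEPROCESS)(HANDLE, UINT);
PFN_TERMINATEPROCESS proc = (PFN_TERMINATEPROCESS) GetProcAddress(hModule, "TerminateProcess");
is much less succinct than Stuart's answer.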
"Old age is like a bank account. You withdraw later in life what you have deposited along the way." - Unknown
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
modified on Thursday, September 24, 2009 4:58 PM
-
If you have (for example) TerminateProcess's definition pulled in via a header, then
&TerminateProcess
is sufficient...
Java, Basic, who cares - it's all a bunch of tree-hugging hippy cr*p
-
hxhl95 wrote:
I was searching for some way to find the memory address of a function
hxhl95 wrote:
Could anyone give me a few pointers?
:-D
If the Lord God Almighty had consulted me before embarking upon the Creation, I would have recommended something simpler. -- Alfonso the Wise, 13th Century King of Castile.
This is going on my arrogant assumptions. You may have a superb reason why I'm completely wrong. -- Iain Clarke
[My articles] -
Thanks (to both you and DavidCrow, but I can't reply to two threads with a single reply...), I'll try that. Can't believe I didn't think of that... :doh: EDIT: Okay. So now if I hook TerminateProcess with my own dll, shouldn't the value of &TerminateProcess differ from the address of TerminateProcess in the kernel32.dll? I don't see any difference in the two addresses right now..:confused:
modified on Thursday, September 24, 2009 6:08 PM
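On the hooking question above: an inline hook overwrites the first bytes of the function and leaves its address unchanged, so comparing addresses cannot reveal it. The following added example (not code from the thread; all names and sample bytes are constructed) shows the check a defender would run instead: it inspects the entry-point bytes for common x86/x64 redirect sequences and reports whether the target leaves the exporting module. It assumes the caller has already copied the entry bytes and knows the module's base address and size.

```c
/* Added example, not from the thread. All identifiers are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { CLEAN, JMP_REL32, PUSH_RET, MOV_RAX_JMP } redirect_kind;
typedef struct {
    redirect_kind kind;
    uint64_t target;   /* where the first instruction(s) send execution */
    int outside;       /* 1 if target is not inside the owning module */
} prologue_report;

/* Read an n-byte little-endian integer regardless of host byte order. */
static uint64_t rd_le(const uint8_t *p, int n) {
    uint64_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* code/len: bytes copied from the function's entry point; addr: that entry
   point's address; mod_base/mod_size: range of the DLL that exports it. */
prologue_report check_prologue(const uint8_t *code, size_t len, uint64_t addr,
                               uint64_t mod_base, uint64_t mod_size) {
    prologue_report r = { CLEAN, 0, 0 };
    if (len >= 5 && code[0] == 0xE9) {                  /* jmp rel32 */
        r.kind = JMP_REL32;
        r.target = addr + 5 + (uint64_t)(int64_t)(int32_t)(uint32_t)rd_le(code + 1, 4);
    } else if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        r.kind = PUSH_RET;                              /* push imm32; ret (x86) */
        r.target = rd_le(code + 1, 4);
    } else if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 &&
               code[10] == 0xFF && code[11] == 0xE0) {
        r.kind = MOV_RAX_JMP;                           /* mov rax, imm64; jmp rax */
        r.target = rd_le(code + 2, 8);
    }
    if (r.kind != CLEAN) r.outside = (r.target - mod_base) >= mod_size;
    return r;
}

/* Constructed sample bytes, not captured from a real system. */
static const uint8_t SAMPLE_CLEAN[]  = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC }; /* mov edi,edi; push ebp; mov ebp,esp */
static const uint8_t SAMPLE_HOOKED[] = { 0xE9, 0xFB, 0xFF, 0xFF, 0x99 }; /* jmp 0x10001000 */
int main(void) {
    prologue_report a = check_prologue(SAMPLE_CLEAN, 5, 0x76001000, 0x76000000, 0x100000);
    prologue_report b = check_prologue(SAMPLE_HOOKED, 5, 0x76001000, 0x76000000, 0x100000);
    printf("clean: kind=%d\nhooked: kind=%d target=0x%llx outside=%d\n",
           a.kind, b.kind, (unsigned long long)b.target, b.outside);
    return 0;
}
```

A jump that stays inside the module can be legitimate (compiler thunks, hot patches), which is why the report keeps the pattern match separate from the out-of-module test.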
-
hxhl95 wrote:
but I can't reply to two threads with a single reply..
You can make a reply pointing to the other one's address... (sorry for the bad pun) :)
If the Lord God Almighty had consulted me before embarking upon the Creation, I would have recommended something simpler. -- Alfonso the Wise, 13th Century King of Castile.
This is going on my arrogant assumptions. You may have a superb reason why I'm completely wrong. -- Iain Clarke
[My articles]