Python - How to get the start/base address of a process?

臣服心动 2020-12-17 18:34

How do I get the start/base address of a process? For example solitaire.exe (solitaire.exe+BAFA8)

#-*- coding: utf-8 -*-
import ctypes, win32ui, win32process
3 answers
  •  再見小時候
    2020-12-17 19:13

    Install pydbg

    Source: https://github.com/OpenRCE/pydbg

    Unofficial binaries here: http://www.lfd.uci.edu/~gohlke/pythonlibs/#pydbg

    # pydbg is a Python 2 library, so this snippet keeps Python 2 syntax.
    from pydbg import *
    from pydbg.defines import *

    import struct

    dbg = pydbg()

    path_exe = "C:\\windows\\system32\\calc.exe"

    # Start the target under the debugger instead of attaching to a running one.
    dbg.load(path_exe, "-u amir")
    dbg.debug_event_loop()

    # Stack pointer of the debuggee's thread at the current debug event.
    parameter_addr = dbg.context.Esp  # (+ 0x8)

    print 'ESP (address) ', parameter_addr


    # attach not working under Win7 for me

    # pid = raw_input("Enter PID:")
    # print 'PID entered %i' % int(pid)
    # dbg.attach(int(pid))  # attaching to running process not working

    You might want to have a look at PaiMei, although it's not very active right now https://github.com/OpenRCE/paimei

    I couldn't get attach() to work and used load instead. Pydbg has loads of functionality, such as read_process_memory, write_process_memory etc.

    Note that you can't randomly change memory, because an operating system protects the memory of other processes from your process (protected mode). Before the x86 processors there were some which allowed all processors to run in real mode, i.e. full access to memory for every program. Non-malicious software usually (always?) doesn't read/write other processes' memory.
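An added example, not code from the question or the answer above: it goes the ctypes route the question's imports hint at, enumerating a process's modules through psapi (EnumProcessModulesEx, GetModuleBaseNameW, GetModuleInformation) to get each module's base address and image size, and then resolves the question's "solitaire.exe+BAFA8" notation against that map with a bounds check, the same thing a debugger does when it prints module-relative addresses. The SAMPLE_MODULES values are constructed and the function names are my own; enumerate_modules() only works on Windows, while resolve_address() runs anywhere.

```python
import ctypes
import sys

# Constructed sample of an enumerate_modules() result: name -> (base, size).
SAMPLE_MODULES = {"solitaire.exe": (0x00400000, 0xF0000),
                  "ntdll.dll": (0x77D00000, 0x180000)}

def resolve_address(modules, spec):
    """Turn 'solitaire.exe+BAFA8' into an absolute address using a module
    map, rejecting offsets that fall outside the module's image."""
    name, _, off = spec.partition("+")
    offset = int(off, 16)            # ValueError if no '+hex' part
    key = name.strip().lower()
    bases = {k.lower(): v for k, v in modules.items()}
    if key not in bases:
        raise LookupError("module not loaded: %s" % name)
    base, size = bases[key]
    if offset >= size:
        raise ValueError("0x%X is outside %s (size 0x%X)" % (offset, name, size))
    return base + offset

class MODULEINFO(ctypes.Structure):  # psapi MODULEINFO layout
    _fields_ = [("lpBaseOfDll", ctypes.c_void_p), ("SizeOfImage", ctypes.c_uint32),
                ("EntryPoint", ctypes.c_void_p)]

def enumerate_modules(pid):
    """Windows only: name -> (base, size) via psapi; the caller needs
    PROCESS_QUERY_INFORMATION | PROCESS_VM_READ (0x0410) on the target."""
    if sys.platform != "win32":
        raise OSError("enumerate_modules needs the Win32 API")
    k32, psapi = ctypes.windll.kernel32, ctypes.windll.psapi
    k32.OpenProcess.restype = ctypes.c_void_p
    handle = ctypes.c_void_p(k32.OpenProcess(0x0410, False, pid))
    if not handle.value:
        raise ctypes.WinError()
    try:
        mods, needed = (ctypes.c_void_p * 1024)(), ctypes.c_uint32()
        name, info = ctypes.create_unicode_buffer(260), MODULEINFO()
        if not psapi.EnumProcessModulesEx(handle, mods, ctypes.sizeof(mods),
                                          ctypes.byref(needed), 0x03):  # LIST_MODULES_ALL
            raise ctypes.WinError()
        result = {}
        for i in range(needed.value // ctypes.sizeof(ctypes.c_void_p)):
            hmod = ctypes.c_void_p(mods[i])  # an HMODULE is the module's base address
            psapi.GetModuleBaseNameW(handle, hmod, name, 260)
            psapi.GetModuleInformation(handle, hmod, ctypes.byref(info), ctypes.sizeof(info))
            result[name.value] = (info.lpBaseOfDll, info.SizeOfImage)
        return result
    finally:
        k32.CloseHandle(handle)
```

On Windows, `resolve_address(enumerate_modules(pid), "solitaire.exe+BAFA8")` gives the live address for that process; the first entry returned by EnumProcessModulesEx is the main executable, so its base is the process's "start address" in the sense the question asks about.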
