Python - How to get the start/base address of a process?

Question

How do I get the start/base address of a process? Per example Solitaire.exe (solitaire.exe+BAFA8)

#-*- coding: utf-8 -*-
import ctypes, win32ui, win32process         


        

Answer 1

The HMDOULE value of GetModuleHandle is the base address of the loaded module and is probably the address you need to compute the offset.

If not, that address is the start of the header of the module (DLL/EXE), which can be displayed with the dumpbin utility that comes with Visual Studio or you can interpret it yourself using the Microsoft PE and COFF Specification to determine the AddressOfEntryPoint and BaseOfCode as offsets from the base address. If the base address of the module isn't what you need, one of these two is another option.

Example:

>>> BaseAddress = win32api.GetModuleHandle(None) + 0xBAFA8
>>> print '{:08X}'.format(BaseAddress)
1D0BAFA8

If The AddressOfEntryPoint or BaseOfCode is needed, you'll have to use ctypes to call ReadProcessMemory following the PE specification to locate the offsets, or just use dumpbin /headers solitaire.exe to learn the offsets.