Process Module Base Address not Being Obtained

Open SDarkMagic opened this issue 4 years ago • 10 comments

So I'm trying to use this module (specifically the GCC branch), and whenever I try to use the GetModuleBase function, it always returns -1. I have tried it with the example2 program, and it still has the same issue. If this is just me being dumb, please let me know, and if you don't feel like fixing it, do you have any other modules that you could recommend to use instead of this one?

SDarkMagic avatar May 14 '21 22:05 SDarkMagic

I think I saw another C++ library that was similar to this one, but I can't find it anymore.

Did you run your program with admin privileges? You mention you used example2. Did you ensure that there is a process that is called notepad.exe?

T-vK avatar May 15 '21 00:05 T-vK

Yes, I have tried running as admin, and yes I have a process called notepad.exe

SDarkMagic avatar May 15 '21 21:05 SDarkMagic

You should check GetLastError after every function call and post the results here. Also, can you make sure that Memory.GetProcessId returns a valid process id and that OpenProcess returns a valid process handle? Also, please check if Memory.GetDebugPrivileges successfully enables SeDebugPrivilege on your process. This can be done using https://github.com/processhacker/processhacker

T-vK avatar May 28 '21 11:05 T-vK

SeDebugPrivilege gets enabled successfully. Memory.GetProcessId also functions correctly and returns a valid process ID, same goes for OpenProcess. When I run GetLastError it returns 0 up through Memory.GetModuleBase, upon which it starts to return 299.

SDarkMagic avatar Jun 01 '21 23:06 SDarkMagic

I think the error comes from EnumProcessModules. You could try replacing all occurrences of EnumProcessModules with EnumProcessModulesEx which has an additional parameter (the 5th parameter) which can be used to specify what kinds of modules to enumerate. Possible values for this parameter are:

  • LIST_MODULES_32BIT
  • LIST_MODULES_64BIT
  • LIST_MODULES_ALL
  • LIST_MODULES_DEFAULT

See if one of these fixes the issue.

More info on EnumProcessModulesEx can be found here: https://docs.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-enumprocessmodulesex

I think it's possible that notepad.exe used to be 32-bit at the time I tested this and that it's now 64-bit and thus doesn't work anymore by simply using EnumProcessModules, but I don't know for sure.

T-vK avatar Jun 02 '21 08:06 T-vK
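
Added example, not part of the thread or the Memory-Hacking-Class repository: Microsoft documents that EnumProcessModules called from a 32-bit process against a 64-bit target fails with ERROR_PARTIAL_COPY (299), so one way to test the bitness guess above is to read the PE optional-header magic of the target executable and compare it with the tool's own build. The names pe_bitness, same_bitness and sample_header are hypothetical, and the sample header bytes are constructed.

```cpp
#include <cstdint>
#include <cstdio>
#include <fstream>
#include <iterator>
#include <vector>

enum class Bitness { Unknown, Bits32, Bits64 };
// Bounds-checked little-endian read of n (<= 4) bytes at offset off.
static bool rd(const std::vector<uint8_t>& b, size_t off, size_t n, uint32_t& out) {
    if (off > b.size() || b.size() - off < n) return false;
    out = 0;
    for (size_t i = 0; i < n; ++i) out |= uint32_t(b[off + i]) << (8 * i);
    return true;
}

Bitness pe_bitness(const std::vector<uint8_t>& img) {
    uint32_t mz, lfanew, sig, magic;
    if (!rd(img, 0, 2, mz) || mz != 0x5A4D) return Bitness::Unknown;            // "MZ"
    if (!rd(img, 0x3C, 4, lfanew)) return Bitness::Unknown;                     // e_lfanew
    if (!rd(img, lfanew, 4, sig) || sig != 0x00004550) return Bitness::Unknown; // "PE\0\0"
    // The optional header follows the 4-byte signature and the 20-byte COFF header.
    if (!rd(img, size_t(lfanew) + 24, 2, magic)) return Bitness::Unknown;
    if (magic == 0x10B) return Bitness::Bits32;  // PE32
    if (magic == 0x20B) return Bitness::Bits64;  // PE32+
    return Bitness::Unknown;
}

// True when a caller with the given pointer size has the same bitness as the target.
bool same_bitness(Bitness target, size_t caller_ptr_bytes = sizeof(void*)) {
    return (target == Bitness::Bits32 && caller_ptr_bytes == 4) ||
           (target == Bitness::Bits64 && caller_ptr_bytes == 8);
}

// Constructed sample: the smallest header pe_bitness() accepts (not a loadable image).
std::vector<uint8_t> sample_header(uint16_t magic) {
    std::vector<uint8_t> b(0x40 + 26, 0);
    b[0] = 'M'; b[1] = 'Z'; b[0x3C] = 0x40; b[0x40] = 'P'; b[0x41] = 'E';  // e_lfanew = 0x40
    b[0x40 + 24] = uint8_t(magic & 0xFF); b[0x40 + 25] = uint8_t(magic >> 8);
    return b;
}

int main(int argc, char** argv) {
    if (argc < 2) { std::puts("usage: pebits <path-to-exe>"); return 2; }
    std::ifstream f(argv[1], std::ios::binary);
    std::vector<uint8_t> img((std::istreambuf_iterator<char>(f)), std::istreambuf_iterator<char>());
    Bitness b = pe_bitness(img);
    const char* name = b == Bitness::Bits64 ? "64-bit" : b == Bitness::Bits32 ? "32-bit" : "unknown";
    std::printf("target: %s, matches this build: %s\n", name, same_bitness(b) ? "yes" : "no");
    return 0;
}
```

Build it with the same compiler and target flags as the tool under test so that sizeof(void*) reflects that build.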

I tried doing this, but it kept yelling at me about EnumProcessModulesEx not being defined. I looked into it, but I couldn't figure out how to fix this issue. Stranger still is that Windows.h is still being included in the file.

SDarkMagic avatar Jun 08 '21 20:06 SDarkMagic

That's weird. You might have to install a newer version of the Windows SDK and then maybe also tell GCC to use that newer version if that doesn't happen automatically.

T-vK avatar Jun 09 '21 10:06 T-vK

I tried looking into doing that, but I couldn't quite figure out how. Is there a guide for that that you could point me to by any chance?

SDarkMagic avatar Jun 09 '21 22:06 SDarkMagic

I think you just need to download an SDK installer and then install it. https://developer.microsoft.com/en-us/windows/downloads/sdk-archive/

But it might depend on what version of Windows you use and how you have installed GCC.

T-vK avatar Jun 10 '21 08:06 T-vK

So I've been tinkering with stuff trying to get this to work for a while, and I decided to have it output the current debug privilege value to the console, and apparently it's failing to set the proper privileges. I also went in and uncommented the line std::cout << "Failed to enable privilege, error:\n>> " << GetLastError() << std::endl;, and sure enough it's throwing an error 1300.

SDarkMagic avatar Jun 15 '21 18:06 SDarkMagic