模块基址其他获取方式
#include<Windows.h>
#include <stdio.h>
/* Partial, hand-declared TEB layout.  Only the leading members are listed and,
 * of those, only NtTib is read (main takes NtTib.StackBase from it); nothing
 * past NtTib is dereferenced in this file, so its exact layout is not exercised.
 * NOTE(review): ClientId is declared as a DWORD here, which does not look like
 * the documented CLIENT_ID (two pointer-sized fields) - confirm before relying
 * on any member after NtTib.  winternl.h also declares _TEB/TEB/PTEB, so
 * including it next to this definition would presumably conflict.  The tag
 * _TEB (leading underscore + capital) is a reserved identifier in standard C. */
typedef struct _TEB
{
NT_TIB NtTib;                    // the only member used: StackBase is read from it in main
PVOID EnvironmentPointer;
DWORD ClientId;                  // see note above: type/size not verified here
PVOID ActiveRpcHandle;
PVOID ThreadLocalStoragePointer;
PVOID ProcessEnvironmentBlock;   // unused here; the code below does not walk the PEB
} TEB, * PTEB;
int main() {
/* Locate the ntdll and kernel32 image bases without calling a loader API and
 * without reading the PEB loader lists.  What the code below does:
 *   1. read the TEB self-pointer from gs:[0x30] and take NtTib.StackBase;
 *   2. scan the stack downward from StackBase for bytes equal to 0x7f and
 *      treat the qword around each hit as a user-mode x64 pointer of the form
 *      0x00007fxx'xxxxxxxx (the 0x7f byte lands at bits 40-47 of that qword);
 *   3. keep the first two such values, coarsely page-align them and step
 *      down one page at a time until an "MZ" / "PE" header is found.
 * It assumes, without checking, that the two nearest such stack values point
 * into ntdll and kernel32 respectively (presumably the process start-up call
 * chain) - TODO confirm; nothing here verifies which module was actually hit.
 * Defender note: since no loader API is invoked, user-mode hooks on those
 * functions do not see this lookup; what is observable is the linear read of
 * the thread stack followed by page-by-page reads below the found pointers.
 * No bounds are applied anywhere (see the NOTE(review) lines), so a run that
 * finds fewer than two hits, or steps onto an unmapped page, faults. */
PVOID ntdllBase = NULL;
PVOID kernerl32Base = NULL;
PVOID imageBase = NULL;   // unused: never assigned or read below
/* gs:[0x30] is the x64 TEB self-pointer (NtTib.Self); it is cast to the
 * partial TEB layout declared above, of which only NtTib is read.
 * NOTE(review): x64-only - there is no 32-bit (fs-relative) path. */
PTEB tebBase =(PTEB)__readgsqword(0x30);
PVOID stackBase = tebBase->NtTib.StackBase;
/*Find Base */
int num = 0;                              // candidate pointers collected so far (0..2)
char bp[] = "test";                       // unused: not referenced anywhere in this function
DWORD64 pCur = (DWORD64)stackBase-1;      // scan cursor: starts one byte below StackBase and walks down
DWORD64 DllbaseArray[2] = { 0 };          // [0] first hit (treated as ntdll), [1] second (treated as kernel32)
/* Byte scan of the stack.  NOTE(review): there is no lower bound - pCur is never
 * compared against the stack limit, so if fewer than two 0x7f bytes exist the
 * loop reads below the committed stack and faults.  `true` is used without
 * <stdbool.h>, which presumably means this is built as C++ (MSVC) - confirm. */
while (true)
{
if (*(BYTE*)(pCur--) != '\x7f')
{
continue;
}
/* pCur was post-decremented in the test above, so pCur-0x4 is 5 bytes below
 * the matched byte: the qword read here carries that 0x7f at bits 40-47, the
 * signature of a canonical user-mode pointer 0x00007fxx'xxxxxxxx.  Bits 48-63
 * (the two bytes above the hit) are not checked, so non-pointer data that
 * happens to contain 0x7f is accepted too.  The read is unaligned. */
DllbaseArray[num] = (DWORD64)*(DWORD64 *)(pCur-0x4) ;
num++;
if (num == 2)
{
break;
}
}
/* NOTE(review): this mask clears bits 0-11 and 13-15 but keeps bit 12, so it is
 * not a plain page-align (that would be 0xFFFFFFFFFFFFF000); the result can land
 * up to 0xE000 below the real address.  The header search below only walks
 * downward, so this still works while the result stays inside the same module -
 * confirm whether 0x...F000 was intended. */
DllbaseArray[0] &= 0xFFFFFFFFFFFF1000;
DllbaseArray[1] &= 0xFFFFFFFFFFFF1000;
printf("[+]Find ntdll kernerl32 Success: 0x%llx\t0x%llx\n",DllbaseArray[0],DllbaseArray[1]);
//find ntdll Base
/* Walk down one page at a time from the first candidate until a page starts
 * with the DOS "MZ" signature and its e_lfanew points at a "PE" signature.
 * NOTE(review): '\x4D\x5A' and '\x50\x45' are multi-character constants, whose
 * value is implementation-defined, while the little-endian WORD in memory for
 * the bytes 4D 5A is 0x5A4D; the header macros IMAGE_DOS_SIGNATURE and
 * IMAGE_NT_SIGNATURE (a DWORD) are the unambiguous comparands - confirm what
 * the target compiler produces here.  Like the scan above, this loop has no
 * lower bound and dereferences every page it steps onto. */
pCur = DllbaseArray[0];
while (true) {
if (*(WORD*)pCur == '\x4D\x5A' && *(WORD*)(pCur + ((PIMAGE_DOS_HEADER)pCur)->e_lfanew) == '\x50\x45')
{
ntdllBase = (PVOID)pCur;
break;
}
pCur -= 0x1000;
}
// NOTE(review): %llx with a PVOID argument is a format/type mismatch; %p is the portable choice.
printf("[+]Find ntdll Base: 0x%llx\n", ntdllBase);
// Author's sample output from one run (presumably ntdll, then "k" = kernel32);
// ASLR makes these values differ per boot and per process.
//0x00007ffc46450000 k 0x00007FFC45D40000
pCur = DllbaseArray[1];
// Same page walk for the second candidate; the notes on the first loop apply here too.
while (true) {
if (*(WORD*)pCur == '\x4D\x5A' && *(WORD*)(pCur + ((PIMAGE_DOS_HEADER)pCur)->e_lfanew) == '\x50\x45')
{
kernerl32Base = (PVOID)pCur;
break;
}
pCur -= 0x1000;
}
// NOTE(review): %x prints only the low 32 bits of the 64-bit pointer, so this line
// misreports the base; %p (or the %llx form used above) prints the whole value.
printf("[+]Find kernerl32 Base: 0x%x\n", kernerl32Base);
return 0;
}