EXE或DLL映像基址

Question

有没有办法在C++/windows中获取exe/DLL映像基址？谢谢 :)

Answer 1

如果将二进制文件加载到您自己的进程中,则可以使用GetModuleHandle.它返回一个HMODULE,但这与HINSTANCE和基地址相同.

如果您想知道二进制文件更喜欢哪个基址,您应该读取PE头.请参阅此处并在IMAGE_OPTIONAL_HEADER中查找ImageBase字段.

编辑:GetModuleHandle(NULL)将返回当前进程的基址(尽管指定的类型为HMODULE).

Answer 2

我发现获取模块基地址（和内存中图像大小）最方便、最准确的方法是通过 GetModuleInformation（包括 psapi.h，链接到 psapi.lib）：

MODULEINFO module_info; memset(&module_info, 0, sizeof(module_info));
if (GetModuleInformation(GetCurrentProcess(), hModule, &module_info, sizeof(module_info))) {
    DWORD module_size = module_info.SizeOfImage;
    BYTE * module_ptr = (BYTE*)module_info.lpBaseOfDll;
    // ...
}

Answer 3

如果要检查磁盘上的DLL或EXE文件,请使用dumpbin实用程序.它与Visual Studio或SDK一起安装.

示例dumpbin/headers的输出:

FILE HEADER VALUES
     14C machine (i386)
       6 number of sections
306F7A22 time date stamp Sun Oct 01 22:35:30 1995
       0 file pointer to symbol table
     1D1 number of symbols
      E0 size of optional header
     302 characteristics
            Executable
            32 bit word machine
            Debug information stripped

OPTIONAL HEADER VALUES
     10B magic #
    2.60 linker version
    1E00 size of code
    1E00 size of initialized data
       0 size of uninitialized data
    1144 address of entry point
    1000 base of code
    3000 base of data
         ----- new -----
 **2BB0000 image base**  <--- This is what you are looking for
    1000 section alignment
     200 file alignment
       3 subsystem (Windows CUI)
    4.00 operating system version
    4.00 image version
    3.50 subsystem version
    8000 size of image
     400 size of headers
    62C8 checksum
  100000 size of stack reserve
    1000 size of stack commit
  100000 size of heap reserve
    1000 size of heap commit
       0 [       0] address [size] of Export Directory
    5000 [      3C] address [size] of Import Directory
    6000 [     394] address [size] of Resource Directory
       0 [       0] address [size] of Exception Directory
       0 [       0] address [size] of Security Directory
    7000 [     21C] address [size] of Base Relocation Directory
    3030 [      38] address [size] of Debug Directory
       0 [       0] address [size] of Description Directory
       0 [       0] address [size] of Special Directory
       0 [       0] address [size] of Thread Storage Directory
       0 [       0] address [size] of Load Configuration Directory
     268 [      44] address [size] of Bound Import Directory
    50A0 [      64] address [size] of Import Address Table Directory
       0 [       0] address [size] of Reserved Directory
       0 [       0] address [size] of Reserved Directory
       0 [       0] address [size] of Reserved Directory

SECTION HEADER #1
   .text name
    1D24 virtual size
    1000 virtual address
    1E00 size of raw data
     400 file pointer to raw data
       0 file pointer to relocation table
    3C20 file pointer to line numbers
       0 number of relocations
     37E number of line numbers
60000020 flags
         Code
         (no align specified)
         Execute Read

Answer 4

如果您想从 DLL/EXE 中获取自己的 ImageBase 地址，那么如何：

#include <winnt.h>

EXTERN_C IMAGE_DOS_HEADER __ImageBase;