QB64.org Forum

Active Forums => QB64 Discussion => Topic started by: SpriggsySpriggs on February 18, 2021, 01:04:57 pm

Title: NOVARSEG, you wanted addresses of DLLs?
Post by: SpriggsySpriggs on February 18, 2021, 01:04:57 pm

@NOVARSEG

I seem to recall from a few months back you mentioned that you wanted a way to retrieve the addresses of the DLLs in memory. I have some code that I wrote up here that will find those base addresses for you. This sample will only retrieve the addresses for the current process, the exe itself. If you want to find addresses from another process then you will need to change the zero in the function call of the CreateToolhelp32Snapshot%& to the PID of the process you want.

A screenshot of sample output:
  [ This attachment cannot be displayed inline in 'Print Page' view ]  

And the code:

Code: QB64: [Select]

1. Option _Explicit
2. $Console:Only
3. _Dest _Console
4.  
5. $If VERSION < 1.5 Then
6.     $ERROR Must be v1.5 or greater to compile
7. $End If
8.  
9. Type MODULEENTRY32
10.     dwSize As Long
11.     th32ModuleID As Long
12.     th32ProcessID As Long
13.     GlblcntUsage As Long
14.     ProccntUsage As Long
15.     $If 64BIT Then
16.         padding As Long
17.     $End If
18.     modBaseAddr As _Offset
19.     modBaseSize As Long
20.     $If 64BIT Then
21.         padding2 As Long
22.     $End If
23.     hModule As _Offset
24.     szModule As String * 256
25.     $If 64BIT Then
26.         padding3 As Long
27.     $End If
28.     szExePath As String * 260
29. End Type
30.  
31. Const TH32CS_INHERIT = &H80000000
32. Const TH32CS_SNAPHEAPLIST = &H00000001
33. Const TH32CS_SNAPMODULE = &H00000008
34. Const TH32CS_SNAPMODULE32 = &H00000010
35. Const TH32CS_SNAPPROCESS = &H00000002
36. Const TH32CS_SNAPTHREAD = &H00000004
37. Const TH32CS_SNAPALL = TH32CS_SNAPHEAPLIST Or TH32CS_SNAPMODULE Or TH32CS_SNAPPROCESS Or TH32CS_SNAPTHREAD
38.  
39. Const TOM_TRUE = -1
40. Const TOM_FALSE = 0
41.  
42. Const MAX_MODULE_NAME32 = 255
43. Const MAX_PATH = 260
44.  
45. Declare Dynamic Library "Kernel32"
46.     Function CreateToolhelp32Snapshot%& (ByVal dwFlags As Long, Byval th32ProcessID As Long)
47.     Function Module32First% (ByVal hSnapshot As _Offset, Byval lpme As _Offset)
48.     Function Module32Next% (ByVal hSnapshot As _Offset, Byval lpme As _Offset)
49.     Function CloseHandle% (ByVal hObject As _Offset)
50.     Function GetLastError& ()
51. End Declare
52.  
53. 'Declare Library
54. '    Function getpid& ()
55. 'End Declare
56.  
57. Dim As _Offset hProcessSnap
58. Dim As MODULEENTRY32 me
59. Dim As Integer ret
60.  
61. hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, 0)
62. 'Print hProcessSnap, getpid
63.  
64. me.dwSize = Len(me)
65.  
66. ret = Module32First(hProcessSnap, _Offset(me))
67. 'Print GetLastError
68.  
69. While ret <> 0
70.     Print me.modBaseAddr, me.szModule
71.     ret = Module32Next(hProcessSnap, _Offset(me))
72. Wend
73. Dim As Integer closeh
74. closeh = CloseHandle(hProcessSnap)
75. Sleep

Title: Re: NOVARSEG, you wanted addresses of DLLs?
Post by: SMcNeill on February 18, 2021, 05:06:31 pm

One suggestions Spriggsy -- you want want to get in the habit of making your padding AS STRING * SIZE.  Here, it's not going to matter as it's just unused padding, but getting in the habit might keep things standardized for you in the future if you need some odd size padding. 

Say for example that the data structure is an integer, then a byte, then a long....   You'd need padding after that byte, and it'd need to be 5 characters worth.  Can't use a LONG for that, but if you're in the auto-habit of typing PaddingX AS LONG, your brain might automatically insert that into your code, and then you'd have the dangest time finding and fixing that type of glitch as your eyes will just skip over it, as your brain assures you, you've already made the adjustment there...   (Trust me, I speak from experience, as I've spent many an hour not being able to find such a simple problem in my own code!)

What variable type you use for the space isn't really going to matter to the code -- be it 4 bytes, 2 integers, 1 long, a single, or a string * 4 -- but the habit of typing out the length manually might save you some serious debugging issues in the future.  (And besides, it'd allow for an uniform padding syntax so all the code ends up looking the same.)   ;)

Title: Re: NOVARSEG, you wanted addresses of DLLs?
Post by: SpriggsySpriggs on February 18, 2021, 07:48:32 pm

@SMcNeill

I purposely checked the struct size and variable sizes beforehand and made sure the padding went to the right spot. I choose to use a long so far because, so far, I've been only needing 4 bytes in those spots. If I need some strange padding size then I might use string. But since I know I needed 4 bytes in each spot it was logical to use the long. But yeah, I've been printing out struct sizes in C++ to find the size of the struct and size of each variable in the type. Of course, the next logical step would be to print the offset of each variable in the struct to see where each one starts. This would tell the exact number of bytes in-between each variable.

Text Only | Text with Attachments