Finding the BaseAddress when ASLR is enabled

Page 1 of 2, results 1 to 15 of 24
  1. #1 ptr51 (Private)

    Ok, so first a sanity check that I got all this right.

    It works like this (correct me if I'm wrong, trying to make sure I got this right):

    1. The offsets found by people in http://www.mmowned.com/forums/world-...mp-thread.html
    labelled "not rebased" mean that they are offsets grabbed from IDA and have a 0x400000 offset added. So you need to subtract 0x400000 to rebase it to 0x0 for it to be usable.

    2. On older versions of Windows, ASLR is not used and you just add 0x1000 to a base 0x0 offset in order to skip the PE header and it should fly.

    3. On Windows versions where ASLR is used, you need to get this dynamic offset somehow and rebase the addresses with that.

    And now the question:
    How do you get the dynamic ASLR offset using C++/Win32? I can't for the life of me find it anywhere on this forum.

    Using .NET it seems you just use the ProcessModule.BaseAddress function, but what would be the equivalent Win32 API way of doing it?

    Some people say GetModuleHandle could get you this value if you load the module into your address space; I can't find a sample, but I figure it's meant to be like this:

    Code:
    LoadLibrary("D:\\games\\World of Warcraft_\\Wow.exe");
    HMODULE baseAddress = GetModuleHandle("D:\\games\\World of Warcraft_\\Wow.exe");

    While that works, the returned handle of GetModuleHandle seems no good. It does return and works all right, but if I compare it to the value I get when I run a C# ProcessModule.BaseAddress app, it's not the same.

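Added example (not from this thread or any of its posters): the rebase arithmetic from steps 1-3 above, done against the preferred ImageBase read out of the PE optional header instead of a hard-coded 0x400000, together with the DllCharacteristics check that tells you whether the image opted in to ASLR at all (the /DYNAMICBASE linker switch). It is plain C with the handful of PE fields declared by hand so it builds without windows.h; the PE header bytes and the 0x00E30000 "actual" load address are constructed for the example. In a live Windows process you would point pe_parse at the address GetModuleHandle(NULL) returns (an HMODULE is the image base, where the DOS header lives) and pass that same address as actual_base.

```c
/* Added example: rebase an IDA address against a module's real load address
 * and detect whether the image is ASLR-enabled. No <windows.h>; the PE
 * offsets below are from the PE/COFF spec. Sample image is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PE_DYNAMIC_BASE    0x0040u      /* IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE */
#define DOS_E_LFANEW_OFF   0x3C         /* IMAGE_DOS_HEADER.e_lfanew */
#define NT_SIG             0x00004550u  /* "PE\0\0" */
#define OPT_HDR_OFF        24           /* 4-byte signature + 20-byte COFF header */
#define OPT_MAGIC_PE32     0x10B
#define OPT_IMAGEBASE_OFF  28           /* PE32 only; PE32+ keeps 8 bytes at 24 */
#define OPT_DLLCHARS_OFF   70

struct pe_info {
    uint32_t image_base;          /* OptionalHeader.ImageBase (preferred base) */
    uint16_t dll_characteristics; /* OptionalHeader.DllCharacteristics */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the headers of a PE32 image in memory. Returns 0 on success, -1 if the
 * buffer is too short, not MZ/PE, or a PE32+ (64-bit) image. */
int pe_parse(const uint8_t *img, size_t len, struct pe_info *out)
{
    if (len < DOS_E_LFANEW_OFF + 4 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t nt = rd32(img + DOS_E_LFANEW_OFF);
    if (nt > len || len - nt < OPT_HDR_OFF + OPT_DLLCHARS_OFF + 2) return -1;
    if (rd32(img + nt) != NT_SIG) return -1;
    const uint8_t *opt = img + nt + OPT_HDR_OFF;
    if (rd16(opt) != OPT_MAGIC_PE32) return -1;
    out->image_base = rd32(opt + OPT_IMAGEBASE_OFF);
    out->dll_characteristics = rd16(opt + OPT_DLLCHARS_OFF);
    return 0;
}

/* 1 if the loader is allowed to relocate this image (ASLR opted in), else 0. */
int pe_has_aslr(const struct pe_info *pi)
{
    return (pi->dll_characteristics & PE_DYNAMIC_BASE) != 0;
}

/* IDA shows the image at its preferred base; convert one of its addresses to
 * the address inside a process that loaded the module at actual_base. */
uint32_t rebase(uint32_t ida_addr, uint32_t preferred_base, uint32_t actual_base)
{
    return ida_addr - preferred_base + actual_base;   /* RVA + actual_base */
}

/* Constructed minimal PE32 header: MZ stub, e_lfanew = 0x40, PE signature,
 * zeroed COFF header, optional header with ImageBase 0x400000 and DYNAMIC_BASE. */
static uint8_t sample_image[0x40 + 4 + 20 + 96];

const uint8_t *build_sample(size_t *len)
{
    memset(sample_image, 0, sizeof sample_image);
    sample_image[0] = 'M'; sample_image[1] = 'Z';
    sample_image[DOS_E_LFANEW_OFF] = 0x40;
    uint8_t *nt = sample_image + 0x40;
    nt[0] = 'P'; nt[1] = 'E';
    uint8_t *opt = nt + OPT_HDR_OFF;
    opt[0] = 0x0B; opt[1] = 0x01;               /* Magic = PE32 */
    opt[OPT_IMAGEBASE_OFF + 2] = 0x40;          /* ImageBase = 0x00400000 (LE) */
    opt[OPT_DLLCHARS_OFF] = PE_DYNAMIC_BASE;    /* ASLR opted in */
    *len = sizeof sample_image;
    return sample_image;
}

int main(void)
{
    size_t n;
    const uint8_t *img = build_sample(&n);
    struct pe_info pi;
    if (pe_parse(img, n, &pi) != 0) { puts("not a PE32 image"); return 1; }
    uint32_t actual_base = 0x00E30000u;   /* assumed: what GetModuleHandle(NULL)/Toolhelp reported */
    printf("preferred 0x%08X, ASLR %s, IDA 0x00B2C3D4 -> 0x%08X\n",
           pi.image_base, pe_has_aslr(&pi) ? "on" : "off",
           rebase(0x00B2C3D4u, pi.image_base, actual_base));
    return 0;
}
```

If the image is not ASLR-enabled the loader maps it at image_base whenever that range is free, so rebase() returns the IDA address unchanged; with the flag set you must read actual_base from the live process every run. The parser deliberately rejects PE32+ (64-bit) images rather than misreading them, since their ImageBase is 8 bytes wide at a different offset.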
  2. #2 Cypher (Kynox's Sister's Pimp)
    If you're injected:
    GetModuleHandle(NULL);

    If you're external:
    CreateToolhelp32Snapshot and Module32First/Module32Next

    P.S. The reason the call to GetModuleHandle is broken is probably because you're calling LoadLibrary on WoW... Why would you do that??

  3. #3 Azzie2k8 (Member)
    I think it is 0x400000

    That code here is actually from someone else; if someone knows who it was I will credit him ASAP, but I am using it and it works. btw not the best style but wth

    Code:
    #include <windows.h>
    #include <tlhelp32.h>

    class Base
    {
    private:
    	static DWORD_PTR GetModuleBaseAddress(DWORD iProcId, const WCHAR* DLLName);
    public:
    	static DWORD_PTR Rebase(DWORD_PTR Offset);
    };

    DWORD_PTR Base::Rebase(DWORD_PTR Offset)
    {
    	// Offset is a 0-based (rebased) offset; add the live base of wow.exe.
    	return Offset + GetModuleBaseAddress(GetCurrentProcessId(), L"wow.exe");
    }

    DWORD_PTR Base::GetModuleBaseAddress(DWORD iProcId, const WCHAR* DLLName)
    {
    	// Snapshot of the modules loaded in the target process. SNAPMODULE32 is
    	// needed as well to see 32-bit modules from a 64-bit caller on WoW64.
    	HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, iProcId);
    	if (hSnap == INVALID_HANDLE_VALUE)
    		return 0; // No such process, access denied, or snapshot raced with a load; retry/GetLastError.

    	MODULEENTRY32W xModule; // Module information structure (wide-char version, to match the L"" name).
    	xModule.dwSize = sizeof(xModule); // Needed for Module32First/Next to work.
    	DWORD_PTR base = 0;

    	// The first entry is always the process's main executable, so for the
    	// EXE itself Module32First alone would do; the loop handles any DLL too.
    	if (Module32FirstW(hSnap, &xModule)) // Gets the first module.
    	{
    		do
    		{
    			if (lstrcmpiW(xModule.szModule, DLLName) == 0) // If this is the module we want...
    			{
    				base = (DWORD_PTR)xModule.modBaseAddr; // ...remember the base address.
    				break;
    			}
    		} while (Module32NextW(hSnap, &xModule)); // Loops through the rest of the modules.
    	}

    	CloseHandle(hSnap); // Free the handle on every path.
    	return base; // 0 means the module was not found.
    }

  4. #4 Cypher (Kynox's Sister's Pimp)
    Originally Posted by Azzie2k8
    I think it is 0x400000

    That code here is actually from someone else, if someone knows who it was I will credit him ASAP but I am using it and it works. btw not the best style but wth

    [quoted code from post #3 snipped]
    I feel like my IQ went down just by reading that.

  5. #5 Azzie2k8 (Member)
    Originally Posted by Cypher
    I feel like my IQ went down just by reading that.
    Mind explaining? I am not using it anymore since I am injected, but what is so wrong about it? I mean, okay, it was a temporary class implementation, but the GetModuleBaseAddress function should still work. Calling this from inside is not that smart of course, but still, I feel like GetModuleBaseAddress is okay if you are out of process?
    Last edited by Azzie2k8; 12-16-2010 at 07:28 AM.

  6. #6 ptr51 (Private)
    Thanks both of you for your help, this was what i was looking for.

  7. #7 jjaa (Contributor)
    In C# injected, you can do:

    Code:
    Process.GetCurrentProcess().MainModule.BaseAddress
    Out of process, it should be the same API (without the current-process function, obviously).

  8. #8 dook123 (Active Member)
    Originally Posted by jjaa
    In C# injected, you can do:

    Code:
    Process.GetCurrentProcess().MainModule.BaseAddress
    Out of process, it should be the same API (without the current-process function, obviously).
    Excellent. Is there any reading on why this changed? Or anyone with a quick answer?
    ------------------------------
    If not me than who?

  9. #9 _Mike (Contributor)
    Originally Posted by dook123
    Excellent. Is there any reading on why this changed? Or anyone with a quick answer?
    Why what changed? Do you mean why you can't use GetCurrentProcess() if you're not injected? Isn't that obvious?

  10. #10 dook123 (Active Member)
    Originally Posted by _Mike
    Why what changed? Do you mean why you can't use GetCurrentProcess() if you're not injected? Isn't that obvious?
    Sorry, no, I should have explained myself. That is obvious. What I don't know is why we suddenly have offsets that are rebased or whatever. Was it static before and now needs the base offset in memory, and why did it change, if anyone knows?

  11. #11 mnbvc (Banned)
    Originally Posted by dook123
    Sorry, no, I should have explained myself. That is obvious. What I don't know is why we suddenly have offsets that are rebased or whatever. Was it static before and now needs the base offset in memory, and why did it change, if anyone knows?
    I guess nobody knows...

  12. #12 dook123 (Active Member)
    Originally Posted by mnbvc
    I guess nobody knows...
    Correct as usual

  13. #13 Robske (Contributor)
    I think he's asking why Blizzard opted to use ASLR.

    meh
    "Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live." - Martin Golding
    "I cried a little earlier when I had to poop" - Sku

  14. #14 amadmonk (Active Member)
    Let's see, ASLR is a simple compile-time switch that costs Blizzard almost nothing, and which makes life harder for most of the clueless bot writers (i.e., almost everybody).

    No... no idea why they'd want to do that at all. :confused:
    Don't believe everything you think.

  15. #15 Robske (Contributor)
    Originally Posted by amadmonk
    Let's see, ASLR is a simple compile-time switch that costs Blizzard almost nothing, and which makes life harder for most of the clueless bot writers (i.e., almost everybody).

    No... no idea why they'd want to do that at all. :confused:
    There's addition and stuff, so scary!
