通过PEB获取模块基址

PEB结构

typedef struct _PEB { // Size: 0x1D8/*000*/ UCHAR InheritedAddressSpace;/*001*/ UCHAR ReadImageFileExecOptions;/*002*/ UCHAR BeingDebugged;/*003*/ UCHAR SpareBool; // Allocation size/*004*/ HANDLE Mutant;/*008*/ HINSTANCE ImageBaseAddress; // Instance/*00C*/ VOID *DllList;/*010*/ PPROCESS_PARAMETERS *ProcessParameters;/*014*/ ULONG SubSystemData;/*018*/ HANDLE DefaultHeap;/*01C*/ KSPIN_LOCK FastPebLock;/*020*/ ULONG FastPebLockRoutine;/*024*/ ULONG FastPebUnlockRoutine;/*028*/ ULONG EnvironmentUpdateCount;/*02C*/ ULONG KernelCallbackTable;/*030*/ LARGE_INTEGER SystemReserved;/*038*/ ULONG FreeList;/*03C*/ ULONG TlsExpansionCounter;/*040*/ ULONG TlsBitmap;/*044*/ LARGE_INTEGER TlsBitmapBits;/*04C*/ ULONG ReadOnlySharedMemoryBase;/*050*/ ULONG ReadOnlySharedMemoryHeap;/*054*/ ULONG ReadOnlyStaticServerData;/*058*/ ULONG AnsiCodePageData;/*05C*/ ULONG OemCodePageData;/*060*/ ULONG UnicodeCaseTableData;/*064*/ ULONG NumberOfProcessors;/*068*/ LARGE_INTEGER NtGlobalFlag; // Address of a local copy/*070*/ LARGE_INTEGER CriticalSectionTimeout;/*078*/ ULONG HeapSegmentReserve;/*07C*/ ULONG HeapSegmentCommit;/*080*/ ULONG HeapDeCommitTotalFreeThreshold;/*084*/ ULONG HeapDeCommitFreeBlockThreshold;/*088*/ ULONG NumberOfHeaps;/*08C*/ ULONG MaximumNumberOfHeaps;/*090*/ ULONG ProcessHeaps;/*094*/ ULONG GdiSharedHandleTable;/*098*/ ULONG ProcessStarterHelper;/*09C*/ ULONG GdiDCAttributeList;/*0A0*/ KSPIN_LOCK LoaderLock;/*0A4*/ ULONG OSMajorVersion;/*0A8*/ ULONG OSMinorVersion;/*0AC*/ USHORT OSBuildNumber;/*0AE*/ USHORT OSCSDVersion;/*0B0*/ ULONG OSPlatformId;/*0B4*/ ULONG ImageSubsystem;/*0B8*/ ULONG ImageSubsystemMajorVersion;/*0BC*/ ULONG ImageSubsystemMinorVersion;/*0C0*/ ULONG ImageProcessAffinityMask;/*0C4*/ ULONG GdiHandleBuffer[0x22];/*14C*/ ULONG PostProcessInitRoutine;/*150*/ ULONG TlsExpansionBitmap;/*154*/ UCHAR TlsExpansionBitmapBits[0x80];/*1D4*/ ULONG SessionId;} PEB, *PPEB;

PEB_LDR_DATA结构

typedef struct _PEB_LDR_DATA{　ULONG Length; // +0x00　BOOLEAN Initialized; // +0x04　PVOID SsHandle; // +0x08　LIST_ENTRY InLoadOrderModuleList; // +0x0c　LIST_ENTRY InMemoryOrderModuleList; // +0x14　LIST_ENTRY InInitializationOrderModuleList;// +0x1c} PEB_LDR_DATA,*PPEB_LDR_DATA; // +0x24

LDR_DATA_TABLE_ENTRY 结构

typedef struct _LDR_DATA_TABLE_ENTRY  {      LIST_ENTRY InLoadOrderLinks;      LIST_ENTRY InMemoryOrderLinks;      LIST_ENTRY InInitializationOrderLinks;      PVOID DllBase;      PVOID EntryPoint;      DWORD SizeOfImage;      UNICODE_STRING FullDllName;      UNICODE_STRING BaseDllName;      DWORD Flags;      WORD LoadCount;      WORD TlsIndex;      LIST_ENTRY HashLinks;      PVOID SectionPointer;      DWORD CheckSum;      DWORD TimeDateStamp;      PVOID LoadedImports;      PVOID EntryPointActivationContext;      PVOID PatchInformation;  }LDR_DATA_TABLE_ENTRY,*PLDR_DATA_TABLE_ENTRY;  

获取模块的基址代码

void _getModuleBaseAddr(){    void *PEB = NULL,        *Ldr = NULL,        *Flink = NULL,        *p = NULL,        *BaseAddress = NULL,        *FullDllName = NULL;    __asm    {        mov eax, fs:[0x30]        mov PEB, eax    }    Ldr = (PVOID)*((PDWORD)((DWORD)PEB + 0x0c));    Flink = (PVOID)*((PDWORD)((DWORD)Ldr + 0x14));    p = Flink;    do    {        BaseAddress = (PVOID)*((PDWORD)((DWORD)p + 0x10));        FullDllName = (PVOID)*((PDWORD)((DWORD)p + 0x20));        wprintf(L"FullDllName is %s\n", FullDllName);        printf("BaseAddress is %x\n", BaseAddress);        p = (PVOID)*((PDWORD)p);    } while (Flink != p);}