Question

I have just been getting into low-level programming (reading/writing to memory, that sort of thing) and have run into an issue I cannot find an answer to.

The piece of information I want to read from has an address that is relative to a DLL loaded in memory, e.g. it is at mydll.dll + 0x01234567. The problem I'm having is that the DLL moves around in memory but the offset stays the same. Is there any way to find out the location of this DLL in memory?

I am currently trying to do this preferably in C#, but I would be grateful for help in most highish-level languages.

Solution

I tried the method Rob Walker suggested and could not get it to work (I think it did not work because the DLL was loaded as part of another executable, so it could not be found so easily).

I did, however, discover a solution that worked for me, so here it is:

I created an object of type Process:

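using System.Diagnostics;

// Name of the process that loaded the DLL (without the .exe extension)
String appToHookTo = "applicationthatloadedthedll";
Process[] foundProcesses = Process.GetProcessesByName(appToHookTo);
// Modules (the EXE and its DLLs) loaded into the first matching process
ProcessModuleCollection modules = foundProcesses[0].Modules;
ProcessModule dllBaseAdressIWant = null;
foreach (ProcessModule i in modules) {
    // Match on the module's file name, e.g. "mydll.dll"
    if (i.ModuleName == "nameofdlliwantbaseadressof") {
        dllBaseAdressIWant = i;
    }
}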

Now that you have the module, you can just do dllBaseAdressIWant.BaseAddress to get the value.

Hope this helps

OTHER TIPS

From a Win32 perspective you need to use the GetModuleHandle and GetModuleInformation functions. These let you look the module handle up by name, and then retrieve information, including the base address, about that handle.

It should be straightforward to wrap these APIs using the standard P/Invoke wrappers.
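
An added example, not part of the original answers, of wrapping the two Win32 calls named above with P/Invoke. GetModuleHandle only finds modules loaded in the calling process, so this resolves "module + offset" inside the current process and rejects offsets outside the mapped image; the names ModuleBase and Resolve and the kernel32.dll + 0x1000 sample are assumptions chosen for illustration.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;

static class ModuleBase   // hypothetical helper class, not from the page
{
    [StructLayout(LayoutKind.Sequential)]
    struct MODULEINFO
    {
        public IntPtr lpBaseOfDll;   // load address of the module
        public uint SizeOfImage;     // size of the mapped image in bytes
        public IntPtr EntryPoint;
    }

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr GetModuleHandle(string lpModuleName);

    [DllImport("psapi.dll", SetLastError = true)]
    static extern bool GetModuleInformation(IntPtr hProcess, IntPtr hModule,
                                            out MODULEINFO lpmodinfo, uint cb);

    // Resolve "module + offset" to an absolute address in the calling process.
    public static IntPtr Resolve(string moduleName, long offset)
    {
        IntPtr hModule = GetModuleHandle(moduleName);
        if (hModule == IntPtr.Zero)   // module not loaded in this process
            throw new Win32Exception(Marshal.GetLastWin32Error());

        IntPtr hProcess = Process.GetCurrentProcess().Handle;
        MODULEINFO info;
        if (!GetModuleInformation(hProcess, hModule, out info,
                                  (uint)Marshal.SizeOf(typeof(MODULEINFO))))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        // The base changes between runs; the offset must stay inside the image.
        if (offset < 0 || offset >= info.SizeOfImage)
            throw new ArgumentOutOfRangeException(nameof(offset));

        return new IntPtr(info.lpBaseOfDll.ToInt64() + offset);
    }

    static void Main()
    {
        // kernel32.dll is a constructed sample: it is loaded in every Win32 process.
        IntPtr address = Resolve("kernel32.dll", 0x1000);
        Console.WriteLine("kernel32.dll + 0x1000 = 0x" + address.ToInt64().ToString("X"));
    }
}
```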

Licensed under: CC-BY-SA with attribution