Home/ Questions/Q 3850588
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-19T17:01:57+00:00

The following is a part of a debugger class. I’ve got the following code

  • 0

The following is a part of a debugger class. I’ve got the following code for enumerating processes in debugee. First it enumerates and loads handles of the existing debugee’s processes into an array. Then I’m trying to get an address of particular function in particular module. In this case i’m trying to get address of printf() out of msvcr100.dll


def enumerate_module(self,pid):



    lphModule = (c_void_p * 1024)()
    lpcbNeeded = c_ulong(0)

    if psapi.EnumProcessModules(self.h_process,lphModule,sizeof(c_void_p)*1024, byref(lpcbNeeded)):
        print "[*] EnumProcessModules: %d modules detected" % int(lpcbNeeded.value / sizeof(c_void_p))
        for i in range(int(lpcbNeeded.value / sizeof(c_void_p))):
            FileName = ""
            ReadBuffer = create_string_buffer(MAX_PATH)
            psapi.GetModuleFileNameExA(self.h_process,lphModule[i],ReadBuffer,MAX_PATH)
            FileName += ReadBuffer.value
            print "[*] %d - 0x%08x - %s" % (i,lphModule[i],FileName)
        address = kernel32.GetProcAddress(lphModule[3],"printf")
        if address == False:
            error = GetLastError()
            print "[*] GetProcAddress() ERROR: %d - %s" % (error, FormatError(error))    
        print "[**] Getting printf() address is: 0x%008x" % address
        return True
    else:
        error = GetLastError()
        print "[*] GetModuleHandleA: %d - %s" % (error, FormatError(error))
        return False





For some odd reason I cannot get it to work. GetPorcAddress() returns:


ERROR: 126 - The specified module could not be found.



Any ideas???



PS.
This might clarify my question a little:
Script output



Enter the PID of the process to attach to: 2476
Opening process: 2476
[*] DebugActiveProcess: 0 - The operation completed successfully.
[*] EnumProcessModules: 4 modules detected
[*] 0 - 0x00400000 - printf.exe
[*] 1 - 0x7c900000 - ntdll.dll
[*] 2 - 0x7c800000 - kernel32.dll
[*] 3 - 0x78aa0000 - MSVCR100.dll
[*] GetProcAddress() ERROR: 126 - The specified module could not be found.
[**] Getting printf() address is: 0x00000000
[*] Finished debugging. Exitng...



As you can see msvcr100.dll is loaded at 0x78aa0000. As far as I understand

it should have printf() within its address spaces, where I should be able to

get its address. Moreover, I loaded up printf.exe in OllyDbg and it showed the same

thing that you see on my script's output, and I was able to see printf() in

msvcr100.dll's exports list.
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    GetProcAddress gets the address of a function in a DLL loaded in your process, not in a different process. You should check out the Debug Help Library.

    Per your request about GetProcAddress, my references:

    GetProcAddress

    hModule [in]
    A handle to the DLL module that contains the function or variable. The LoadLibrary, LoadLibraryEx, or GetModuleHandle function returns this handle.

    LoadLibrary

    Loads the specified module into the address space of the calling process….

    LoadLibraryEx

    Loads the specified module into the address space of the calling process….

    GetModuleHandle

    Retrieves a module handle for the specified module. The module must have been loaded by the calling process.

    • 0