Process Module Base Address not Being Obtained

[SDarkMagic]

So I'm trying to use this module, (specifically the GCC branch) and whenever I try to use the GetModuleBase function, it always returns -1. I have tried it with the example2 program, and it still has the same issue. If this is just me being dumb, please let me know, and if you don't feel like fixing it, do you have any other modules that you could recommend to use instead of this one?

[T-vK]

I think I saw another C++ library that was similar to this one, but I can't find it anymore.

Did you run your program with admin privileges?
You mention you used example2. Did you ensure that there is a process that is called notepad.exe?

[SDarkMagic]

Yes, I have tried running as admin, and yes I have a process called notepad.exe

[T-vK]

You should check GetLastError after every function call and post the results here.
Also, can you make sure that Memory.GetProcessId returns a valid process id and that OpenProcess retuirns a valid process handle?
Also, please check if Memory.GetDebugPrivileges successfully enables SeDebugPrivilege on your process. This can be done using https://github.com/processhacker/processhacker

[SDarkMagic]

SeDebugPrivelege gets enabled successfully. Memory.GetProcessId also functions correctly and returns a valid process ID, same goes for OpenProcess. When I run GetLastError it returns 0 up through Memory.GetModuleBase, upon which it starts to return 299.

[T-vK]

I think the error comes from EnumProcessModules. You could try replacing all occurrences of EnumProcessModules with EnumProcessModulesEx which has an additional parameter (the 5th parameter) which can be used to specify what kinds of modules to enumerate. Possible values for this parameter are:

• LIST_MODULES_32BIT
• LIST_MODULES_64BIT
• LIST_MODULES_ALL
• LIST_MODULES_DEFAULT

Try if one of these fix the issue.

More info on EnumProcessModulesEx can be found here: https://docs.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-enumprocessmodulesex

I think it's possible that notepad.exe used to be 32-bit at the time I tested this and that it's now 64-bit and thus doesn't work anymore by simply using EnumProcessModules, but I don't know for sure.

[SDarkMagic]

I tried doing this, but it kept yelling at me about EnumProcessModulesEx not being defined. I looked into it, but I couldn't figure out how to fix this issue. Stranger still is that Windows.h is still being included in the file.

[T-vK]

That's weird. You might have to install a newer version of the Windows SDK and then maybe also tell GCC to use that newer version if that doesn't happen automatically.

[SDarkMagic]

I tried looking into doing that, but I couldn't quite figure out how. Is there a guide for that that you could point me to by any chance?

[T-vK]

I think you just need to download an SDK installer and then install it.
https://developer.microsoft.com/en-us/windows/downloads/sdk-archive/

But it might depend on what version of Windows you use and how you have installed GCC.

[SDarkMagic]

So I've been tinkering with stuff trying to get this to work for a while, and I decided to have it output the current debug privelege value to the console, and apparently it's failing to set the proper priveleges. I also went in and uncomment the line std::cout << "Failed to enable privilege, error:\n>> " << GetLastError() << std::endl;, and sure enough it's throwing an error 1300.