Hi,
I have studied BitBlaze for a while, then I saw your paper "DroidScope: Seamlessly Reconstructing OS and Dalvik Semantic Views for Dynamic Android Malware Analysis", and I downloaded the DECAF source code. However, I have been learning the i386 platform, so I compiled the source code for the i386 platform, and I have been trying to write some plugins based on the given plugin example. When I want to analyze a process in Win XP, I want to get the image base address dynamically. I tried to use the parameter of the "loadmainmodule_callback"-like function, procmod_Callback_Params, and its member lm.base, but the value is obviously not the image base address. Then I tried to use the function locate_module_byname() in procmod.cpp with the two parameters set to targetname and targetpid, but the returned tmodinfo_t is NULL. I also tried to use the function get_proc_modules() in procmod.cpp to get all the modules of the process whose pid is targetpid, and then tried to find the main module in the returned old_modinfo_t[]; however, it still failed.
Can you give me some hints about how to get the process's image base address?
Thank you very much.
On Wednesday, January 30, 2013 at 1:03:42 AM UTC+8, Heng Yin wrote: