Change Module Base Address at Runtime

Created the Monday 18 July 2022. Updated 8 months, 1 week ago.

It is possible to change the DllBase of a module at runtime. This can trick debugging and analysis tools such as IDA or Cheat Engine into thinking a module's base is actually at another address.

This is achieved by accessing the process PEB's member 'Ldr', in particular it has a member InOrderMemoryLinks which we can iterate through to get a list of the process's modules. On each iteration we get a PLDR_DATA_TABLE_ENTRY structure to work with which contains a member PVOID DllBase, that can be overwritten with the new module base address.

Technique Identifier

U1239

Code Snippets

#include <Windows.h>
#include <Winternl.h>
#include <stdint.h>

bool ChangeModuleDllBase(const wchar_t* szModule, uint64_t newAddress)
{
	PPEB PEB = (PPEB)__readgsqword(0x60);
	_LIST_ENTRY* f = PEB->Ldr->InMemoryOrderModuleList.Flink;
	bool Found = FALSE;
	int count = 0;

	while (!Found && count < 256)
	{
		PLDR_DATA_TABLE_ENTRY dataEntry = CONTAINING_RECORD(f, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);

		if (wcsstr(dataEntry->FullDllName.Buffer, szModule))
		{
			dataEntry->DllBase = (PVOID)newAddress;
			Found = TRUE;
			return true;
		}

		f = dataEntry->InMemoryOrderLinks.Flink;
		count++;
	}

	return false;
}

int main()
{
    ChangeModuleDllBase(L"YourProgram.exe", 0x123456789);
    return 0;
}