Change Module Base Address at Runtime

Created on Monday 18 July 2022. Updated 3 weeks, 4 days ago.

It is possible to change the DllBase of a module at runtime. This can trick debugging and analysis tools such as IDA or Cheat Engine into thinking a module’s base is actually at another address.

This is achieved by accessing the ‘Ldr’ member of the process PEB. Its InMemoryOrderModuleList member can be iterated to enumerate the process’s modules. Each iteration yields a PLDR_DATA_TABLE_ENTRY structure, which contains a member PVOID DllBase that can be overwritten with the new module base address.


Technique Identifier

U1239


Code Snippets

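#include <Windows.h>
#include <Winternl.h>
#include <stdint.h>
#include <wchar.h>

// Overwrites the DllBase recorded in the loader data for the first module whose
// full path contains szModule. x64 only: the PEB pointer is read from gs:[0x60].
bool ChangeModuleDllBase(const wchar_t* szModule, uint64_t newAddress)
{
	PPEB PEB = (PPEB)__readgsqword(0x60);
	PLIST_ENTRY head = &PEB->Ldr->InMemoryOrderModuleList;

	// The module list is circular: stop once the walk is back at the list head,
	// which is not embedded in an LDR_DATA_TABLE_ENTRY.
	for (PLIST_ENTRY f = head->Flink; f != head; f = f->Flink)
	{
		PLDR_DATA_TABLE_ENTRY dataEntry = CONTAINING_RECORD(f, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);

		// Skip entries without a name buffer before searching it.
		if (dataEntry->FullDllName.Buffer && wcsstr(dataEntry->FullDllName.Buffer, szModule))
		{
			dataEntry->DllBase = (PVOID)newAddress;
			return true;
		}
	}

	return false;
}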

int main()
{
    ChangeModuleDllBase(L"YourProgram.exe", 0x123456789);
    return 0;
}
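
From the analysis side, the overwrite shows up as a disagreement between the loader data and the image mappings the memory manager reports (for example, VirtualQueryEx regions of type MEM_IMAGE and their AllocationBase). The following is an added example, not code from the original page: a portable C model of that cross-check over a constructed snapshot. The names LdrRecord, ImageRegion, Verdict and check_record are hypothetical, modules are compared by base file name, and every address except the page's 0x123456789 is made up.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Loader view (one per LDR_DATA_TABLE_ENTRY) and memory view (one per MEM_IMAGE allocation). */
typedef struct { const char *name; uint64_t dll_base; } LdrRecord;
typedef struct { const char *file; uint64_t alloc_base; } ImageRegion;
typedef enum { BASE_OK, BASE_MOVED, BASE_WRONG_IMAGE, BASE_UNBACKED } Verdict;
/* ASCII case-insensitive equality (Windows file names ignore case). */
static int same_name(const char *a, const char *b)
{
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
    return *a == '\0' && *b == '\0';
}

/* Cross-check one loader record; on BASE_MOVED, *actual gets the real mapping base. */
Verdict check_record(const LdrRecord *r, const ImageRegion *img, size_t n, uint64_t *actual)
{
    const ImageRegion *by_name = NULL;
    for (size_t i = 0; i < n; i++) {
        if (img[i].alloc_base == r->dll_base)  /* base is a real image: is it the right one? */
            return same_name(img[i].file, r->name) ? BASE_OK : BASE_WRONG_IMAGE;
        if (!by_name && same_name(img[i].file, r->name))
            by_name = &img[i];
    }
    if (!by_name) return BASE_UNBACKED;  /* nothing mapped backs this entry */
    *actual = by_name->alloc_base;
    return BASE_MOVED;                   /* image is mapped elsewhere than the loader data claims */
}

/* Constructed snapshot; every address except the page's 0x123456789 is made up. */
static const ImageRegion k_images[] = {
    { "YourProgram.exe", 0x00007FF6A1230000ULL },
    { "ntdll.dll",       0x00007FFB4C5D0000ULL },
};
static const LdrRecord k_ldr[] = {
    { "YourProgram.exe", 0x123456789ULL },          /* DllBase overwritten */
    { "NTDLL.DLL",       0x00007FFB4C5D0000ULL },   /* untouched entry */
};

int main(void)
{
    for (size_t i = 0; i < 2; i++) {
        uint64_t actual = 0;
        Verdict v = check_record(&k_ldr[i], k_images, 2, &actual);
        printf("%s: verdict=%d mapped_at=0x%llx\n", k_ldr[i].name, (int)v, (unsigned long long)actual);
    }
    return 0;
}
```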
