View Full Version : Getting ImageBase from inside the process


Sorrow The Prince
December 6th, 2000, 06:33
ola, i need to retrieve the imagebase of my running process: i don't want to read it from file, but from the memory of my process (the image of the file which generated the process is mapped beginning from ImageBase)... under NT there are PSAPI, but i want to port the application under Win9x... so i cannot use the PSAPI...
scanning the memory searching for PE is not a *fast* idea (^^), so could anybody tell me how to retrieve the process's imagebase (from the inside)?
10x

Malkocoglu
December 6th, 2000, 07:59
>ola, i need to retrieve the imagebase of my running process:
AFAIK it is fixed and 0x00400000...

>under NT there are PSAPI, but i want to port the application under Win9x... so i cannot use the PSAPI...
I did not use PSAPI but here in my W95 Box,
W32dasm makes use of PSAPI DLL without error...

risc
December 6th, 2000, 13:48
call GetModuleHandleA, 0

returns your module handle aka process imagebase

no regrets

Spath.
December 6th, 2000, 14:29
To get the base address of your program's image (and not of your process), a third solution in Win9x is to use the ToolHelp functions (CreateToolhelp32Snapshot, Module32First, ...). Default address is 0x400000, but another value can be chosen at linking time.

Regards,

Spath.

Lord Soth
December 6th, 2000, 19:51
umm, I always thought (correct me if I'm wrong ppl), that the hInstance parameter passed to winmain at program startup equals the ImageBase.
However, I'm not sure

Soth

Sorrow
December 7th, 2000, 11:06
to Malkocoglu
well, you are right... but for now I'm so lazy and i don't want to test
the PSAPI's calls to ntdll.dll
(that because I want to be sure that all PSAPI are supported by Win9x's ntdll.dll)
note that the imagebase is not always 0x400000 (see M$ programs)

to risc && Lord Soth
you're right,
and here is a better explanation from "god" Pietrek

- Peering Inside the PE: A Tour of the Win32 Portable Executable File Format
- Matt Pietrek, March 1994

>[...]
>For the sake of convenience, Windows NT and Chicago uses the base address of a module as the module's instance handle (HINSTANCE). In Win32, calling the base address of a module an HINSTANCE is somewhat confusing, because the term "instance handle" comes from 16-bit Windows. Each copy of an application in 16-bit Windows gets its own separate data segment (and an associated global handle) that distinguishes it from other copies of the application, hence the term instance handle. In Win32, applications don't need to be distinguished from one another because they don't share the same address space. Still, the term HINSTANCE persists to keep continuity between 16-bit Windows and Win32. What's important for Win32 is that you can call GetModuleHandle for any DLL that your process uses to get a pointer for accessing the module's components.

finally I will test and write the results of this approach
thanks to all
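
The Pietrek passage quoted above describes the module handle as a pointer for accessing the module's components. As an added example (not code from any poster in this thread), the C code below walks from such a base pointer to the ImageBase field of a PE32 optional header with bounds checks; it runs on a constructed header buffer, where on Windows the pointer would be the value GetModuleHandle returns. The names `pe32_image_base` and `make_sample` are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* PE32 layout constants (PE/COFF format). */
#define E_LFANEW_OFF   0x3C    /* IMAGE_DOS_HEADER.e_lfanew */
#define OPT_HDR_OFF    24      /* "PE\0\0" (4) + IMAGE_FILE_HEADER (20) */
#define OPT_MAGIC_PE32 0x10B   /* 32-bit optional header */
#define IMAGEBASE_OFF  28      /* OptionalHeader.ImageBase */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Read ImageBase from the headers found at `base`. Returns 0 on success,
 * a negative code if the headers are malformed or run past `len`. */
int pe32_image_base(const uint8_t *base, size_t len, uint32_t *out)
{
    if (len < 0x40 || base[0] != 'M' || base[1] != 'Z') return -1;
    uint32_t nt = rd32(base + E_LFANEW_OFF);
    if (nt > len || len - nt < OPT_HDR_OFF + IMAGEBASE_OFF + 4) return -2;
    if (memcmp(base + nt, "PE\0\0", 4) != 0) return -3;
    const uint8_t *opt = base + nt + OPT_HDR_OFF;
    if (rd16(opt) != OPT_MAGIC_PE32) return -4;
    *out = rd32(opt + IMAGEBASE_OFF);
    return 0;
}

/* Constructed sample: minimal header bytes only, not a loadable image. */
size_t make_sample(uint8_t *buf, size_t cap, uint32_t image_base)
{
    const uint32_t nt = 0x80;
    if (cap < 0x100) return 0;
    memset(buf, 0, 0x100);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + E_LFANEW_OFF, nt);
    memcpy(buf + nt, "PE\0\0", 4);
    buf[nt + OPT_HDR_OFF] = 0x0B; buf[nt + OPT_HDR_OFF + 1] = 0x01;
    wr32(buf + nt + OPT_HDR_OFF + IMAGEBASE_OFF, image_base);
    return 0x100;
}

int main(void)
{
    uint8_t img[0x100]; uint32_t ib = 0;
    size_t n = make_sample(img, sizeof img, 0x00400000u);
    int rc = pe32_image_base(img, n, &ib);
    printf("rc=%d ImageBase=0x%08X\n", rc, (unsigned)ib);
    return rc;
}
```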