This article started from a question: how do you get the base address (BaseAddress) of a particular DLL loaded in a particular EXE? Someone answered: use remote injection, CreateRemoteThread and then GetModuleHandle. Because that approach is complicated to implement and unreliable, the answerer never got to turn the poster's bounty points into expert points. Yes, that is the "yellow" forum CSDN (the letters also spell chuang shang deng ni, "waiting for you in bed").
    
Many people have used CreateToolhelp32Snapshot. For what? Enumerating processes, right? Well, it can also enumerate the modules loaded into a specific process, with no code injected into the target and nothing executed there: pass TH32CS_SNAPMODULE and the target PID, then walk the snapshot with Module32First/Module32Next and read modBaseAddr from each MODULEENTRY32. Below Tr0j4n gives reference code.
    
    #include <windows.h>
    #include <tlhelp32.h>
    #include <stdio.h>
    #include <stdlib.h>

    // Build without UNICODE defined: szModule/szExePath are TCHAR arrays and
    // the %s conversions below assume the ANSI variant of MODULEENTRY32.

    static void printError( const char *msg )
    {
        fprintf( stderr, "\n%s failed, Win32 error %lu\n", msg, GetLastError() );
    }

    BOOL ListProcessModules( DWORD dwPID )
    {
        HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
        MODULEENTRY32 me32;
        int retries = 10;

        // Take a snapshot of all modules in the specified process.
        // TH32CS_SNAPMODULE32 also lists the 32-bit modules of a WOW64 target
        // when this program runs as a 64-bit process (a 32-bit caller cannot
        // snapshot a 64-bit target at all; that fails with ERROR_PARTIAL_COPY).
        // While the target is still starting up the call can fail with
        // ERROR_BAD_LENGTH, and the documentation says to simply retry.
        do
        {
            hModuleSnap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, dwPID );
        } while( hModuleSnap == INVALID_HANDLE_VALUE
                 && GetLastError() == ERROR_BAD_LENGTH && --retries > 0 );

        if( hModuleSnap == INVALID_HANDLE_VALUE )
        {
            printError( "CreateToolhelp32Snapshot (of modules)" );
            return( FALSE );
        }

        // Set the size of the structure before using it.
        me32.dwSize = sizeof( MODULEENTRY32 );

        // Retrieve information about the first module, and exit if unsuccessful.
        if( !Module32First( hModuleSnap, &me32 ) )
        {
            printError( "Module32First" );  // Show cause of failure
            CloseHandle( hModuleSnap );     // Must clean up the snapshot object!
            return( FALSE );
        }

        // Now walk the module list of the process and display information
        // about each module. modBaseAddr is an address in the TARGET process,
        // so it must not be dereferenced here; it is printed with %p rather
        // than cast to DWORD, which would truncate it in a 64-bit build.
        do
        {
            printf( "\n\n     MODULE NAME:     %s",    me32.szModule );
            printf( "\n     executable     = %s",      me32.szExePath );
            printf( "\n     process ID     = 0x%08lX", me32.th32ProcessID );
            printf( "\n     ref count (g)  = 0x%04lX", me32.GlblcntUsage );
            printf( "\n     ref count (p)  = 0x%04lX", me32.ProccntUsage );
            printf( "\n     base address   = %p",      (void *) me32.modBaseAddr );
            printf( "\n     base size      = %lu",     me32.modBaseSize );
        } while( Module32Next( hModuleSnap, &me32 ) );

        // Do not forget to clean up the snapshot object.
        CloseHandle( hModuleSnap );
        return( TRUE );
    }

    int main( int argc, char *argv[] )
    {
        if( argc != 2 )
        {
            fprintf( stderr, "usage: %s <pid>\n", argv[0] );
            return 1;
        }
        return ListProcessModules( (DWORD) strtoul( argv[1], NULL, 0 ) ) ? 0 : 1;
    }
    
    
    OK, that is the end of the code. Two things to keep in mind when you use it: the snapshot only works across the same bitness (or from 64-bit to a WOW64 target with TH32CS_SNAPMODULE32), and a WOW64 target will show two ntdll.dll entries, the 64-bit one from System32 and the 32-bit one from SysWOW64, so match on szExePath and not just szModule when it matters. Have you picked up this little trick?
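    The same lookup driven from PowerShell, as an added example that is not part of the original post: it calls the very same Toolhelp32 functions through P/Invoke and wraps them in a hypothetical Get-RemoteModuleBase that returns every entry whose szModule matches the DLL name you ask for (so a WOW64 target yields both ntdll.dll copies, distinguishable by Path). The struct layout follows the public MODULEENTRY32 definition; the ERROR_BAD_LENGTH retry and the retry count are this example's own choices.

```powershell
# Added example, not code from the original post. Requires Windows PowerShell 5+
# or PowerShell 7 running as a 64-bit process for 64-bit and WOW64 targets.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class Toolhelp32
{
    // Layout of MODULEENTRY32 (ANSI variant) from tlhelp32.h.
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi)]
    public struct MODULEENTRY32
    {
        public uint   dwSize;
        public uint   th32ModuleID;
        public uint   th32ProcessID;
        public uint   GlblcntUsage;
        public uint   ProccntUsage;
        public IntPtr modBaseAddr;      // address inside the TARGET process
        public uint   modBaseSize;
        public IntPtr hModule;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 256)] public string szModule;   // MAX_MODULE_NAME32 + 1
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 260)] public string szExePath;  // MAX_PATH
    }

    public const uint TH32CS_SNAPMODULE   = 0x00000008;
    public const uint TH32CS_SNAPMODULE32 = 0x00000010;   // 32-bit modules of a WOW64 target, 64-bit caller only

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr CreateToolhelp32Snapshot(uint dwFlags, uint th32ProcessID);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool Module32First(IntPtr hSnapshot, ref MODULEENTRY32 lpme);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool Module32Next(IntPtr hSnapshot, ref MODULEENTRY32 lpme);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@

function Get-RemoteModuleBase {
    # Hypothetical helper (this example's own name): returns one object per
    # module in $ProcessId whose file name equals $ModuleName (case-insensitive).
    param(
        [Parameter(Mandatory)][int]$ProcessId,
        [Parameter(Mandatory)][string]$ModuleName
    )
    $INVALID_HANDLE_VALUE = [IntPtr]::new(-1)
    $ERROR_BAD_LENGTH     = 24     # target still initialising: documented as "retry"
    $ERROR_PARTIAL_COPY   = 299    # typical when a 32-bit caller targets a 64-bit process
    $flags = [Toolhelp32]::TH32CS_SNAPMODULE -bor [Toolhelp32]::TH32CS_SNAPMODULE32

    $snap = $INVALID_HANDLE_VALUE
    for ($try = 0; $try -lt 10; $try++) {
        $snap = [Toolhelp32]::CreateToolhelp32Snapshot($flags, [uint32]$ProcessId)
        if ($snap -ne $INVALID_HANDLE_VALUE) { break }
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($err -eq $ERROR_PARTIAL_COPY) {
            throw "CreateToolhelp32Snapshot failed with ERROR_PARTIAL_COPY; check caller/target bitness"
        }
        if ($err -ne $ERROR_BAD_LENGTH) {
            throw "CreateToolhelp32Snapshot failed for PID $ProcessId, Win32 error $err"
        }
        Start-Sleep -Milliseconds 50
    }
    if ($snap -eq $INVALID_HANDLE_VALUE) { throw "snapshot kept returning ERROR_BAD_LENGTH" }

    try {
        $me = [Toolhelp32+MODULEENTRY32]::new()
        $me.dwSize = [Runtime.InteropServices.Marshal]::SizeOf([type][Toolhelp32+MODULEENTRY32])
        if (-not [Toolhelp32]::Module32First($snap, [ref]$me)) {
            throw "Module32First failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        do {
            if ($me.szModule -ieq $ModuleName) {
                [PSCustomObject]@{
                    Module      = $me.szModule
                    Path        = $me.szExePath            # tells System32 and SysWOW64 copies apart
                    BaseAddress = ('0x{0:X}' -f $me.modBaseAddr.ToInt64())
                    Size        = $me.modBaseSize
                }
            }
        } while ([Toolhelp32]::Module32Next($snap, [ref]$me))
    } finally {
        [void][Toolhelp32]::CloseHandle($snap)   # always release the snapshot
    }
}

# Usage (constructed example; pick any running process):
# Get-RemoteModuleBase -ProcessId (Get-Process explorer)[0].Id -ModuleName ntdll.dll
```

    As a quick cross-check without any P/Invoke, (Get-Process -Id $somePid).Modules lists ProcessModule objects with a BaseAddress property; the values should agree with what the snapshot reports for the same process.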
    