bats3c/locate_wevtsvc_base_address.c

## locate_wevtsvc_base_address.c
DWORD_PTR dwBase;
DWORD     i, dwSizeNeeded;
HMODULE   hModules[102400];
TCHAR     szModule[MAX_PATH];

if (EnumProcessModules(GetCurrentProcess(), hModules, sizeof(hModules), &dwSizeNeeded))
{
	for (int i = 0; i < (dwSizeNeeded / sizeof(HMODULE)); i++)
	{
		ZeroMemory((PVOID)szModule, MAX_PATH);

		if (GetModuleBaseNameA(GetCurrentProcess(), hModules[i], (LPSTR)szModule, sizeof(szModule) / sizeof(TCHAR)))
		{
			if (!strcmp("wevtsvc.dll", (const char*)szModule))
			{
				dwBase = (DWORD_PTR)hModules[i];
			}
		}
	}
}
	DWORD_PTR dwBase;
	DWORD i, dwSizeNeeded;
	HMODULE hModules[102400];
	TCHAR szModule[MAX_PATH];

	if (EnumProcessModules(GetCurrentProcess(), hModules, sizeof(hModules), &dwSizeNeeded))
	{
	for (int i = 0; i < (dwSizeNeeded / sizeof(HMODULE)); i++)
	{
	ZeroMemory((PVOID)szModule, MAX_PATH);

	if (GetModuleBaseNameA(GetCurrentProcess(), hModules[i], (LPSTR)szModule, sizeof(szModule) / sizeof(TCHAR)))
	{
	if (!strcmp("wevtsvc.dll", (const char*)szModule))
	{
	dwBase = (DWORD_PTR)hModules[i];
	}
	}
	}
	}