IDA Plugin - Get Offset

Little bit of background

When you are working with a process module dump in IDA Pro it’s important to make note of the Imagebase so you can easily locate functions or data you are observing in live memory.

Now in a perfect world the module/exe you import into IDA would be loaded at 0x04000000 or if it’s 64bit 0x0000000140000000. Why those constants you may ask? Raymond Chen explains that in his post here.

However due to ASLR the loaded address in memory will vary and change. Therefore a process module you dumped now will be loaded potentially at a different location on the next process run.

That leaves us two choices:

• Either rebase the program in IDA to 0x00000000 (which will most likely break some memory location references).
• Or subtract the location of a function or data member by the Imagebase to get the offset which you then can add to the Imagebase of the live running process module to find it again.

IDA Plugin

This process is annoying to do every time and I usually do it on the fly by opening up calc.exe and doing the subtraction until I got annoyed and wrote athis to do it for me.

Drop the cvutils-getoffset.py script into the IDA/plugins/ directory.

Right click anywhere in an IDA View and select Get Offset. Alternatively you can use the shortcut command Ctrl+Shift+C The offset will be copied to your clipboard.

Download: