
I created a child process from within my process with CreateProcess() (in C++). I then continue using ReadProcessMemory to read through its memory and search for a specific something.

I would like to start my search from the entry point of that process. Since the process is loaded into its own virtual space, I have no idea at this point how to find out the entry point for the code itself (I don't care about other sections of the PE file). I am aware of the 'AddressOfEntryPoint' field of the PE format and I already have it, but since I have no idea at what address that process would be loaded, how can I calculate the entry point itself?

To demonstrate what I want: if you open a process with OllyDbg, for example, you immediately reach the entry point of the code. I want to have that address.

Remember that this is a child process that I created, if it helps.

Let me mention that I do not want to inject any code or DLL into that application to find out that address.


3 Answers


Use GetModuleInformation from PSAPI with a NULL HMODULE. This will give you the entry point of the executable as well as its total size in memory (unfortunately, the base address is not set).

Note that the entry point is not necessarily the main() function; it may be the CRT's entry point, which in turn calls your main().

You can also use EnumProcessModules to get all the modules in the process along with their base addresses.

answered 2009-09-01T18:34:50.273

AddressOfEntryPoint is relative to the image base (the ImageBase member of the same IMAGE_OPTIONAL_HEADER structure). For executables, the image base is almost always whatever is set in the PE header, because every executable gets its own virtual address space.

In fact, an exe with a stripped relocation section can only be loaded at the base given in the PE header.

I'm not sure whether there are exceptions, or whether the image base of a running process can be retrieved...

answered 2009-09-01T18:34:03.800
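To tie the two answers above together (the module base from EnumProcessModules / GetModuleInformation, and AddressOfEntryPoint being relative to the image base), here is an added example that is not part of the original question or answers. It walks the PE headers of a module through a reader callback and computes `actual base + AddressOfEntryPoint`, deliberately adding the RVA to the base the loader actually used rather than to the header's ImageBase, since ASLR can relocate the image. The portable core is exercised offline against a constructed, minimal PE32+ header (not a real binary); the `child_entry_point` helper under `#ifdef _WIN32`, which wraps ReadProcessMemory and EnumProcessModules, is the piece you would call on the handle returned by CreateProcess. All function names and the sample addresses are my own choices, not anything from the page.

```cpp
#include <cstdint>
#include <cstring>
#include <functional>
#include <vector>

// Reader abstraction: on Windows this wraps ReadProcessMemory on the child's
// handle; for the offline demo it reads from a constructed byte buffer.
using MemReader = std::function<bool(uint64_t addr, void* buf, size_t len)>;

struct EntryInfo {
    bool     pe32plus;           // true for 64-bit (PE32+) images
    uint64_t header_image_base;  // ImageBase from IMAGE_OPTIONAL_HEADER (preferred base only)
    uint32_t entry_rva;          // AddressOfEntryPoint, relative to the base
    uint64_t entry_va;           // actual base + entry_rva: where a debugger would stop
};

// Header offsets from the PE/COFF spec, written out so this compiles without <windows.h>:
// IMAGE_DOS_HEADER: e_magic at 0, e_lfanew at 0x3C.
// IMAGE_NT_HEADERS: Signature(4) + IMAGE_FILE_HEADER(20), so the optional header is at +24.
// IMAGE_OPTIONAL_HEADER: Magic at +0, AddressOfEntryPoint at +16,
//   ImageBase at +28 (PE32, 4 bytes) or +24 (PE32+, 8 bytes).
template <typename T>
static bool read_val(const MemReader& read, uint64_t addr, T& out) {
    return read(addr, &out, sizeof(T));
}

// Resolves the entry point of the module mapped at `actual_base` (the value
// EnumProcessModules / GetModuleInformation report). Every read is checked, so a
// non-PE or truncated region is rejected instead of producing a bogus address.
bool resolve_entry_point(const MemReader& read, uint64_t actual_base, EntryInfo& out) {
    uint16_t mz = 0;
    if (!read_val(read, actual_base, mz) || mz != 0x5A4D) return false;       // "MZ"
    uint32_t lfanew = 0;
    if (!read_val(read, actual_base + 0x3C, lfanew)) return false;
    const uint64_t nt = actual_base + lfanew;
    uint32_t sig = 0;
    if (!read_val(read, nt, sig) || sig != 0x00004550) return false;          // "PE\0\0"
    const uint64_t opt = nt + 24;
    uint16_t magic = 0;
    if (!read_val(read, opt, magic)) return false;
    EntryInfo info{};
    if (magic == 0x10B) {                                                     // PE32
        uint32_t base32 = 0;
        if (!read_val(read, opt + 28, base32)) return false;
        info.header_image_base = base32;
    } else if (magic == 0x20B) {                                              // PE32+
        if (!read_val(read, opt + 24, info.header_image_base)) return false;
        info.pe32plus = true;
    } else {
        return false;
    }
    if (!read_val(read, opt + 16, info.entry_rva)) return false;
    info.entry_va = actual_base + info.entry_rva;   // RVA + real base, not header ImageBase
    out = info;
    return true;
}

// Reader over an in-memory buffer that pretends to be mapped at `base` (bounds-checked).
MemReader buffer_reader(const std::vector<uint8_t>& img, uint64_t base) {
    return [&img, base](uint64_t addr, void* buf, size_t len) {
        if (addr < base || addr - base + len > img.size()) return false;
        std::memcpy(buf, img.data() + (addr - base), len);
        return true;
    };
}

// Constructed sample: a minimal PE32+ header (no sections) with ImageBase
// 0x140000000 and AddressOfEntryPoint 0x1000, as a linker would emit for a
// 64-bit exe. Just enough header for the resolver; not a loadable binary.
std::vector<uint8_t> make_sample_pe32plus_image() {
    std::vector<uint8_t> img(0x200, 0);
    auto put = [&](size_t off, const void* v, size_t n) { std::memcpy(&img[off], v, n); };
    const uint16_t mz = 0x5A4D;        const uint32_t lfanew = 0x80;
    const uint32_t sig = 0x00004550;   const uint16_t magic = 0x20B;
    const uint32_t entry_rva = 0x1000; const uint64_t image_base = 0x140000000ULL;
    put(0x00, &mz, 2);  put(0x3C, &lfanew, 4);
    put(0x80, &sig, 4);                 // IMAGE_FILE_HEADER (20 bytes) left zeroed
    put(0x98, &magic, 2);               // optional header = 0x80 + 24
    put(0x98 + 16, &entry_rva, 4);
    put(0x98 + 24, &image_base, 8);
    return img;
}

// Demo: pretend the loader placed the sample at 0x7FF600000000 (ASLR moved it
// away from ImageBase). The entry point is that base + 0x1000, not 0x140001000.
uint64_t sample_entry_va() {
    const uint64_t actual_base = 0x7FF600000000ULL;
    std::vector<uint8_t> img = make_sample_pe32plus_image();
    EntryInfo info{};
    if (!resolve_entry_point(buffer_reader(img, actual_base), actual_base, info)) return 0;
    return info.entry_va;   // 0x7FF600001000
}

#ifdef _WIN32
#include <windows.h>
#include <psapi.h>   // link with psapi.lib
// For a process you created with CreateProcess, the first HMODULE returned by
// EnumProcessModules is the main executable. For a CREATE_SUSPENDED child the
// loader has not filled in the module list yet, so call this once it has run.
bool child_entry_point(HANDLE process, EntryInfo& out) {
    HMODULE exe = nullptr; DWORD needed = 0;
    if (!EnumProcessModules(process, &exe, sizeof exe, &needed)) return false;
    MemReader read = [process](uint64_t addr, void* buf, size_t len) {
        SIZE_T got = 0;
        return ReadProcessMemory(process, reinterpret_cast<LPCVOID>(addr), buf, len, &got) && got == len;
    };
    return resolve_entry_point(read, reinterpret_cast<uint64_t>(exe), out);
}
#endif
```

The value `child_entry_point` returns in `entry_va` is the same address a debugger shows when it breaks at the process entry; as the first answer notes, that is usually the CRT startup stub rather than `main()`. Comparing `header_image_base` with the real base from EnumProcessModules tells you whether the image was relocated, which is exactly the case the second answer was unsure about.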

I don't know for sure, but... as far as I remember, can you find the entry point address in the PE header of the .exe/.dll

or... is it a fixed one

That's what I remember.

answered 2009-09-01T18:21:47.883