//1、以挂起的方式创建进程,观察创建后的结果
STARTUPINFO ie_si = {0};
PROCESS_INFORMATION ie_pi;
ie_si.cb = sizeof(ie_si);
TCHAR szBuffer[256] = "C:\\notepad.exe";
CreateProcess(
NULL,
szBuffer,
NULL,
NULL,
FALSE,
CREATE_SUSPENDED,
NULL,
NULL,
&ie_si,
&ie_pi
);
//恢复执行
ResumeThread(ie_pi.hThread);
//2、以挂起的方式创建进程,获取进程的ImageBase和AddressOfEntryPoint
STARTUPINFO ie_si = {0};
PROCESS_INFORMATION ie_pi;
ie_si.cb = sizeof(ie_si);
//以挂起的方式创建进程
TCHAR szBuffer[256] = "C:\\ipmsg.exe";
CreateProcess(
NULL, // name of executable module
szBuffer, // command line string
NULL, // SD
NULL, // SD
FALSE, // handle inheritance option
CREATE_SUSPENDED, // creation flags
NULL, // new environment block
NULL, // current directory name
&ie_si, // startup information
&ie_pi // process information
);
CONTEXT contx;
contx.ContextFlags = CONTEXT_FULL;
GetThreadContext(ie_pi.hThread, &contx);
//获取入口点
DWORD dwEntryPoint = contx.Eax;
//获取ImageBase
char* baseAddress = (CHAR *) contx.Ebx+8;
memset(szBuffer,0,256);
ReadProcessMemory(ie_pi.hProcess,baseAddress,szBuffer,4,NULL);
不入虎穴, 焉得虎子!
0则评论给“挂起进程”