

How to get the entry point of a child process?

I created a child process from within my process with CreateProcess() (in C++). I then continue on using ReadProcessMemory to read through the memory and search for a specific something.

I would like to start my search from the entry point of that process. Since the process is loaded into its own virtual space, I have no idea at this point how to find out the entry point for the code itself (I don't care about other sections of the PE file). I am aware of the 'AddressOfEntryPoint' field of the PE format and I already have it, but since I have no idea at what address that process would be loaded, how can I calculate the entry point itself?

To demonstrate what I want: if you open a process with OllyDbg, for example, you immediately reach the entry point for the code. I want to have that address.

Remember that this is a child process that I created, if it helps.

Let me mention that I do not want to inject any code or DLL into that application to find out that address.

Use PSAPI's GetModuleInformation with an HMODULE of NULL. This will give you the executable's entry point as well as its total size in memory (unfortunately, the base address is not set).

Note that the entry point isn't necessarily the main() function; it is probably the CRT's entry point, which in turn calls your main().

You can also use EnumProcessModules to get all modules in the process and their base addresses.

I don't know exactly, BUT... as far as I know, you can find the EntryPoint address in the PE header of the .exe/.dll

or... it is a fixed one

that's all I remember

AddressOfEntryPoint is relative to the image base address (the ImageBase member of the same IMAGE_OPTIONAL_HEADER struct). For executables the image base is almost always whatever is set in the PE header, since every executable has its own virtual address space.

In fact, exes with stripped relocation sections can only be loaded at the base that is in the PE.

I'm not sure if there are exceptions, or if it is possible to retrieve the image base of a running process...
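Editor's added example (not code from the question or from any of the answers above): the arithmetic the last answer describes, entry VA = ImageBase + AddressOfEntryPoint, carried out by walking the DOS header, PE signature, file header and optional header of a PE32 or PE32+ image, plus the two header bits that decide whether the preferred ImageBase can be trusted (IMAGE_FILE_RELOCS_STRIPPED, which pins the image to that base, and IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, which lets ASLR move it). The function and type names (parse_pe_entry, entry_point_va, preferred_base_reliable, make_sample_image, PeEntryInfo) are this example's own; the header bytes are constructed in memory, not read from a real binary, and the ASLR base 0x7ff6a0000000 is an illustrative value. On Windows, the actual_base argument would be fed from GetModuleInformation's MODULEINFO.lpBaseOfDll or the first HMODULE from EnumProcessModules (the answers above); those calls are deliberately left out so the example builds on any host.

```cpp
// Added example: compute a PE entry point from its headers and report whether
// the header's ImageBase is the address the loader will actually use.
#include <cstdint>
#include <cstdio>
#include <vector>

// Constants mirror the Win32 IMAGE_* definitions so the code builds anywhere.
static const uint16_t DOS_MAGIC = 0x5A4D;            // "MZ"
static const uint32_t PE_SIGNATURE = 0x00004550;     // "PE\0\0"
static const uint16_t OPT_MAGIC_PE32 = 0x10B;
static const uint16_t OPT_MAGIC_PE32PLUS = 0x20B;
static const uint16_t FILE_RELOCS_STRIPPED = 0x0001; // IMAGE_FILE_RELOCS_STRIPPED
static const uint16_t DLL_DYNAMIC_BASE = 0x0040;     // IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

struct PeEntryInfo {
    uint64_t preferred_base; // IMAGE_OPTIONAL_HEADER.ImageBase
    uint32_t entry_rva;      // IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint
    bool relocs_stripped;    // image can only be mapped at preferred_base
    bool dynamic_base;       // ASLR-eligible: loader may choose another base
};

// Bounds-checked little-endian read of n bytes at off.
static bool read_le(const uint8_t *p, size_t len, size_t off, size_t n, uint64_t *v) {
    if (off > len || n > len - off) return false;
    uint64_t r = 0;
    for (size_t i = 0; i < n; ++i) r |= (uint64_t)p[off + i] << (8 * i);
    *v = r;
    return true;
}

// Walk DOS header -> e_lfanew -> "PE\0\0" -> IMAGE_FILE_HEADER -> IMAGE_OPTIONAL_HEADER.
// `image` may be the file bytes or the first page of the mapped image (headers are
// identical in both). Returns false on anything malformed or truncated.
bool parse_pe_entry(const uint8_t *image, size_t len, PeEntryInfo *out) {
    uint64_t mz, e_lfanew, sig, chars, magic, entry, base, dllchars;
    if (!read_le(image, len, 0, 2, &mz) || mz != DOS_MAGIC) return false;
    if (!read_le(image, len, 0x3C, 4, &e_lfanew)) return false;
    if (!read_le(image, len, (size_t)e_lfanew, 4, &sig) || sig != PE_SIGNATURE) return false;
    size_t file_hdr = (size_t)e_lfanew + 4;                          // 20-byte file header
    if (!read_le(image, len, file_hdr + 18, 2, &chars)) return false; // Characteristics
    size_t opt = file_hdr + 20;                                      // optional header
    if (!read_le(image, len, opt, 2, &magic)) return false;
    if (!read_le(image, len, opt + 16, 4, &entry)) return false;     // AddressOfEntryPoint
    if (magic == OPT_MAGIC_PE32) {
        if (!read_le(image, len, opt + 28, 4, &base)) return false;  // ImageBase (32-bit)
    } else if (magic == OPT_MAGIC_PE32PLUS) {
        if (!read_le(image, len, opt + 24, 8, &base)) return false;  // ImageBase (64-bit)
    } else {
        return false;
    }
    if (!read_le(image, len, opt + 70, 2, &dllchars)) return false;  // DllCharacteristics
    out->preferred_base = base;
    out->entry_rva = (uint32_t)entry;
    out->relocs_stripped = (chars & FILE_RELOCS_STRIPPED) != 0;
    out->dynamic_base = (dllchars & DLL_DYNAMIC_BASE) != 0;
    return true;
}

// Relocations stripped: the image cannot be moved. No DYNAMIC_BASE: the loader
// honours ImageBase unless that range is already taken (rare in a fresh exe
// address space). Otherwise ASLR may pick a different base, so ask the OS.
bool preferred_base_reliable(const PeEntryInfo &info) {
    return info.relocs_stripped || !info.dynamic_base;
}

// Entry VA = base + AddressOfEntryPoint. actual_base: where the image was really
// mapped (e.g. lpBaseOfDll from GetModuleInformation); 0 = use the header's base.
uint64_t entry_point_va(const PeEntryInfo &info, uint64_t actual_base) {
    uint64_t base = actual_base ? actual_base : info.preferred_base;
    return base + info.entry_rva;
}

static void write_le(std::vector<uint8_t> &b, size_t off, size_t n, uint64_t v) {
    for (size_t i = 0; i < n; ++i) b[off + i] = (uint8_t)(v >> (8 * i));
}

// Constructed sample (not a real binary): DOS stub pointing at a PE32+ header with
// ImageBase 0x140000000 and AddressOfEntryPoint 0x1400; flags chosen by the caller.
std::vector<uint8_t> make_sample_image(bool relocs_stripped, bool dynamic_base) {
    std::vector<uint8_t> img(0x200, 0);
    write_le(img, 0, 2, DOS_MAGIC);
    write_le(img, 0x3C, 4, 0x80);                                  // e_lfanew
    write_le(img, 0x80, 4, PE_SIGNATURE);
    const size_t fh = 0x84;
    write_le(img, fh + 0, 2, 0x8664);                              // Machine: AMD64
    write_le(img, fh + 2, 2, 3);                                   // NumberOfSections
    write_le(img, fh + 16, 2, 240);                                // SizeOfOptionalHeader
    write_le(img, fh + 18, 2, 0x0022 | (relocs_stripped ? FILE_RELOCS_STRIPPED : 0));
    const size_t opt = fh + 20;
    write_le(img, opt, 2, OPT_MAGIC_PE32PLUS);
    write_le(img, opt + 16, 4, 0x1400);                            // AddressOfEntryPoint
    write_le(img, opt + 24, 8, 0x140000000ULL);                    // ImageBase
    write_le(img, opt + 70, 2, 0x0100 | (dynamic_base ? DLL_DYNAMIC_BASE : 0));
    return img;
}

int main() {
    std::vector<uint8_t> img = make_sample_image(false, true);
    PeEntryInfo info;
    if (!parse_pe_entry(img.data(), img.size(), &info)) { std::puts("malformed PE"); return 1; }
    std::printf("entry VA from header: 0x%llx (%s)\n",
                (unsigned long long)entry_point_va(info, 0),
                preferred_base_reliable(info) ? "reliable" : "ASLR may move it");
    uint64_t aslr_base = 0x7ff6a0000000ULL;                          // illustrative base
    std::printf("entry VA with actual base 0x%llx: 0x%llx\n", (unsigned long long)aslr_base,
                (unsigned long long)entry_point_va(info, aslr_base));
    return 0;
}
```

With DYNAMIC_BASE set and relocations present, the sample reports that the header value is not authoritative; pass in the base the OS reports for the child process to get the address a debugger such as OllyDbg would stop at.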
