
Using the Windows API and C++, how could I load an exe from the hard drive and run it in its own thread?

For the sake of learning I'm trying to do what the OS does when launching a program, i.e. parsing a PE file and giving it a thread of execution.

If I have two exes, one called foo.exe and the other bar.exe, how could I have foo.exe load the contents of bar.exe into memory and then have it execute from there in its own thread? I know how to get it into memory using MapViewOfFile or by simply loading the contents from the hard drive into a buffer. I'm assuming that simply copying the contents of bar.exe on disk into its own suspended thread and running it wouldn't work. I am semi-familiar with PE file internals. All help is very much appreciated, of course :)

First, Lambert is correct. EXEs run in their own process. The reason EXEs can't be loaded into another process is that they are not compiled for relative addressing and cannot easily have their code remapped to another address. Developers launch other EXE programs with the Win32 system call CreateProcess. But I don't think that was your question...

I think you want to know how to manually load code from a binary into a running process (and have it run on a dedicated thread). Most developers just call LoadLibrary/GetProcessAddress to map a DLL into the process space and CreateThread to launch a thread.

So I think what you are basically asking is, "how do I implement the core component of the kernel and OS known as the loader?" Or, put another way, "how do I implement CreateProcess and LoadLibrary myself?"

The OS loader does more than just parse binary files into memory and set the instruction pointer to the first line of code. It also loads other dependent DLLs. Because the process may already have allocated other code to run at the target address the DLL was compiled for, it may also have to fix up the addresses of the DLL to load it at another address. I'm likely missing many other steps, including virtual memory allocation for the binary code itself.

I do recommend looking at the Richter book for its sections on processes, threads, and DLLs. He discusses a bit of this and some details on parsing the PE format of DLLs.

Studying the Linux kernel's implementation of how it loads .so files into a process space may also be worthwhile.
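As an added illustration of the loader steps this answer lists (it is example code written for this page, not part of the answer or of any Windows component), the following C program parses a PE32+ file, copies its sections to their relative virtual addresses in an image buffer, applies the base relocations needed when the image is not loaded at its preferred ImageBase, and returns the entry point. The PE it works on is constructed inline by `build_sample_pe()` and is not a real executable; the struct names (`DosHdr`, `OptHdr64`, `SecHdr`, ...) are shortened stand-ins for the Win32 `IMAGE_*` structures with the same field layout, so the code compiles on any platform without `<windows.h>`. The last real-loader steps (import resolution with LoadLibrary/GetProcAddress, page protections, CreateThread on the entry point) are named in comments but not performed, because they require Windows:

```c
/* Portable PE32+ mapper, added to illustrate the loader steps the answer names (parse headers,
 * copy sections, fix up addresses, find the entry point).  The image it maps is CONSTRUCTED in
 * build_sample_pe() and is not a real program; no <windows.h> is needed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#pragma pack(push, 1)                       /* on-disk layouts, no compiler padding */
typedef struct { uint16_t e_magic; uint8_t pad[58]; uint32_t e_lfanew; } DosHdr;            /* 64 B  */
typedef struct { uint16_t Machine, NumberOfSections; uint32_t TimeDateStamp, PointerToSymbolTable,
    NumberOfSymbols; uint16_t SizeOfOptionalHeader, Characteristics; } FileHdr;             /* 20 B  */
typedef struct { uint32_t VirtualAddress, Size; } DataDir;
typedef struct { uint16_t Magic; uint8_t LinkerVersion[2]; uint32_t Sizes[3], AddressOfEntryPoint,
    BaseOfCode; uint64_t ImageBase; uint32_t SectionAlignment, FileAlignment; uint16_t Versions[6];
    uint32_t Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum; uint16_t Subsystem,
    DllCharacteristics; uint64_t StackHeap[4]; uint32_t LoaderFlags, NumberOfRvaAndSizes;
    DataDir DataDirectory[16]; } OptHdr64;      /* fields this example never reads are grouped */ /* 240 B */
typedef struct { char Name[8]; uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    PointerToRelocations, PointerToLinenumbers; uint16_t NumberOfRelocations, NumberOfLinenumbers;
    uint32_t Characteristics; } SecHdr;                                                     /* 40 B  */
typedef struct { uint32_t VirtualAddress, SizeOfBlock; } RelocBlock;
#pragma pack(pop)
enum { DIR_BASERELOC = 5, REL_ABSOLUTE = 0, REL_DIR64 = 10 };

/* Map `file` into caller-provided `image` as if loaded at `new_base`, fixing up absolute addresses.
 * Returns the entry point at new_base, or 0 on a malformed/truncated file.  A real loader takes
 * `image` from VirtualAlloc(NULL, SizeOfImage, ...) and uses that address as new_base.  Headers are
 * memcpy'd out so a hostile e_lfanew cannot cause misaligned or out-of-bounds reads. */
uint64_t map_pe64(const uint8_t *file, size_t len, uint8_t *image, size_t image_len, uint64_t new_base)
{
    DosHdr dos; FileHdr fh; OptHdr64 oh;
    if (len < sizeof dos) return 0;
    memcpy(&dos, file, sizeof dos);
    if (dos.e_magic != 0x5A4D) return 0;                                                /* "MZ" */
    size_t nt = dos.e_lfanew;
    if (nt > len || len - nt < 4 + sizeof fh + sizeof oh || memcmp(file + nt, "PE\0\0", 4)) return 0;
    memcpy(&fh, file + nt + 4, sizeof fh);
    memcpy(&oh, file + nt + 4 + sizeof fh, sizeof oh);
    if (oh.Magic != 0x20B || oh.SizeOfImage > image_len ||                               /* PE32+ only */
        oh.SizeOfHeaders > len || oh.SizeOfHeaders > oh.SizeOfImage) return 0;
    memset(image, 0, oh.SizeOfImage);
    memcpy(image, file, oh.SizeOfHeaders);                                              /* headers are mapped too */
    size_t sec = nt + 4 + sizeof fh + fh.SizeOfOptionalHeader;
    for (unsigned i = 0; i < fh.NumberOfSections; i++, sec += sizeof(SecHdr)) {
        SecHdr s;
        if (sec + sizeof s > len) return 0;
        memcpy(&s, file + sec, sizeof s);
        if ((uint64_t)s.PointerToRawData + s.SizeOfRawData > len ||                     /* raw data inside file, */
            (uint64_t)s.VirtualAddress + s.SizeOfRawData > oh.SizeOfImage) return 0;    /* target inside image   */
        memcpy(image + s.VirtualAddress, file + s.PointerToRawData, s.SizeOfRawData);
    }
    /* Base relocations: one block per 4 KiB page, then 16-bit (type << 12 | offset) entries.  With
     * new_base == ImageBase the delta is 0 and nothing is touched: a load at the preferred base. */
    uint64_t delta = new_base - oh.ImageBase;
    DataDir rel = oh.DataDirectory[DIR_BASERELOC];
    if (delta != 0 && rel.Size != 0) {
        if ((uint64_t)rel.VirtualAddress + rel.Size > oh.SizeOfImage) return 0;
        size_t pos = rel.VirtualAddress, end = pos + rel.Size;
        while (pos + sizeof(RelocBlock) <= end) {
            RelocBlock blk; memcpy(&blk, image + pos, sizeof blk);
            if (blk.SizeOfBlock < sizeof blk || pos + blk.SizeOfBlock > end) return 0;
            for (size_t k = 0; k < (blk.SizeOfBlock - sizeof blk) / 2; k++) {
                uint16_t e; memcpy(&e, image + pos + sizeof blk + 2 * k, 2);
                uint32_t type = e >> 12, rva = blk.VirtualAddress + (e & 0xFFF);
                if (type == REL_ABSOLUTE) continue;                                     /* padding entry */
                if (type != REL_DIR64 || (uint64_t)rva + 8 > oh.SizeOfImage) return 0;
                uint64_t v; memcpy(&v, image + rva, 8); v += delta; memcpy(image + rva, &v, 8);
            }
            pos += blk.SizeOfBlock;
        }
    }
    /* A real loader now resolves DataDirectory[1] imports via LoadLibrary/GetProcAddress, sets
     * per-section page protections and calls CreateThread on the entry; those need Windows. */
    return new_base + oh.AddressOfEntryPoint;
}

/* Constructed sample (not a real executable): .text at RVA 0x1000 stores, at RVA 0x1010, an absolute
 * pointer to RVA 0x1020; .reloc at RVA 0x2000 holds one DIR64 entry for it.  Preferred base 0x140000000. */
#define SAMPLE_LEN 0x600
#define PREF_BASE  0x140000000ULL
void build_sample_pe(uint8_t out[SAMPLE_LEN])
{
    memset(out, 0, SAMPLE_LEN);
    DosHdr dos = { .e_magic = 0x5A4D, .e_lfanew = 0x40 };
    FileHdr fh = { .Machine = 0x8664, .NumberOfSections = 2, .SizeOfOptionalHeader = sizeof(OptHdr64),
                   .Characteristics = 0x22 };                       /* EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE */
    OptHdr64 oh = { .Magic = 0x20B, .AddressOfEntryPoint = 0x1000, .ImageBase = PREF_BASE, .SectionAlignment = 0x1000,
                    .FileAlignment = 0x200, .SizeOfImage = 0x3000, .SizeOfHeaders = 0x200, .NumberOfRvaAndSizes = 16 };
    oh.DataDirectory[DIR_BASERELOC] = (DataDir){ 0x2000, 12 };
    SecHdr text = { ".text",  0x30, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020 };  /* CODE|EXECUTE|READ  */
    SecHdr relo = { ".reloc", 12,   0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x42000040 };  /* IDATA|DISCARD|READ */
    memcpy(out, &dos, sizeof dos);             memcpy(out + 0x40, "PE\0\0", 4);
    memcpy(out + 0x44, &fh, sizeof fh);        memcpy(out + 0x58, &oh, sizeof oh);
    memcpy(out + 0x148, &text, sizeof text);   memcpy(out + 0x170, &relo, sizeof relo);
    uint64_t ptr = PREF_BASE + 0x1020;                              /* absolute address the linker baked in */
    memcpy(out + 0x210, &ptr, 8);                                   /* file offset of RVA 0x1010 */
    RelocBlock blk = { 0x1000, 12 };
    uint16_t entries[2] = { (REL_DIR64 << 12) | 0x010, REL_ABSOLUTE };  /* one fixup + alignment padding */
    memcpy(out + 0x400, &blk, sizeof blk);     memcpy(out + 0x408, entries, sizeof entries);
}

static uint8_t g_file[SAMPLE_LEN], g_image[0x3000];
uint64_t demo_entry(uint64_t new_base, size_t file_len)   /* entry point of the sample mapped at new_base */
{ build_sample_pe(g_file); return map_pe64(g_file, file_len, g_image, sizeof g_image, new_base); }
uint64_t demo_pointer(uint64_t new_base)                  /* fixed-up pointer at RVA 0x1010, 0 on failure */
{ uint64_t v = 0; if (demo_entry(new_base, SAMPLE_LEN)) memcpy(&v, g_image + 0x1010, 8); return v; }
int main(void) { printf("pointer now 0x%llx\n", (unsigned long long)demo_pointer(0x7FF600000000ULL)); return 0; }
```

Mapping the sample at its preferred base leaves the baked-in pointer at 0x140001020; mapping it at the hypothetical address 0x7FF600000000 rewrites it to 0x7FF600001020, which is the "fix up the addresses" step the answer describes. Every size and offset from the file is bounds-checked before it is used, since a loader is by definition parsing untrusted input; a file truncated below a section's raw data is rejected rather than read past the end.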

An executable always runs as a separate process. It cannot be made to run in a thread of some other process. However, you can run your executable as a process from a thread of some other process. Have a look at the CreateProcess() function!

Since I personally don't like answers that say "why do you even want to do this?", here is a link that would be very helpful. But be warned that you'll probably not succeed, since EXEs simply don't expect to be run in a thread of another process.
