stackoom
  简体   繁体   中英

How to get the entry point of a child process?

 原文  2009-09-01 18:14:51       c++/ process/ entry-point

Question

I created a child process from within my process with CreateProcess() (in C++) I then continue on using ReadProcessMemory to read through the memory and search for a specific something.

I would like to start my search from the entry point of that process , since the process is loaded into it's own virtual space I have no idea at this point how to find out the entry point for the code itself(I dont care about other sections of the PE file), I am aware of the 'AddressOfEntryPoint' field of the PE format and I already have it but since I have no idea at what address that process would be loaded how can I calculate the entry point itself?

to demonstrate what I want , if you open a process with OllyDbg for example you immediately reach the entry point for the code , I want to have that address

remember that this is a child process that I created if it helps

let me mention that I do not want to inject any code or DLL into that application the find out that address

3 answers

solution1
 1  2009-09-01 18:34:50

Use PSAPI's GetModuleInformation with an HMODULE of NULL. This will give you executable's entry point as well as total size in memory (unfortunately, the base address is not set.)

Note that the entry point isn't necessarily the main() function - it is probably the CRT's entry point which in turn calls your main().

You can also use EnumProcessModules to get all modules in the process and their base addresses.

solution2
 0  

I don't know exactly BUT...As far as i know can you finde the EntryPoint Address in the PE header of the .exe/.dll

or .... it is a fixed one

that's all i remenber

solution3
 0  2009-09-01 18:34:03

AddressOfEntryPoint is relative to image base address (ImageBase member of same IMAGE_OPTIONAL_HEADER struct). For executables image base is almost always whatever is set in PE header, since every executable has its own virtual address space.

In fact exes with stripped relocation sections can be loaded only at base that is in PE.

I'm not sure if there are exceptions and if it is possible to retrieve image base of running process...

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to set entry point of a process created from CreateProcess get the entry point to a 64bit process memory from a 32bit process Is it possible to change the entry point of a process from a DLL? how to get stdout of child process in realtime? how to use waitpid() to get the status of child process? View address of entry point in eax register for a suspended process in windbg Returning from exe entry point does not terminate the process on Windows 10 How do I get each child process to output a string? How to get stat information from a child process to measure resource utilization? Bash: Get child process name
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM