Monday, September 10, 2012
Sunday, September 2, 2012
Windows Portable Executable (PE) Header
http://marcoramilli.blogspot.com/2010/12/windows-pe-header.html
Manually load the entry point into memory after creating a process in the suspended state
#include <windows.h>
#include <stdio.h>

int main(void)
{
    STARTUPINFO si = { sizeof(si) };
    PROCESS_INFORMATION pi = { 0 };
    char filename[] = "C:\\path\\to\\child.exe";  /* placeholder: command line of the child */
    LPVOID entry_point = (LPVOID)0x00401000;     /* placeholder: ImageBase + AddressOfEntryPoint from the PE header */
    BYTE first_byte;                             /* receives the byte read at the entry point */
    LPVOID point = &first_byte;

    // Create a child process in the suspended state
    if( !CreateProcess(NULL,        /* No module name (use command line). */
            filename,               /* Command line. */
            NULL,                   /* Process handle not inheritable. */
            NULL,                   /* Thread handle not inheritable. */
            FALSE,                  /* Set handle inheritance to FALSE. */
            CREATE_SUSPENDED,       /*<----- Suspended flag. */
            NULL,                   /* Use parent's environment block. */
            NULL,                   /* Use parent's starting directory. */
            &si,                    /* Pointer to STARTUPINFO structure. */
            &pi)                    /* Pointer to PROCESS_INFORMATION structure. */
      ) printf("Error in CreateProcess\n\n");
    printf("ProcessID of %lu\n", pi.dwProcessId);
    // Read one byte at the entry point of the child process; touching it makes the loader page in the code
    ReadProcessMemory(pi.hProcess, entry_point, point, 1, NULL);
    return 0;
}
The reason for reading the child process's memory is to force the process code to be loaded into memory.
When the parent creates a child with CREATE_SUSPENDED, only the page at image_base is loaded into memory. In other words, the PE header (starting with MZ) is present in memory, but the code is not yet. The loader waits for the child process to access its entry_point code: when the child accesses the first byte of the entry point, the whole page containing it is loaded into memory, and that page holds the real code of the program.
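The entry_point address passed to ReadProcessMemory above has to come from the PE header that the linked post describes. The following is an added example, not the blog's code: it parses the header bytes a ReadProcessMemory at image_base would return and computes ImageBase + AddressOfEntryPoint for both PE32 and PE32+, rejecting truncated or malformed headers; the sample header it builds is constructed, not taken from a real binary.

```c
#include <stdint.h>
#include <string.h>
/* Added example (not the blog's code): parse the header bytes that a
 * ReadProcessMemory at the child's image_base returns and compute the
 * entry_point the snippet needs: ImageBase + AddressOfEntryPoint.
 * Offsets follow the PE spec; no windows.h, so it builds anywhere.
 * Returns 0 for a truncated or malformed header rather than trusting it. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

uint64_t pe_entry_point(const uint8_t *hdr, size_t len)
{
    if (len < 0x40 || hdr[0] != 'M' || hdr[1] != 'Z') return 0; /* IMAGE_DOS_HEADER.e_magic */
    uint32_t e_lfanew = rd32(hdr + 0x3c);                        /* offset of IMAGE_NT_HEADERS */
    /* need signature(4) + IMAGE_FILE_HEADER(20) + first 32 bytes of the optional header */
    if (e_lfanew > len || len - e_lfanew < 24 + 32) return 0;
    const uint8_t *nt = hdr + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return 0;                  /* IMAGE_NT_SIGNATURE */
    if (rd16(nt + 4 + 16) < 32) return 0;                        /* SizeOfOptionalHeader */
    const uint8_t *opt = nt + 24;
    uint32_t aoep = rd32(opt + 16);                              /* AddressOfEntryPoint (RVA) */
    switch (rd16(opt)) {                                         /* Magic */
    case 0x10b: return (uint64_t)rd32(opt + 28) + aoep;          /* PE32:  32-bit ImageBase */
    case 0x20b: return rd64(opt + 24) + aoep;                    /* PE32+: 64-bit ImageBase */
    default:    return 0;
    }
}

/* Constructed sample header (not a real binary): MZ stub, e_lfanew = 0x80, PE32 or
 * PE32+ optional header with AddressOfEntryPoint 0x1000; fields the parser does not
 * read stay zero. corrupt != 0 overwrites the "PE" signature to show the rejection. */
uint64_t demo_entry_point(int pe32plus, int corrupt)
{
    uint8_t buf[256] = {0};
    buf[0] = 'M'; buf[1] = 'Z'; wr32(buf + 0x3c, 0x80);
    memcpy(buf + 0x80, "PE\0\0", 4);
    wr16(buf + 0x94, pe32plus ? 0xf0 : 0xe0);                    /* SizeOfOptionalHeader */
    uint8_t *opt = buf + 0x98;
    wr16(opt, pe32plus ? 0x20b : 0x10b);                         /* Magic */
    wr32(opt + 16, 0x1000);                                      /* AddressOfEntryPoint */
    if (pe32plus) { wr32(opt + 24, 0x40000000); wr32(opt + 28, 1); } /* ImageBase 0x140000000 */
    else          { wr32(opt + 28, 0x400000); }                  /* ImageBase 0x400000 */
    if (corrupt) buf[0x80] = 'X';
    return pe_entry_point(buf, sizeof buf);                      /* 0x401000 or 0x140001000 */
}
```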