notepad.exe process and am trying to obtain the AddressOfEntryPoint of that process. The problem is that I cannot seem to find the actual codeEntry. Both the application and the notepad.exe process are 64-bit. What am I doing wrong?
Here is the commented code snippet:
#include <iostream>
#include <windows.h>
#include <winternl.h>
#pragma comment(lib, "ntdll")
using namespace std;

int main() {
    STARTUPINFOA si = {};
    si.cb = sizeof(si);
    PROCESS_INFORMATION pi = {};
    PROCESS_BASIC_INFORMATION pbi = {};
    DWORD returnLength = 0;

    // create the target suspended so its image is mapped but nothing has run yet
    CreateProcessA(0, (LPSTR)"c:\\windows\\system32\\notepad.exe", 0, 0, 0, CREATE_SUSPENDED, 0, 0, &si, &pi);

    // get target image PEB address and pointer to image base
    NtQueryInformationProcess(pi.hProcess, ProcessBasicInformation, &pbi, sizeof(PROCESS_BASIC_INFORMATION), &returnLength);
    DWORD_PTR pebOffset = (DWORD_PTR)pbi.PebBaseAddress + 10;

    // get target process image base address
    LPVOID imageBase = 0;
    ReadProcessMemory(pi.hProcess, (LPCVOID)pebOffset, &imageBase, 16, NULL);

    // read target process image headers
    BYTE headersBuffer[4096] = {};
    ReadProcessMemory(pi.hProcess, (LPCVOID)imageBase, headersBuffer, 4096, NULL);

    // get AddressOfEntryPoint
    PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)headersBuffer;
    PIMAGE_NT_HEADERS64 ntHeader = (PIMAGE_NT_HEADERS64)((DWORD_PTR)headersBuffer + dosHeader->e_lfanew);
    LPVOID codeEntry = (LPVOID)(ntHeader->OptionalHeader.AddressOfEntryPoint + (DWORD_PTR)imageBase);

    // Do something with the AddressOfEntryPoint (print to console in this case)
    cout << codeEntry << endl;
    return 0;
}
#1
Generally, almost everything you are doing is correct, but there are two simple mistakes. The first, and probably the most important, is here:
    DWORD_PTR pebOffset = (DWORD_PTR)pbi.PebBaseAddress + 10;
ImageBaseAddress is not at 10 but at 0x10 (16 in decimal). So you need it like this:
    DWORD_PTR pebOffset = (DWORD_PTR)pbi.PebBaseAddress + 0x10;
Second, are you sure the size of LPVOID is 16? At least on my compiler it is 8, not 16, so you are basically overwriting data on the stack. That is why I would suggest this:
    ReadProcessMemory(pi.hProcess, (LPCVOID)pebOffset, &imageBase, sizeof(LPVOID), NULL);
instead of
    ReadProcessMemory(pi.hProcess, (LPCVOID)pebOffset, &imageBase, 16, NULL);
Comments
After making the changes you suggested it works perfectly. Such a silly mistake on my part. Anyhoo, thanks a lot for pointing it out, mate!
– upayansaha
20-05-23 at 12:32
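As an added example (not the question's or the answer's code), here is a bounds-checked version of the header parse the question's code performs on its 4096-byte ReadProcessMemory buffer: it validates the MZ and PE signatures, keeps e_lfanew inside the buffer and checks the PE32+ magic before trusting AddressOfEntryPoint. It uses PE/COFF field offsets instead of the Windows headers so it runs anywhere, on a constructed header buffer whose values are made up for the demonstration.

```cpp
// Added example: defensive PE32+ header parse over a buffer copied out of a process.
#include <cstdint>
#include <cstddef>
#include <optional>
#include <vector>

// Reads a little-endian integer at `off`, or nullopt if it would run past the buffer.
template <typename T>
static std::optional<T> readLE(const std::vector<uint8_t>& buf, size_t off) {
    if (off > buf.size() || buf.size() - off < sizeof(T)) return std::nullopt;
    T v = 0;
    for (size_t i = 0; i < sizeof(T); ++i)
        v = static_cast<T>(v | (static_cast<T>(buf[off + i]) << (8 * i)));
    return v;
}

// Returns imageBase + AddressOfEntryPoint for a PE32+ image whose headers were
// copied into `hdr` (e.g. the ReadProcessMemory buffer), or nullopt when the buffer
// does not hold a well-formed 64-bit PE header (truncated read, wrong base, 32-bit image).
std::optional<uint64_t> entryPointVA(const std::vector<uint8_t>& hdr, uint64_t imageBase) {
    auto mz = readLE<uint16_t>(hdr, 0);
    if (!mz || *mz != 0x5A4D) return std::nullopt;              // "MZ"
    auto lfanew = readLE<uint32_t>(hdr, 0x3C);                 // IMAGE_DOS_HEADER::e_lfanew
    if (!lfanew) return std::nullopt;
    auto sig = readLE<uint32_t>(hdr, *lfanew);
    if (!sig || *sig != 0x00004550) return std::nullopt;       // "PE\0\0"
    size_t opt = static_cast<size_t>(*lfanew) + 4 + 20;        // skip signature + IMAGE_FILE_HEADER
    auto magic = readLE<uint16_t>(hdr, opt);
    if (!magic || *magic != 0x20B) return std::nullopt;        // IMAGE_NT_OPTIONAL_HDR64_MAGIC
    auto aoep = readLE<uint32_t>(hdr, opt + 16);               // OptionalHeader.AddressOfEntryPoint
    if (!aoep || *aoep == 0) return std::nullopt;
    return imageBase + *aoep;
}

// Constructed sample header (values invented for the test, not taken from notepad.exe):
// MZ stub, e_lfanew = 0x80, optional header with the given magic and AddressOfEntryPoint = 0x14F0.
std::vector<uint8_t> sampleHeaders(uint16_t magic = 0x20B) {
    std::vector<uint8_t> h(4096, 0);
    h[0] = 'M'; h[1] = 'Z';
    h[0x3C] = 0x80;                                     // e_lfanew
    h[0x80] = 'P'; h[0x81] = 'E';                       // "PE\0\0"
    size_t opt = 0x80 + 4 + 20;
    h[opt] = static_cast<uint8_t>(magic & 0xFF);        // Magic, little-endian
    h[opt + 1] = static_cast<uint8_t>(magic >> 8);
    h[opt + 16] = 0xF0; h[opt + 17] = 0x14;             // AddressOfEntryPoint = 0x14F0
    return h;
}
```

Passing 0x10B (a PE32 image) or a buffer too short to contain e_lfanew yields nullopt instead of an address computed from garbage, which is the failure the unchecked cast in the question cannot detect.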