//http://waleedassar.blogspot.com/   (@waleedassar)
//The undocumented ProcessImageInformation 0x25 of the "ZwQueryInformationProcess" function.
//
// Demo: queries the current process with information class 0x25 and prints
// the entry point the kernel reports for it. The __stdcall prototype below
// suggests a Win32 x86 build — confirm before reusing the struct elsewhere.

// /FIXED:NO lets the loader relocate this image; presumably so the reported
// EntryPoint ("after relocation") can differ from the PE header's
// ImageBase + AddressOfEntryPoint — TODO confirm against the build settings.
#pragma comment(linker,"/FIXED:NO")
// Resolves ZwQueryInformationProcess from ntdll at link time.
#pragma comment(lib,"ntdll.lib")

// Output buffer for ZwQueryInformationProcess(..., 0x25, ...).
//
// NOTE(review): this layout is undocumented and was recovered by observation;
// it is passed to the kernel by size (sizeof below), so field order and widths
// must stay exactly as they are. Sizes assume MSVC's 4-byte unsigned long
// (48 bytes total). Fields named unkN have unknown meaning.
struct PROCESS_IMAGE_INFORMATION
{
   unsigned long EntryPoint; //after relocation
   unsigned long unk1;
   unsigned long SizeOfStackReserve;
   unsigned long SizeOfStackCommit;

   unsigned short subsystem;
   unsigned short unk2;
   unsigned short MinorSubSystemVersion;
   unsigned short MajorSubsystemVersion;
   unsigned long unk3;
   unsigned short characteristics;      // presumably the PE FileHeader.Characteristics — confirm
   unsigned short dll_characteristics;  // presumably OptionalHeader.DllCharacteristics — confirm

   unsigned short machine;
   unsigned short flags;  //0x0400--->FLAG_IMAGE_RELOCATED 0x1---->???
   unsigned long LoaderFlags;
   unsigned long FileSize;  //on disk
   unsigned long Checksum;
};
  28.  
extern "C"
{
    // ntdll export, linked through the ntdll.lib pragma at the top of the file.
    // Returns an NTSTATUS-style int: negative means failure (NT_SUCCESS convention).
    // ProcessInformation receives sizeof(PROCESS_IMAGE_INFORMATION) bytes when
    // ProcessInformationClass is 0x25; ReturnLength may be a null pointer.
    int __stdcall ZwQueryInformationProcess(HANDLE ProcessHandle,
                                            int ProcessInformationClass,
                                            PROCESS_IMAGE_INFORMATION *ProcessInformation,
                                            unsigned long ProcessInformationLength,
                                            int *ReturnLength);
}
  33.  
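// Queries the current process for its (post-relocation) entry point and
// prints it. Returns 0 on success, 1 if the query fails.
int main(void)
{
    // Information class 0x25 (ProcessImageInformation) is not part of the
    // public PROCESSINFOCLASS in winternl.h, so it is named locally here.
    const int ProcessImageInformationClass = 0x25;

    PROCESS_IMAGE_INFORMATION Q = {0};
    // NTSTATUS convention: a negative return value is a failure code, in which
    // case Q is not meaningful — the original code printed it unconditionally.
    int status = ZwQueryInformationProcess(GetCurrentProcess(),
                                           ProcessImageInformationClass,
                                           &Q, sizeof(Q), 0);
    if (status < 0)
    {
        printf("ZwQueryInformationProcess(0x25) failed: 0x%X\r\n", (unsigned)status);
        return 1;
    }
    // %lX matches unsigned long; plain %X only worked because MSVC's
    // unsigned long and unsigned int share a width.
    printf("My Entrypoint is %lX\r\n", Q.EntryPoint);
    return 0;
}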