//http://waleedassar.blogspot.com (@waleedassar)
//Code showing how to read the EntryPoint, ImageBase and SizeOfImage of a newly created, still-suspended process.
- #include "stdafx.h"
- #include "windows.h"
- #include "stdio.h"
// Information-class value handed to ZwQueryVirtualMemory below.
#define MemoryBasicVlmInformation 0x3
// Receiver for that class, as laid out by the author: only ImageBase and
// SizeOfImage are named here, the two words between them are not used.
// NOTE(review): addresses are held in unsigned long, which cannot hold a
// 64-bit pointer, so this layout is only meaningful in a 32-bit build.
struct MEMORY_BASIC_VLM_INFORMATION
{
    unsigned long ImageBase;     // base of the image containing the queried address
    unsigned long blah[0x2];     // two fields whose meaning is not given on this page
    unsigned long SizeOfImage;   // size of that image mapping
};
//nt!_SECTION_IMAGE_INFORMATION
// Receiver for ZwQueryInformationProcess class 0x25 (used in main).  Field
// names and positions are the author's reverse-engineered view; the unk*
// members are placeholders whose meaning is not given here.  The struct is
// 48 bytes when unsigned long is 32 bits.
// NOTE(review): EntryPoint and the stack sizes are pointer-sized in the real
// structure, so this declaration should only be used in a 32-bit build.
struct PROCESS_IMAGE_INFORMATION
{
    unsigned long EntryPoint;             //after relocation
    unsigned long unk1;
    unsigned long SizeOfStackReserve;
    unsigned long SizeOfStackCommit;
    unsigned short subsystem;
    unsigned short unk2;
    unsigned short MinorSubSystemVersion;
    unsigned short MajorSubsystemVersion;
    unsigned long unk3;
    unsigned short characteristics;
    unsigned short dll_characteristics;
    unsigned short machine;
    unsigned short flags;                 //0x0400--->FLAG_IMAGE_RELOCATED 0x1---->???
    unsigned long LoaderFlags;
    unsigned long FileSize;               //on disk
    unsigned long Checksum;
};
// Prototypes for two ntdll exports that windows.h does not declare; the
// program must be linked against ntdll.lib (or resolve them at run time).
// Both return an NTSTATUS: a negative value means the call failed, and the
// output structure must then be treated as unfilled.
// NOTE(review): the int / unsigned long* parameter types are the author's
// choices and only line up with the native prototypes in a 32-bit build.
extern "C"
{
    // (ProcessHandle, BaseAddress, MemoryInformationClass, Buffer, Length, ReturnLength)
    int __stdcall ZwQueryVirtualMemory(HANDLE,void*,int,void*,int,unsigned long*);
    // (ProcessHandle, ProcessInformationClass, Buffer, Length, ReturnLength)
    int __stdcall ZwQueryInformationProcess(HANDLE,int,PROCESS_IMAGE_INFORMATION*,unsigned long,int*);
}
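// Starts calc.exe suspended, reads its entry point, image base and image size
// through the ntdll exports declared above, prints them, then lets it run.
// Returns 0 once the child has been resumed, 1 if it could not be created.
int main(void)
{
    // Class value for ZwQueryInformationProcess; 0x25 is ProcessImageInformation.
    const int ProcessImageInformationClass = 0x25;

    STARTUPINFO SI = { sizeof(SI) };
    PROCESS_INFORMATION PI = { 0 };

    // CreateProcess may write into lpCommandLine, so hand it a writable buffer
    // instead of a string literal.  The name is unqualified, so it is resolved
    // through the normal search order; a full path would avoid that ambiguity.
    char cmdline[] = "calc.exe";

    // CREATE_SUSPENDED: the image is mapped but the primary thread has not run,
    // which is the state the queries below are meant to observe.
    if (!CreateProcess(0, cmdline, 0, 0, 0, CREATE_SUSPENDED, 0, 0, &SI, &PI)) {
        printf("CreateProcess failed: %lu\r\n", GetLastError());
        return 1;
    }

    PROCESS_IMAGE_INFORMATION Q = { 0 };
    // NTSTATUS: negative means failure, in which case Q holds nothing useful
    // and the EntryPoint of 0 must not be fed to the next query.
    int status = ZwQueryInformationProcess(PI.hProcess, ProcessImageInformationClass, &Q, sizeof(Q), 0);
    if (status < 0) {
        printf("ZwQueryInformationProcess failed: %X\r\n", (unsigned int)status);
    } else {
        printf("My Entrypoint is %lX\r\n", Q.EntryPoint);

        unsigned long out = 0;
        MEMORY_BASIC_VLM_INFORMATION MBVI = { 0 };
        // Any address inside the mapped image will do; the entry point is one.
        status = ZwQueryVirtualMemory(PI.hProcess, (void*)(Q.EntryPoint), MemoryBasicVlmInformation, &MBVI, sizeof(MBVI), &out);
        if (status < 0) {
            printf("ZwQueryVirtualMemory failed: %X\r\n", (unsigned int)status);
        } else {
            printf("Image Base: %lX SizeOfImage: %lX\r\n", MBVI.ImageBase, MBVI.SizeOfImage);
        }
    }

    // Resume regardless of whether the queries succeeded: the child was created
    // only to be inspected, not to be left hanging in the suspended state.
    ResumeThread(PI.hThread);
    // Neither handle is needed afterwards; the original never closed them.
    CloseHandle(PI.hThread);
    CloseHandle(PI.hProcess);
    return 0;
}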