Any way to get the entry point of the process you do CreateProcess on? I could always do a MapViewOfFile and grab it via the optional header, but that seems inefficient or something.
Posted on 2003-04-15 13:11:13 by SFP
I'd look at PE header.
You might be able to get this information with the debug API, I dunno - and there's plenty of situations where you don't want to create process in debug mode. There's one nice feature XP has - you can detach debugger without terminating process.
Posted on 2003-04-15 13:22:55 by f0dder
Well yeah, I thought about the PE header, but I'm having problems getting a pointer to the IMAGE_DOS_HEADER from the handle to the process or that way... as I said I thought of doing it via file mapping before CreateProcess but I think it's inefficient and I'd like to just get it another way. I'm not creating the process in debug mode, just suspended.
Posted on 2003-04-15 13:28:15 by SFP
It shouldn't be a problem getting to the PE header after the image is loaded, just remember you'll have to ReadProcessMemory.
Posted on 2003-04-15 13:29:28 by f0dder
Aaah! Of course! Thx, Doh (hits himself).
Posted on 2003-04-15 13:31:56 by SFP
If you have an easy way to do that, please tell... I can't think of any way other than somehow finding the value used to encrypt the process ID, getting a pointer to the process from that, then going into the module list (at offset 0x4C) to find the index of the first module (at offset 0x10). Then you'd have to somehow get at the table of loaded modules and look up your module. At offset 4 there's then a pointer to the PE header. Obviously this all would be very version specific and a little difficult.
Posted on 2003-04-15 17:56:37 by Sephiroth3
Easy way that works for normal executables:
get a process handle (easy if you have created the process, and not really hard under other circumstances).
ReadProcessMemory at 0x400000, get the PE header - ka-ching, module entrypoint.
If you want to support "kinky" executables, read the PE header from disk instead.

Stuff becomes more interesting if you want to support "kinky" executables, and haven't created the process yourself (and don't know the executable filename) - how are you going to get the process base? Dunno, perhaps psapi/toolhelp32 can be of help there.
Posted on 2003-04-16 01:49:45 by f0dder
Hi

If you can use CreateProcess you must know the application name. Then you can use GetModuleHandle to retrieve the image base.

This is the principle to retrieve the entry point
include imagehlp.inc          ; ImageNtHeader prototype (MASM32 include set)
includelib imagehlp.lib

; SADD is the MASM32 macro that places a string in .data and returns its address.
invoke GetModuleHandle,SADD('Your exe file')   ; HMODULE == image base of a module loaded in this process
invoke ImageNtHeader,eax                       ; base -> pointer to IMAGE_NT_HEADERS (NULL if not a PE image)
test eax,eax
jz no_entry_point                              ; bail out if the headers could not be located
assume eax:ptr IMAGE_NT_HEADERS
mov edi,[eax].OptionalHeader.AddressOfEntryPoint   ; edi = entry point RVA (add the image base for a VA)
assume eax:nothing
no_entry_point:


You don't have to use imagehlp lib to get the entry point but there are some other useful functions.

Regards
Posted on 2003-04-16 02:26:31 by minor28
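The header walk that f0dder describes (read the bytes at the image base, follow e_lfanew to the PE signature, take AddressOfEntryPoint from the optional header) and that minor28's ImageNtHeader call does internally, written out as an added example that is not code from any poster in this thread. It works on a plain byte buffer, so the bytes you would obtain with ReadProcessMemory at the image base (or by mapping the file) are represented by a constructed minimal PE32 header; the function names, the sample header and the fixed 0x400000 base are assumptions for the example. Beyond the thread, it also accepts PE32+ (64-bit) images, since the entry point field sits at the same offset in both optional header layouts, and it rejects truncated or non-PE buffers instead of reading past them.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Field offsets fixed by the PE/COFF specification. */
#define DOS_MAGIC          0x5A4D      /* "MZ" read little-endian              */
#define DOS_E_LFANEW_OFF   0x3C        /* e_lfanew: offset of "PE\0\0"          */
#define PE_SIGNATURE       0x00004550  /* "PE\0\0" read little-endian           */
#define COFF_HEADER_SIZE   20
#define COFF_SIZEOFOPT_OFF 16          /* SizeOfOptionalHeader inside COFF hdr  */
#define OPT_MAGIC_PE32     0x10B
#define OPT_MAGIC_PE32PLUS 0x20B
#define OPT_ENTRY_RVA_OFF  16          /* AddressOfEntryPoint in optional hdr   */
#define OPT_IMAGEBASE_PE32 28          /* ImageBase (PE32 layout only)          */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* hdr/len: the first bytes of the image as mapped at its base.  On success
 * returns 0 and stores the entry point RVA; negative codes name the failure. */
int pe_entry_rva(const uint8_t *hdr, size_t len, uint32_t *entry_rva)
{
    if (len < DOS_E_LFANEW_OFF + 4) return -1;            /* no room for e_lfanew   */
    if (rd16(hdr) != DOS_MAGIC) return -2;                 /* not an MZ image        */
    uint32_t e_lfanew = rd32(hdr + DOS_E_LFANEW_OFF);
    /* signature + COFF header + enough optional header to hold AddressOfEntryPoint */
    size_t need = 4 + COFF_HEADER_SIZE + OPT_ENTRY_RVA_OFF + 4;
    if (e_lfanew > len || len - e_lfanew < need) return -3; /* e_lfanew out of range */
    const uint8_t *nt = hdr + e_lfanew;
    if (rd32(nt) != PE_SIGNATURE) return -4;               /* "PE\0\0" missing       */
    if (rd16(nt + 4 + COFF_SIZEOFOPT_OFF) < OPT_ENTRY_RVA_OFF + 4) return -5;
    const uint8_t *opt = nt + 4 + COFF_HEADER_SIZE;
    uint16_t magic = rd16(opt);
    if (magic != OPT_MAGIC_PE32 && magic != OPT_MAGIC_PE32PLUS) return -6;
    *entry_rva = rd32(opt + OPT_ENTRY_RVA_OFF);            /* same offset for PE32 and PE32+ */
    return 0;
}

/* Entry point virtual address = base the image is actually loaded at + RVA.
 * Returns 0 if the header does not parse. */
uint64_t pe_entry_va(const uint8_t *hdr, size_t len, uint64_t base)
{
    uint32_t rva;
    if (pe_entry_rva(hdr, len, &rva) != 0) return 0;
    return base + rva;
}

/* Constructed sample (assumption for this example): a minimal PE32 header
 * with e_lfanew = 0x80 and only the fields the parser reads filled in.
 * It is not a loadable executable.  Returns the number of bytes written. */
size_t build_sample_header(uint8_t *buf, size_t cap, uint32_t entry_rva)
{
    const uint32_t e_lfanew = 0x80;
    const uint16_t opt_size = 96;           /* PE32 optional header without data directories */
    size_t total = e_lfanew + 4 + COFF_HEADER_SIZE + opt_size;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + DOS_E_LFANEW_OFF, e_lfanew);
    uint8_t *nt = buf + e_lfanew;
    wr32(nt, PE_SIGNATURE);
    wr16(nt + 4 + COFF_SIZEOFOPT_OFF, opt_size);
    uint8_t *opt = nt + 4 + COFF_HEADER_SIZE;
    wr16(opt, OPT_MAGIC_PE32);
    wr32(opt + OPT_ENTRY_RVA_OFF, entry_rva);
    wr32(opt + OPT_IMAGEBASE_PE32, 0x400000);  /* the classic default base f0dder mentions */
    return total;
}

/* Runs the parser over the constructed header loaded at 0x400000. */
uint64_t demo_entry_va(void)
{
    uint8_t buf[512];
    size_t n = build_sample_header(buf, sizeof buf, 0x1000);
    return pe_entry_va(buf, n, 0x400000);
}

/* Same buffer with the MZ signature damaged: shows the parser refusing it. */
int demo_bad_magic(void)
{
    uint8_t buf[512];
    uint32_t rva;
    size_t n = build_sample_header(buf, sizeof buf, 0x1000);
    buf[0] = 'X';
    return pe_entry_rva(buf, n, &rva);
}

int main(void)
{
    printf("entry point VA: 0x%llx\n", (unsigned long long)demo_entry_va());
    printf("damaged header -> error %d\n", demo_bad_magic());
    return 0;
}
```

On a live process you would fill `hdr` with ReadProcessMemory from the base of the main module (0x400000 for the default-linked executables of the time, or whatever the loader reports) and pass that same base to pe_entry_va; reading the headers from the process rather than from disk sidesteps the "kinky" executables f0dder mentions, because the in-memory header is the one the loader actually used.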