Hi,

I was wondering if it was possible to obtain the entrypoint of a remote process on-the-fly, like directly from memory. I was trying to avoid opening the file on disk and then obtaining the entrypoint from there, because sometimes the file path isn't always clear. I was thinking of using ReadProcessMemory, but not all the processes have the normal 40000h as their imagebase :notsure:

I heard about how I should enum all the modules, and the first module would be the beginning of the process. Does anybody have more information? Or are there other ways?


thanks
Posted on 2004-02-21 13:45:46 by Drocon
Check out the ToolHelp or PSAPI documentation in MSDN.
Posted on 2004-02-21 13:54:45 by death
Drocon, there are some fairly good articles on Threads/Processes on the CodeProject site.
Posted on 2004-02-21 20:33:48 by Poimander
Naw, it's not what I was looking for.

I was messing around, and found that GetModuleHandle() only works on modules that have been loaded, so switching to LoadLibrary(), it seems to give me the beginning of the DOS-header when I do something like "LoadLibrary("explorer.exe")". I don't know if loading an exe like that will have any impact on my process, but it seems to be the only solution now :), maybe somebody else has some pointers?
Posted on 2004-02-22 12:21:27 by Drocon
Hi Drocon!

What I've done to get the entry point of a running remote process
is to use the ToolHelp32 api. I try to enumerate the modules
in a process with Module32First and Module32Next. The
second parameter of these functions is a pointer to a
MODULEENTRY32 structure, that has a member called
hModule: the handle of this module in th32ProcessID's context.
Then I use ReadProcessMemory to get the entry point of
this module from its IMAGE_OPTIONAL_HEADER.

The ToolHelp32 api is not available in NT4, so you will have to
use psapi.dll here.

So try to check out the ToolHelp or PSAPI documentation in MSDN,
as death says.
Posted on 2004-02-22 22:01:19 by n u M I T_o r
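
An added example, not code from any poster in this thread: the header walk described in the last post (module base, then DOS header, then `AddressOfEntryPoint` in the IMAGE_OPTIONAL_HEADER), written as portable C with the validation a tool reading another process's memory needs. `read_fn` is a hypothetical stand-in for a ReadProcessMemory wrapper, and `fake_mem`, `fake_read` and `parse_sample` are a constructed image so the block runs offline.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for ReadProcessMemory: copy len bytes at remote addr into out; 1 = ok. */
typedef int (*read_fn)(void *ctx, uint64_t addr, void *out, size_t len);
static uint32_t le32(const uint8_t *p) {
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* base = module base (the hModule value from MODULEENTRY32). Returns entry point VA, 0 on error. */
uint64_t remote_entry_point(read_fn rd, void *ctx, uint64_t base) {
    uint8_t dos[64], nt[4 + 20 + 20];      /* signature, file header, start of optional header */
    if (!rd(ctx, base, dos, sizeof dos) || dos[0] != 'M' || dos[1] != 'Z')
        return 0;
    uint32_t lfanew = le32(dos + 0x3C);              /* IMAGE_DOS_HEADER.e_lfanew */
    if (lfanew == 0 || lfanew > 0x100000)            /* sanity limit chosen for this example */
        return 0;
    if (!rd(ctx, base + lfanew, nt, sizeof nt) || memcmp(nt, "PE\0\0", 4) != 0)
        return 0;
    const uint8_t *opt = nt + 24;                    /* IMAGE_OPTIONAL_HEADER */
    uint16_t magic = (uint16_t)(opt[0] | (opt[1] << 8));
    if (magic != 0x10B && magic != 0x20B)            /* PE32 or PE32+ only */
        return 0;
    uint32_t rva = le32(opt + 16);                   /* AddressOfEntryPoint, same offset in both */
    return rva ? base + rva : 0;                     /* RVA 0 means no entry point */
}

/* Constructed sample: a fake remote address space holding one minimal image. */
struct fake_mem { uint64_t base; uint8_t bytes[256]; };
static int fake_read(void *ctx, uint64_t addr, void *out, size_t len) {
    struct fake_mem *m = ctx;
    if (addr < m->base || addr - m->base > sizeof m->bytes || len > sizeof m->bytes - (addr - m->base))
        return 0;                                    /* unmapped range: behaves like a failed read */
    memcpy(out, m->bytes + (addr - m->base), len);
    return 1;
}

/* Build the constructed image at base and run the parser over it. */
uint64_t parse_sample(uint64_t base, uint16_t magic, uint32_t entry_rva, uint8_t lfanew) {
    struct fake_mem m = { base, {0} };
    uint8_t *nt = m.bytes + 0x80;                    /* NT headers really sit at 0x80 */
    memcpy(m.bytes, "MZ", 2);
    m.bytes[0x3C] = lfanew;                          /* value the parser will follow */
    memcpy(nt, "PE\0\0", 4);
    nt[24] = magic & 0xFF; nt[25] = magic >> 8;
    for (int i = 0; i < 4; i++) nt[24 + 16 + i] = (entry_rva >> (8 * i)) & 0xFF;
    return remote_entry_point(fake_read, &m, base);
}
```

Because the result is computed from the base the module enumeration reports, no default image base has to be assumed.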