I am trying to implement the known method of "Dynamic Forking of Win32 EXE", which is knows as RunPE.
My problem is that i am can't get the right result of the "base address" as it mentioned in the 3rd point at http://www.security.org.sg/code/loadexe.html
This is my code:
I have tried to run it under Win 7 64b and Win-XP and on both i am get the same incorrect results.
My problem is that i am can't get the right result of the "base address" as it mentioned in the 3rd point at http://www.security.org.sg/code/loadexe.html
This is my code:
Code: Select all
and the output is as follwos:
STARTUPINFO sInfo;
PROCESS_INFORMATION pInfo;
HANDLE hTarget;
CONTEXT contx;
DWORD* peb;
DWORD* baseAddress;
memset(&sInfo, 0, sizeof(sInfo));
sInfo.cb = sizeof(sInfo);
CreateProcess("peview.exe", NULL, NULL, NULL, FALSE, CREATE_SUSPENDED,
NULL, NULL, &sInfo, &pInfo)
hTarget = pInfo.hThread;
contx.ContextFlags = CONTEXT_ALL;
GetThreadContext(hTarget, &contx)
peb = (DWORD *) contx.Ebx;
baseAddress = (DWORD *) contx.Ebx+8;
_tprintf(_T("The EBX [PEB] is: 0x%08X\nThe base address is: 0x%08X\nThe Entry Point is: 0x%08X\n"), peb, baseAddress, contx.Eax);
ResumeThread(hTarget);The EBX [PEB] is: 0x7FFD4000I think that my problem is with the implementation of my baseAddress pointer, but i can't figure out exactly what is the issue. Or could be that i havn't understand the above article correctly and baseAddress isn't ImageBase, if so what is baseAddress ?
The base address is: 0x7FFD4020
The Entry Point is: 0x00401000
I have tried to run it under Win 7 64b and Win-XP and on both i am get the same incorrect results.
