创建进程时，除了用 CREATE_NEW_CONSOLE 标志，还可以用 CREATE_SUSPENDED 以挂起方式创建：此时子进程及其主线程已经建立，但主线程一条指令都不会执行，直到父进程调用 ResumeThread 才开始运行。下面的例子利用这个窗口读取子进程的入口点和 ImageBase（该写法依赖 x86 的加载器约定，仅适用于 32 位进程）。
// TestCreateSuspended.cpp : Defines the entry point for the console application. // 挂起方式创建进程 #include "stdafx.h" #include <WINDOWS.H> int main(int argc, char* argv[]) { // 挂起方式创建进程 STARTUPINFO si = {0}; si.cb = sizeof(si); PROCESS_INFORMATION pi; char szPath[MAX_PATH] = "c:\\notepad.exe"; CreateProcess(NULL, szPath, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi); // 获取线程上下文 CONTEXT context; context.ContextFlags = CONTEXT_FULL; GetThreadContext(pi.hThread, &context); // 获取入口点 DWORD dwEntryPoint = context.Eax; printf("入口点: %x\n", dwEntryPoint); // 获取ImageBase char *baseAddress = (char *)context.Ebx + 8; char szBuffer[256] = {0}; ReadProcessMemory(pi.hProcess, baseAddress, szBuffer, 4, NULL); // 恢复线程 ResumeThread(pi.hThread); getchar(); return 0; }运行结果