掛起方式創建進程

創建進程除了用 CREATE_NEW_CONSOLE,還可以用掛起的方式創建，CREATE_SUSPENDED

// TestCreateSuspended.cpp : Defines the entry point for the console application.
// 掛起方式創建進程

#include "stdafx.h"
#include <WINDOWS.H>

int main(int argc, char* argv[])
{
	// 掛起方式創建進程
	STARTUPINFO si = {0};
	si.cb = sizeof(si);
	PROCESS_INFORMATION pi;
	char szPath[MAX_PATH] = "c:\\notepad.exe";
	CreateProcess(NULL, szPath, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
	// 獲取線程上下文
	CONTEXT context;
	context.ContextFlags = CONTEXT_FULL;
	GetThreadContext(pi.hThread, &context);
	// 獲取入口點
	DWORD dwEntryPoint = context.Eax;
	printf("入口點: %x\n", dwEntryPoint);
	// 獲取ImageBase
	char *baseAddress = (char *)context.Ebx + 8;
	char szBuffer[256] = {0};
	ReadProcessMemory(pi.hProcess, baseAddress, szBuffer, 4, NULL);
	
	// 恢復線程
	ResumeThread(pi.hThread);
	getchar();
	return 0;
}

運行結果