流沙团
挂起进程
2020-9-27 流沙团
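// 1. Create a process with CREATE_SUSPENDED and observe the result: the process
//    object and its primary thread exist, but no code from the new image has
//    run until ResumeThread() is called. Process-creation telemetry records a
//    suspended start like any other start; what matters to a detection engineer
//    is what the parent does to the child before the resume.

STARTUPINFO ie_si = {0};
PROCESS_INFORMATION ie_pi = {0};   // zeroed so no stale handle is used if CreateProcess fails
ie_si.cb = sizeof(ie_si);

// lpCommandLine must be a writable buffer (CreateProcess may modify it in place).
// A narrow literal into TCHAR only compiles in a non-UNICODE build; use TEXT("...") otherwise.
TCHAR szBuffer[256] = "C:\\notepad.exe";
if (!CreateProcess(
        NULL,              // module name taken from the command line
        szBuffer,          // command line (writable)
        NULL,              // process security attributes
        NULL,              // thread security attributes
        FALSE,             // no handle inheritance
        CREATE_SUSPENDED,  // primary thread starts suspended
        NULL,              // inherit the environment
        NULL,              // inherit the current directory
        &ie_si,            // startup information
        &ie_pi)) {         // receives process/thread handles and ids
    // Creation failed: GetLastError() holds the reason and ie_pi holds no handles.
} else {
    // Resume execution. ResumeThread returns the previous suspend count
    // (1 for a freshly created suspended thread) or (DWORD)-1 on failure.
    if (ResumeThread(ie_pi.hThread) == (DWORD)-1) {
        // Thread is still suspended; GetLastError() explains why.
    }
    // The handles in PROCESS_INFORMATION are owned by this process: close them
    // or they leak until this process exits.
    CloseHandle(ie_pi.hThread);
    CloseHandle(ie_pi.hProcess);
}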



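// 2. Create the process suspended and read the new image's ImageBase and
//    AddressOfEntryPoint from the primary thread's initial register state.
//    The register names and the PEB offset below are for a 32-bit x86 target
//    only (the CONTEXT fields are Eax/Ebx); a 64-bit build uses different
//    register names and a different PEB layout.

STARTUPINFO ie_si = {0};
PROCESS_INFORMATION ie_pi = {0};   // zeroed so no stale handle is used if CreateProcess fails
ie_si.cb = sizeof(ie_si);

// Create the process suspended. The command line must be a writable buffer;
// a narrow literal into TCHAR only compiles in a non-UNICODE build.
TCHAR szBuffer[256] = "C:\\ipmsg.exe";
if (!CreateProcess(
        NULL,              // name of executable module
        szBuffer,          // command line string
        NULL,              // process SD
        NULL,              // thread SD
        FALSE,             // handle inheritance option
        CREATE_SUSPENDED,  // creation flags
        NULL,              // new environment block
        NULL,              // current directory name
        &ie_si,            // startup information
        &ie_pi)) {         // process information
    // Creation failed: GetLastError() holds the reason; nothing to release.
} else {
    CONTEXT contx = {0};   // zero the whole struct; ContextFlags is the only input field
    contx.ContextFlags = CONTEXT_FULL;

    DWORD dwEntryPoint = 0;  // AddressOfEntryPoint as an absolute VA; 0 if unavailable
    DWORD dwImageBase = 0;   // ImageBase read from the target's PEB; 0 if unavailable

    if (GetThreadContext(ie_pi.hThread, &contx)) {
        // The primary thread has not executed yet: on 32-bit x86 its initial
        // EAX holds the entry point and EBX points to the PEB.
        dwEntryPoint = contx.Eax;

        // PEB+8 is ImageBaseAddress on 32-bit Windows. Read it as the 4-byte
        // value it is, not into the TCHAR command-line buffer.
        CHAR *baseAddress = (CHAR *)contx.Ebx + 8;
        if (!ReadProcessMemory(ie_pi.hProcess, baseAddress, &dwImageBase, sizeof(dwImageBase), NULL)) {
            dwImageBase = 0;  // read failed: do not use a partially written value
        }
    }
    // else: GetThreadContext failed (see GetLastError()); both values stay 0.

    // The target is still suspended and both handles are still open. Whatever
    // follows must ResumeThread() or TerminateProcess() it and then
    // CloseHandle() ie_pi.hThread and ie_pi.hProcess, or a suspended process
    // and two handles are leaked.
}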