Dump PE file from memory to disk

I want to dump a process image to disk and then execute it.

  • I have listed the process modules
  • I used ReadProcessMemory to read the exe memory range

but when I try, it fails. How can I solve this?

Thanks

+3
1 answer

You cannot.

When you load a PE into memory (I assume that you are using MapAndLoad from ImageHlp.pas), it loads the modules into memory and loads the data, but does not go through and rebuild all the pointers the way the standard Windows bootloader does.

The pointers in the app will all be relative addresses that do not actually indicate what they should refer to.

, RVAs , , .

+4
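The layout difference behind this answer, as an added example (not code from the original post): in a mapped image each section sits at its VirtualAddress, while in the file it sits at PointerToRawData, so bytes copied straight out of memory are not at the offsets a PE file on disk must have. The section table below is constructed sample data and the function names are hypothetical.

```python
import struct

# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, then relocation/line-number fields and Characteristics.
SECTION_FMT = "<8sIIIIIIHHI"
SECTION_SIZE = struct.calcsize(SECTION_FMT)  # 40 bytes


def parse_sections(table):
    """Parse a raw section table into dicts with the fields needed for mapping."""
    if len(table) % SECTION_SIZE:
        raise ValueError("truncated section table")
    sections = []
    for off in range(0, len(table), SECTION_SIZE):
        name, vsize, vaddr, rsize, rptr, *_ = struct.unpack_from(SECTION_FMT, table, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rptr": rptr, "rsize": rsize})
    return sections


def rva_to_file_offset(sections, rva):
    """Return the on-disk offset for an RVA inside a section, else None."""
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rsize"]):
            delta = rva - s["vaddr"]
            # Bytes past SizeOfRawData exist only in memory (zero-filled when mapped).
            return s["rptr"] + delta if delta < s["rsize"] else None
    return None


# Constructed sample: two section headers with typical alignment
# (0x1000 between sections in memory, 0x200 between sections on disk).
SAMPLE_TABLE = (
    struct.pack(SECTION_FMT, b".text", 0x1A00, 0x1000, 0x1A00, 0x400, 0, 0, 0, 0, 0x60000020)
    + struct.pack(SECTION_FMT, b".data", 0x3000, 0x3000, 0x200, 0x1E00, 0, 0, 0, 0, 0xC0000040)
)

if __name__ == "__main__":
    secs = parse_sections(SAMPLE_TABLE)
    for rva in (0x1000, 0x1234, 0x3010, 0x3800, 0x9000):
        off = rva_to_file_offset(secs, rva)
        where = "no file backing" if off is None else f"file offset {off:#06x}"
        print(f"RVA {rva:#06x} -> {where}")
```

A dump taken with ReadProcessMemory is laid out by RVA, so the same header fields that describe the file no longer describe the dumped bytes.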

Source: https://habr.com/ru/post/1769997/

