Home/ Questions/Q 8912067
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-15T04:06:29+00:00

At first, I’m a newbie on c++ and debuging. I use CreateProcess api with

  • 0

At first, I’m a newbie on c++ and debuging. I use CreateProcess api with DEBUG_ONLY_THIS_PROCESS parameter, then wait for CREATE_PROCESS_DEBUG_EVENT. When recived, i check for the Eip register to get the address of the point. And i tought that this point is the Main function’s address.

To verify this idea i used ollydbg to see the starting address of the exe. But it wasn’t same with mine. The one i found with debug apis is 0x77a364d8, but olly says that it’s 0x00401000. Then i didn’t stop and checked for the address 0x77a364d8 in olly. I found the address and set a breakpoint there.

Then I reloaded the olly and saw that olly firstly goes 0x77a364d8 address and loades the process and then goes to the 0x00401000 address and waits there. 0x77a364d8 address points some ntdll functions to load process to memory as i see.

If it’s true, how can i get the 0x00401000 address by code( c++, i’m a newbie and please cross the t’s 🙂 ), and is it the Main function’s address or what?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    After you receive the CREATE_PROCESS_DEBUG_EVENT you should be able to access the CREATE_PROCESS_DEBUG_INFO member of the union. It has a member called lpStartAddress.

    Your debugging event loop should look something like:

    DWORD dwContinueDebugStatus = DBG_CONTINUE;
while(dwContinueDebugStatus)
{
    DEBUG_EVENT debugEvt;
    WaitForDebugEvent(&debugEvt, INFINITE);
    switch(debugEvt.dwDebugEventCode)
    {
    case CREATE_PROCESS_DEBUG_EVENT:
        // Grab the main thread entry point.
        LPTHREAD_START_ROUTINE exentry = debugEvt.u.CreateProcessInfo.lpStartAddress;
        break;
        /* Handle the rest of your debug events here. */
    }
    ContinueDebugEvent(debugEvt.dwProcessId, debugEvt.dwThreadId, dwContinueDebugStatus);
}

    Edit:
    A couple things I forgot to mention…

    Getting the entry point by any of these means will likely be the CRT function that calls your main(). There isn’t a reliable way to get the main() without symbol lookups in using dbghelp.dll.

    Also, the book Debugging Applications by John Robbins has a chapter about creating a small debugger with some example code. It is probably the best documentation/example I’ve found (but I wish it were better). It can be had pretty cheap so it might be worth looking at.

    • 0