If I have an exampleA.exe process and I use the FindEntryPointAddress() function to get the main() entry point of the exampleB.exe process (FindEntryPointAddress() is a function of exampleA.exe):
#include <windows.h>
#include <stdio.h>
#include <tchar.h>

// Maps the PE file on disk and returns ImageBase + AddressOfEntryPoint from its headers.
// Note: ImageBase is the *preferred* load address from the optional header, and
// AddressOfEntryPoint is the CRT startup stub (which later calls main()), not main() itself.
// Returns 0 on any error.
DWORD FindEntryPointAddress( TCHAR *exeFile )
{
    BY_HANDLE_FILE_INFORMATION bhfi;
    HANDLE hMapping = NULL;
    char *lpBase = NULL;
    PIMAGE_DOS_HEADER dosHeader;
    PIMAGE_NT_HEADERS32 ntHeader;
    DWORD pEntryPoint = 0;

    HANDLE hFile = CreateFile(exeFile, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
        return 0;
    if (!GetFileInformationByHandle(hFile, &bhfi))
        goto cleanup;
    hMapping = CreateFileMapping(hFile, NULL, PAGE_READONLY, bhfi.nFileSizeHigh, bhfi.nFileSizeLow, NULL);
    if (!hMapping)
        goto cleanup;
    lpBase = (char *)MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, bhfi.nFileSizeLow);
    if (!lpBase)
        goto cleanup;

    dosHeader = (PIMAGE_DOS_HEADER)lpBase;
    if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE)          // 0x5A4D ("MZ")
        goto cleanup;
    ntHeader = (PIMAGE_NT_HEADERS32)(lpBase + dosHeader->e_lfanew);
    if (ntHeader->Signature != IMAGE_NT_SIGNATURE)          // 0x00004550 ("PE\0\0")
        goto cleanup;
    // PE32 only: a 64-bit image has IMAGE_NT_HEADERS64 with a ULONGLONG ImageBase.
    pEntryPoint = ntHeader->OptionalHeader.ImageBase + ntHeader->OptionalHeader.AddressOfEntryPoint;
    _tprintf( _T("%s entry point: 0x%08X\n"), exeFile, pEntryPoint );

cleanup:
    if (lpBase) UnmapViewOfFile((LPCVOID)lpBase);
    if (hMapping) CloseHandle(hMapping);
    CloseHandle(hFile);
    return pEntryPoint;
} // FindEntryPointAddress()
Now I have a question: how can I edit FindEntryPointAddress() to get the func() entry point of exampleB.exe?
exampleB.exe
#include <stdio.h>
#include <string.h>

void func()
{
    char str[10];
    // "iambuffer\n" is 10 characters plus the terminating NUL: 11 bytes copied into a 10-byte buffer.
    strcpy( str, "iambuffer\n" );
    printf( "%s", str );
} // func()

int main()
{
    func();
    return 0;
} // main()
Thanks a lot.
Unless the function is exported (see e.g. __declspec(dllexport)) you're out of luck. Without an entry in the export table, it's not possible to get the address of a function other than the entry point. Moreover, even if you find some data related to the function elsewhere (for example, in the debugging symbols), you might still be unable to get the address, as it's possible that the function got inlined everywhere or was eliminated for whatever other reason while its related data were not. Exported functions are not affected by that, due to the fact that the compiler and linker are careful enough to always emit them.
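A worked example of the exported-function route the answer points at, added here as an illustration (it is not code from the question or the answer): a small C program that parses a PE file's export table and resolves an export by name to its RVA and preferred virtual address, which is the piece FindEntryPointAddress() above lacks. It deliberately uses no Windows headers, reading the PE fields at their documented offsets from a bounds-checked byte buffer, so it builds on any host. The function names (find_export_rva, build_sample_pe32, read_file) and the constructed sample image (a minimal PE32 exporting "func" at RVA 0x1100 with ImageBase 0x400000) are assumptions made for this example only. To use it on exampleB.exe, func() would first have to be declared __declspec(dllexport) and the program rebuilt.

```c
/* Added example (not from the question or answer): resolve an exported function by name from a
 * PE file's export table, using only documented header offsets and bounds-checked reads. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounds-checked little-endian reads: an out-of-range read yields 0 instead of overrunning. */
static uint32_t rd16(const uint8_t *p, size_t n, size_t o) { return o + 2 <= n ? p[o] | (uint32_t)p[o + 1] << 8 : 0; }
static uint32_t rd32(const uint8_t *p, size_t n, size_t o) { return o + 4 <= n ? rd16(p, n, o) | rd16(p, n, o + 2) << 16 : 0; }

/* Map an RVA to a file offset via the section table; nt = offset of "PE\0\0". Returns 0 if unmapped. */
static size_t rva_to_off(const uint8_t *p, size_t n, size_t nt, uint32_t rva) {
    size_t nsec = rd16(p, n, nt + 6);                 /* IMAGE_FILE_HEADER.NumberOfSections */
    size_t sec = nt + 24 + rd16(p, n, nt + 20);       /* section headers follow the optional header */
    for (size_t i = 0; i < nsec; i++, sec += 40) {    /* sizeof(IMAGE_SECTION_HEADER) == 40 */
        uint32_t va = rd32(p, n, sec + 12), rsz = rd32(p, n, sec + 16), raw = rd32(p, n, sec + 20);
        if (rva >= va && rva - va < rsz) return raw + (rva - va);
    }
    return 0;
}

/* RVA of export `name`, or 0 if p is not a PE, has no export table, lacks that name, or only
 * forwards it. *image_base (if non-NULL) receives the preferred ImageBase from the optional header. */
uint32_t find_export_rva(const uint8_t *p, size_t n, const char *name, uint64_t *image_base) {
    if (rd16(p, n, 0) != 0x5A4D) return 0;                        /* IMAGE_DOS_SIGNATURE "MZ" */
    size_t nt = rd32(p, n, 0x3C);                                 /* e_lfanew */
    if (rd32(p, n, nt) != 0x00004550) return 0;                   /* IMAGE_NT_SIGNATURE "PE\0\0" */
    size_t opt = nt + 24;                                         /* IMAGE_OPTIONAL_HEADER */
    uint32_t magic = rd16(p, n, opt);
    int pe64 = magic == 0x20B;                                    /* PE32+; PE32 is 0x10B */
    if (!pe64 && magic != 0x10B) return 0;
    if (image_base)
        *image_base = pe64 ? rd32(p, n, opt + 24) | (uint64_t)rd32(p, n, opt + 28) << 32
                           : rd32(p, n, opt + 28);
    size_t dir = opt + (pe64 ? 112 : 96);                         /* DataDirectory[0] = exports */
    uint32_t exp_rva = rd32(p, n, dir), exp_size = rd32(p, n, dir + 4);
    size_t exp = exp_rva ? rva_to_off(p, n, nt, exp_rva) : 0;    /* IMAGE_EXPORT_DIRECTORY */
    if (!exp) return 0;
    uint32_t nfunc = rd32(p, n, exp + 20), nnames = rd32(p, n, exp + 24);
    size_t funcs = rva_to_off(p, n, nt, rd32(p, n, exp + 28));    /* AddressOfFunctions */
    size_t names = rva_to_off(p, n, nt, rd32(p, n, exp + 32));    /* AddressOfNames */
    size_t ords  = rva_to_off(p, n, nt, rd32(p, n, exp + 36));    /* AddressOfNameOrdinals */
    if (!funcs || !names || !ords || names >= n || nnames > (n - names) / 4) return 0;
    for (uint32_t i = 0; i < nnames; i++) {
        size_t s = rva_to_off(p, n, nt, rd32(p, n, names + 4 * i));
        if (!s || s >= n || !memchr(p + s, 0, n - s)) continue;   /* name must be NUL-terminated */
        if (strcmp((const char *)p + s, name) != 0) continue;
        uint32_t ord = rd16(p, n, ords + 2 * i);                  /* index into AddressOfFunctions */
        if (ord >= nfunc) return 0;
        uint32_t rva = rd32(p, n, funcs + 4 * ord);
        /* An RVA inside the export directory is a forwarder string, not code in this image. */
        return (rva >= exp_rva && rva < exp_rva + exp_size) ? 0 : rva;
    }
    return 0;
}

static void wr32(uint8_t *p, size_t o, uint32_t v) { for (int i = 0; i < 4; i++) p[o + i] = (uint8_t)(v >> (8 * i)); }

/* Constructed sample input (not a real binary): a minimal PE32 with one .text section whose export
 * table exports "func" at RVA 0x1100; ImageBase 0x400000. Fills buf (>= 0x400 bytes), returns size. */
size_t build_sample_pe32(uint8_t *buf) {
    memset(buf, 0, 0x400);
    memcpy(buf, "MZ", 2);             wr32(buf, 0x3C, 0x80);           /* e_lfanew -> PE header */
    memcpy(buf + 0x80, "PE\0\0", 4);  wr32(buf, 0x84, 0x0001014C);     /* Machine i386, 1 section */
    wr32(buf, 0x94, 0xE0);            wr32(buf, 0x98, 0x10B);          /* SizeOfOptionalHeader, PE32 */
    wr32(buf, 0xB4, 0x400000);                                         /* ImageBase */
    wr32(buf, 0xF8, 0x1000);          wr32(buf, 0xFC, 0x80);           /* export directory RVA, size */
    memcpy(buf + 0x178, ".text", 5);                                   /* section VA 0x1000, raw @0x200 */
    wr32(buf, 0x180, 0x200); wr32(buf, 0x184, 0x1000); wr32(buf, 0x188, 0x200); wr32(buf, 0x18C, 0x200);
    wr32(buf, 0x210, 1); wr32(buf, 0x214, 1); wr32(buf, 0x218, 1);     /* Base, NumberOfFunctions/Names */
    wr32(buf, 0x21C, 0x1028); wr32(buf, 0x220, 0x102C); wr32(buf, 0x224, 0x1030); /* the 3 arrays */
    wr32(buf, 0x228, 0x1100);         wr32(buf, 0x22C, 0x1040);        /* func's RVA; RVA of "func" */
    memcpy(buf + 0x240, "func", 5);                                    /* ordinal[0] is already 0 */
    return 0x400;
}

static uint8_t *read_file(const char *path, size_t *n) {               /* whole file into a malloc'd buffer */
    FILE *f = fopen(path, "rb"); uint8_t *buf = NULL;
    long sz = f && fseek(f, 0, SEEK_END) == 0 ? ftell(f) : -1;
    if (sz >= 0 && (buf = malloc((size_t)sz + 1)) != NULL) {
        rewind(f);
        if (fread(buf, 1, (size_t)sz, f) != (size_t)sz) { free(buf); buf = NULL; }
    }
    if (f) fclose(f);
    *n = sz >= 0 ? (size_t)sz : 0;
    return buf;
}

/* Usage: ./pe_export exampleB.exe func   (func must be exported, e.g. via __declspec(dllexport)).
 * Without arguments it runs against the constructed sample image. */
int main(int argc, char **argv) {
    uint8_t sample[0x400];
    size_t n = build_sample_pe32(sample);
    uint8_t *img = argc == 3 ? read_file(argv[1], &n) : sample;
    const char *name = argc == 3 ? argv[2] : "func";
    if (!img) { perror(argv[1]); return 1; }
    uint64_t base = 0;
    uint32_t rva = find_export_rva(img, n, name, &base);
    if (rva) printf("%s: RVA 0x%08" PRIX32 ", preferred VA 0x%" PRIX64 " (at runtime: actual load base + RVA)\n",
                    name, rva, base + rva);
    else     printf("%s: not found in export table\n", name);
    if (img != sample) free(img);
    return rva ? 0 : 1;
}
```

Two caveats carry over to FindEntryPointAddress() as well. ImageBase is only the address the linker asked for; a module built with /DYNAMICBASE is relocated by ASLR, so the address that is valid inside the running exampleB.exe process is that module's actual load base plus the RVA, not ImageBase plus the RVA. And an export table entry that points back into the export directory itself is a forwarder ("OTHERDLL.Name"), which is why the lookup above returns 0 for it rather than treating the string's RVA as code.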