Re: State of process at CREATE_PROCESS_DEBUG_EVENT
- From: "Oleg Starodumov" <com-dot-debuginfo-at-oleg>
- Date: Wed, 11 Oct 2006 13:25:11 +0300
> Are only .exe and ntdll.dll mapped when the "create process" event is
> set, or are there other DLLs mapped also?

Only .exe and ntdll.dll. Others will be mapped by the loader
after the "create process" event.

> Where will EIP point when the "create process" event occurs?
> Will it point to the first instruction of the main thread or somewhere
> else?

Yes, it points to kernel32!BaseProcessStartThunk, where the main thread
will start executing. Though at the moment of the "create process" event,
kernel32.dll is not yet mapped into memory.
Also, when the process continues after "create process", it will get
an APC first, and the loader will run in the context of that APC.
At the end, it will do NtContinue to the original thread context,
transferring control to kernel32!BaseProcessStartThunk.
Oleg
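The sequence described in the reply above can be checked from a debugger loop. What follows is an added example, not code from the original thread or from Oleg: a small Win32 debugger in C that, at CREATE_PROCESS_DEBUG_EVENT, enumerates the MEM_IMAGE mappings of the debuggee with VirtualQueryEx and GetMappedFileName, reads the initial thread's EIP/RIP with GetThreadContext, and then, at the loader's own initial breakpoint (by which point the static imports are mapped and the start address is backed by memory), plants an int3 at that address and counts the LOAD_DLL_DEBUG_EVENTs delivered before the main thread executes there, i.e. before the loader's NtContinue returns to the original context. The function names only_exe_and_ntdll and list_images, the file name dbgcreate.c and the 64-entry module limit are this example's own assumptions. The Windows-specific part sits under #ifdef _WIN32 so the portable check compiles anywhere; build it on Windows with "cl /W4 dbgcreate.c /link psapi.lib" (or "gcc dbgcreate.c -lpsapi" under MinGW) and run it as "dbgcreate C:\Windows\System32\notepad.exe".

```c
/* Added example, not code from the original thread: a minimal Win32 debugger that
 * checks the state described above.  At CREATE_PROCESS_DEBUG_EVENT it lists the images
 * mapped so far and reads the initial thread's instruction pointer; at the loader's own
 * initial breakpoint (imports mapped by then) it plants an int3 at that address and counts
 * the LOAD_DLL_DEBUG_EVENTs that arrive before the main thread executes there. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

static const char *basename_of(const char *p)
{
    const char *a = strrchr(p, '\\'), *b = strrchr(p, '/');
    if (!a || (b && b > a)) a = b;
    return a ? a + 1 : p;
}

static int names_equal_ci(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* 1 if every mapped image is the debuggee (`exe`) or ntdll.dll, the state the post
 * describes at CREATE_PROCESS_DEBUG_EVENT.  Portable so it can be unit-tested anywhere. */
int only_exe_and_ntdll(const char *const *mapped, size_t n, const char *exe)
{
    for (size_t i = 0; i < n; i++)
        if (!names_equal_ci(basename_of(mapped[i]), basename_of(exe)) &&
            !names_equal_ci(basename_of(mapped[i]), "ntdll.dll")) return 0;
    return 1;
}

#ifdef _WIN32
#include <windows.h>
#include <psapi.h>
/* One entry per mapped PE: the first region of each MEM_IMAGE allocation. */
static size_t list_images(HANDLE proc, char (*out)[MAX_PATH], size_t max)
{
    MEMORY_BASIC_INFORMATION m; ULONG_PTR addr = 0, next; size_t n = 0;
    while (n < max && VirtualQueryEx(proc, (LPCVOID)addr, &m, sizeof m) == sizeof m) {
        if (m.Type == MEM_IMAGE && m.AllocationBase == m.BaseAddress &&
            GetMappedFileNameA(proc, m.BaseAddress, out[n], MAX_PATH)) n++;
        next = (ULONG_PTR)m.BaseAddress + m.RegionSize;
        if (next <= addr) break;            /* wrapped past the top of user space */
        addr = next;
    }
    return n;
}

int main(int argc, char **argv)
{
    STARTUPINFOA si = { sizeof si }; PROCESS_INFORMATION pi; DEBUG_EVENT ev; CONTEXT ctx;
    char img[64][MAX_PATH]; const char *paths[64]; size_t n, i;
    ULONG_PTR ip = 0; unsigned dlls = 0; int armed = 0;
    BYTE saved = 0, int3 = 0xCC; SIZE_T io;
    if (argc < 2 || !CreateProcessA(argv[1], NULL, NULL, NULL, FALSE,
                                    DEBUG_ONLY_THIS_PROCESS, NULL, NULL, &si, &pi)) {
        fprintf(stderr, "usage: %s <exe>  (CreateProcess error %lu)\n", argv[0], GetLastError());
        return 1;
    }
    for (;;) {
        DWORD cont = DBG_CONTINUE;
        if (!WaitForDebugEvent(&ev, INFINITE)) break;
        if (ev.dwDebugEventCode == CREATE_PROCESS_DEBUG_EVENT) {
            CloseHandle(ev.u.CreateProcessInfo.hFile);
            ctx.ContextFlags = CONTEXT_CONTROL; GetThreadContext(pi.hThread, &ctx);
#ifdef _WIN64
            ip = ctx.Rip;
#else
            ip = ctx.Eip;
#endif
            n = list_images(pi.hProcess, img, 64);
            for (i = 0; i < n; i++) { paths[i] = img[i]; printf("  mapped: %s\n", img[i]); }
            printf("only exe+ntdll mapped: %s; initial IP = %p\n",
                   only_exe_and_ntdll(paths, n, argv[1]) ? "yes" : "no", (void *)ip);
        } else if (ev.dwDebugEventCode == LOAD_DLL_DEBUG_EVENT) {
            dlls++; CloseHandle(ev.u.LoadDll.hFile);
        } else if (ev.dwDebugEventCode == EXCEPTION_DEBUG_EVENT) {
            EXCEPTION_RECORD *x = &ev.u.Exception.ExceptionRecord;
            if (x->ExceptionCode != EXCEPTION_BREAKPOINT) cont = DBG_EXCEPTION_NOT_HANDLED;
            else if (!armed) {  /* the loader's initial breakpoint: kernel32 is mapped now */
                armed = ReadProcessMemory(pi.hProcess, (LPCVOID)ip, &saved, 1, &io) &&
                        WriteProcessMemory(pi.hProcess, (LPVOID)ip, &int3, 1, &io);
                FlushInstructionCache(pi.hProcess, (LPCVOID)ip, 1);
                printf("loader breakpoint after %u DLL loads; int3 %s at %p\n",
                       dlls, armed ? "planted" : "NOT planted", (void *)ip);
            } else if ((ULONG_PTR)x->ExceptionAddress == ip && ev.dwThreadId == pi.dwThreadId) {
                /* NtContinue restored the original context: the main thread runs here. */
                printf("main thread reached %p after %u LOAD_DLL events\n", (void *)ip, dlls);
                WriteProcessMemory(pi.hProcess, (LPVOID)ip, &saved, 1, &io);
                TerminateProcess(pi.hProcess, 0);
            }
        }
        ContinueDebugEvent(ev.dwProcessId, ev.dwThreadId, cont);
        if (ev.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT) break;
    }
    CloseHandle(pi.hThread); CloseHandle(pi.hProcess);
    return 0;
}
#endif
```

Two practical notes. The thread describes Windows XP-era behaviour: on Windows Vista and later the initial thread's instruction pointer at this event is ntdll!RtlUserThreadStart, which is already mapped, so the tool prints an address inside ntdll rather than inside a not-yet-mapped kernel32; the rest of the sequence (loader running first, then the thread arriving at its original context after a run of LOAD_DLL events) still shows up in the output. The breakpoint is planted only at the loader's initial breakpoint rather than at CREATE_PROCESS_DEBUG_EVENT because, as the reply says, the start address may not be backed by a mapped image yet, so WriteProcessMemory there would fail; the thread-id check guards against a DLL that spawns a thread before the entry point.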