打开目标进程 ->获取进程pbi -> pbi中找peb ->peb中找LoaderData ->LoaderData 里面有个InLoadOrderModuleList ，这个是本进程中按次序进入内存的模块信息的链表，之一个就是当前exe ，这个模块信息中 有个BaseAddress ，就是exe虚拟内存基址-> 通过这个基址找dos_header -> dos_header中找 pe_header -> pe_header.OptionalHeader.Magic 就是要判断的 IMAGE_NT_OPTIONAL_HDR32_MAGICorIMAGE_NT_OPTIONAL_HDR64_MAGIC typedef LONG (WINAPI *PROCNTQSIP)(HANDLE,UINT,PVOID,ULONG,PULONG); PROCNTQSIP NtQueryInformationProcess; NtQueryInformationProcess = (PROCNTQSIP)GetProcAddress(GetModuleHandle("ntdll","NtQueryInformationProcess"; HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 3580); PROCESS_BASIC_INFORMATION pbi; PEB buf; DWORD readnum; PEB_LDR_DATA ldrData; NtQueryInformationProcess(hProcess,0,(PVOID)&pbi,sizeof(PROCESS_BASIC_INFORMATION),NULL); ReadProcessMemory(hProcess,pbi.PebBaseAddress,&buf,sizeof(PEB),&readnum); ReadProcessMemory(hProcess,buf.LoaderData,&ldrData,sizeof(PEB_LDR_DATA),&readnum); LDR_MODULE ldrModule; LIST_ENTRY* pListEntry=ldrData.InLoadOrderModuleList.Flink; ReadProcessMemory(hProcess,pListEntry,&ldrModule,sizeof(LDR_MODULE),&readnum); LPVOID pBase=ldrModule.BaseAddress; IMAGE_DOS_HEADER dos_header; ReadProcessMemory(hProcess,pBase,&dos_header,sizeof(IMAGE_DOS_HEADER),&readnum); IMAGE_NT_HEADERS pe_header; ReadProcessMemory(hProcess,(LPVOID)((LONG)pBase + dos_header.e_lfanew),&pe_header,sizeof(IMAGE_NT_HEADERS),&readnum); cout<