I have a technical question. I start an external progress, to which I inject my own DLL. However, that process has been created without the /LAA (largeaddressaware) flag. This causes problems and I really need to enable that flag. What options do I have to achieve that.
I am creating the process like this:
CreateProcess(NULL, pExeName, 0, 0, false, CREATE_SUSPENDED | CREATE_UNICODE_ENVIRONMENT, NULL, pExePath, &siStartupInfo, &piProcessInfo);
STARTUPINFO siStartupInfo;
PROCESS_INFORMATION piProcessInfo;
memset(&siStartupInfo, 0, sizeof(siStartupInfo));
memset(&piProcessInfo, 0, sizeof(piProcessInfo));
siStartupInfo.cb = sizeof(siStartupInfo);
if(hideGUI)
{
siStartupInfo.dwFlags = STARTF_USESHOWWINDOW;
siStartupInfo.wShowWindow = SW_HIDE;
}
And after it has loaded, I inject my own dll. But can I modify the PE header of the process, to set the LAA bit to TRUE? I am using the CREATE_SUSPENDED flag, maybe it is already too late to set the flag? Or is there any other way to accomplish this? I can't modify the executable, I can only load it. If this is a bad idea, how else can I achieve this?
If you need any other code, please let me know, I am new here.
Thank you.
You'll need to modify the PE file in memory, by using a PE parsing library or using directly the WINNT structures (exactly https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_file_header) and changing that bit directly and this is completely agnostic on how you're loading your PE file but you won't be able to load it directly from disk (if you're loading it from disk).