Dump PE file from memory to disk
I want to dump a process image on the disk and then execute it.
- I listed the process modules
- I used ReadProcessMemory to read the memory range of the exe
But when I try to execute it, it fails. How can I solve this?
Thanks
You can't.
When you load a PE into memory (I assume you're using MapAndLoad from ImageHlp.pas), it loads the modules into memory and loads the data, but it doesn't go through and realign all the pointers the way the standard Windows Loader does.
The pointers in the app are all going to be relative addresses that don't actually point to what they're supposed to point to.
If you know enough about how RVAs and mappings work, you can analyze the code, but you can't actually execute it.
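The RVA mapping mentioned in the answer above, as an added example that is not part of the original thread: it parses the section table of a constructed header block and translates an RVA to a byte offset, once for an on-disk file and once for a buffer read from a mapped module. The function names and the sample section values are assumptions made for illustration.

```python
import struct

def build_sample_headers() -> bytes:
    """Constructed PE header block (not a real program) with two sections."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew stored at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    def sect(name, vsize, va, rawsize, rawptr):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0)
    return (dos + b"PE\0\0" + coff + b"\0" * 0xE0           # zeroed optional header
            + sect(b".text", 0x1234, 0x1000, 0x1400, 0x400)
            + sect(b".data", 0x800, 0x3000, 0x200, 0x1800))

def parse_sections(image: bytes):
    """Return (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData) tuples."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (count,) = struct.unpack_from("<H", image, e_lfanew + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 20)  # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                              # first section header
    sections = []
    for i in range(count):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rawptr, rawsize))
    return sections

def rva_to_offset(sections, rva: int, layout: str):
    """Byte offset of an RVA inside a section, or None if no bytes back it.

    layout="file":   image as stored on disk (sections at PointerToRawData).
    layout="memory": buffer read from the mapped module base (sections at VirtualAddress).
    """
    for _name, va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            delta = rva - va
            if layout == "memory":
                return va + delta        # mapped image: offset from base equals the RVA
            # On disk only SizeOfRawData bytes exist; the rest is zero-filled at load time.
            return rawptr + delta if delta < rawsize else None
    return None

if __name__ == "__main__":
    secs = parse_sections(build_sample_headers())
    for rva in (0x1010, 0x3100, 0x3300):
        print(hex(rva), rva_to_offset(secs, rva, "file"), rva_to_offset(secs, rva, "memory"))
```

The same RVA lands at different offsets in the two layouts, so a tool that reads a memory dump using the header's file offsets looks at the wrong bytes.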