打开目标进程 ->获取进程pbi -> pbi中找peb ->peb中找LoaderData ->LoaderData 里面有个InLoadOrderModuleList ，这个是本进程中按次序进入内存的模块信息的链表，第一个就是当前exe ，这个模块信息中 有个BaseAddress ，就是exe虚拟内存基址-> 通过这个基址找dos_header -> dos_header中找 pe_header -> pe_header.OptionalHeader.Magic 就是要判断的 IMAGE_NT_OPTIONAL_HDR32_MAGIC or IMAGE_NT_OPTIONAL_HDR64_MAGIC

 

typedef LONG (WINAPI *PROCNTQSIP)(HANDLE,UINT,PVOID,ULONG,PULONG);
        PROCNTQSIP NtQueryInformationProcess;
        NtQueryInformationProcess = (PROCNTQSIP)GetProcAddress(GetModuleHandle("ntdll","NtQueryInformationProcess";
        HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 3580);

        PROCESS_BASIC_INFORMATION pbi;
        PEB buf;
        DWORD readnum;
        PEB_LDR_DATA ldrData;

        NtQueryInformationProcess(hProcess,0,(PVOID)&pbi,sizeof(PROCESS_BASIC_INFORMATION),NULL);
        ReadProcessMemory(hProcess,pbi.PebBaseAddress,&buf,sizeof(PEB),&readnum);
        ReadProcessMemory(hProcess,buf.LoaderData,&ldrData,sizeof(PEB_LDR_DATA),&readnum);

        LDR_MODULE ldrModule;

        LIST_ENTRY* pListEntry=ldrData.InLoadOrderModuleList.Flink;
       
        ReadProcessMemory(hProcess,pListEntry,&ldrModule,sizeof(LDR_MODULE),&readnum);
               
        LPVOID pBase=ldrModule.BaseAddress;
        IMAGE_DOS_HEADER dos_header;
        ReadProcessMemory(hProcess,pBase,&dos_header,sizeof(IMAGE_DOS_HEADER),&readnum);

        IMAGE_NT_HEADERS pe_header;
        ReadProcessMemory(hProcess,(LPVOID)((LONG)pBase + dos_header.e_lfanew),&pe_header,sizeof(IMAGE_NT_HEADERS),&readnum);

        cout<<hex<< pe_header.OptionalHeader.Magic ;
        cout<< IMAGE_NT_OPTIONAL_HDR32_MAGIC ;