Newly created suspended process's EIP is failing only on Windows XP - EIP under kernel32.dll image?

误落风尘 2021-01-21 01:02

My program works flawlessly on Windows Vista Ultimate and Windows 7, however it fails on Windows XP.

First, my application creates a process of a system file, it calls

2 answers
  •  忘掉有多难
    2021-01-21 01:45

    CreateProcess(CREATE_SUSPENDED) only does partial initialization. You may try to VirtualAllocEx() the EIP region and explicitly COMMIT it, and then VirtualProtectEx; of course this is a quick hack, you can give it a test, I'm not sure whether this can fix the problem. BTW, what's your real purpose in doing so? If you intend to hook at an early stage of process execution, patching the entry point from the PE header is better, since when instruction control flow reaches the entry point, the process must have completed its initialization; however this also has its downside, e.g. TLS callbacks are invoked before the entry point gets executed.
