Thanks for the tip with _BaseProcessStart@4.
So the very top level of the stack is the original EBP. I'll have a look at it.
I found out that ebx originally points to the PEB (Process Environment Block). Its address is fixed at 0x7ffdf000 (it can be verified by getting fs:[0x30]).
Found some stuff here (something non-European):
hxxp://www.nsfocus.net/index.php?act=magazine&do=view&mid=2002
Why is 0x00010000 added to the initial stack frame??? Is it for checking stack overflows?
Edit: The initial value of ebp seems to be zero, since the first value stored on the stack by _BaseProcessStart@4 is ebp.
My startup code looks like this:
Code:
$ ==> > . 55 PUSH EBP ; Main entrypoint
$+1 > . 8BEC MOV EBP,ESP
$+3 > . 6A FF PUSH -1
$+5 > . 68 001BE877 PUSH KERNEL32.77E81B00
$+A > . 68 97E5E777 PUSH KERNEL32.77E7E597 ; SE handler installation
$+F > . 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
$+15 > . 50 PUSH EAX
$+16 > . 64:8925 000000>MOV DWORD PTR FS:[0],ESP
$+1D > . 51 PUSH ECX
$+1E > . 51 PUSH ECX
$+1F > . 51 PUSH ECX
$+20 > . 53 PUSH EBX
$+21 > . 56 PUSH ESI
$+22 > . 57 PUSH EDI
$+23 > . 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
$+26 > . 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
$+2A > . 6A 04 PUSH 4
$+2C > . 8D45 08 LEA EAX,DWORD PTR SS:[EBP+8]
$+2F > . 50 PUSH EAX
$+30 > . 6A 09 PUSH 9
$+32 > . 6A FE PUSH -2
$+34 > . FF15 4C13E777 CALL DWORD PTR DS:[<&NTDLL.NtSetInformat>; ntdll.ZwSetInformationThread
$+3A > . FF55 08 CALL DWORD PTR SS:[EBP+8]
$+3D > . E9 365B0200 JMP KERNEL32.77EA7631
regards
PHaX
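An added example (not part of the post above, and not OllyDbg output): a small Python model of the 32-bit stack that replays the push/mov sequence of the quoted prologue and reports which EBP-relative slot each instruction writes. The initial ESP value and the value read from FS:[0] are constructed sample values; the two code addresses are the ones from the listing. The slot names "trylevel", "scope table" and "saved ESP" follow the usual MSVC _except_handler3 frame layout and are my interpretation of the listing, not something the post states.

```python
# Constructed example: replay the listing's prologue on a toy x86 stack to see
# the resulting frame layout (SEH registration record, locals, saved registers).

WORD = 4


class StackModel:
    """Minimal x86 stack: ESP/EBP plus a dict of dword slots with labels."""

    def __init__(self, esp, ebp):
        self.esp = esp
        self.ebp = ebp
        self.mem = {}  # address -> (value, label)

    def push(self, value, label):
        self.esp -= WORD
        self.mem[self.esp] = (value & 0xFFFFFFFF, label)

    def store(self, addr, value, label):
        self.mem[addr] = (value & 0xFFFFFFFF, label)


def run_prologue(initial_esp=0x0012FFC4, initial_ebp=0, prev_seh=0xFFFFFFFF):
    """Replay the push/mov sequence from the listing.

    initial_esp and prev_seh (what MOV EAX,FS:[0] would read) are constructed
    sample values. Returns the stack model and the value written to FS:[0].
    """
    s = StackModel(initial_esp, initial_ebp)
    s.push(s.ebp, "saved EBP")                   # PUSH EBP
    s.ebp = s.esp                                # MOV EBP,ESP
    s.push(-1, "trylevel")                       # PUSH -1
    s.push(0x77E81B00, "scope table")            # PUSH KERNEL32.77E81B00
    s.push(0x77E7E597, "SE handler")             # PUSH KERNEL32.77E7E597
    s.push(prev_seh, "previous FS:[0] record")   # MOV EAX,FS:[0] / PUSH EAX
    fs0 = s.esp                                  # MOV FS:[0],ESP -> new chain head
    for reg in ("ECX", "ECX", "ECX", "EBX", "ESI", "EDI"):
        s.push(0, f"saved {reg}")                # PUSH ECX x3 (locals), EBX, ESI, EDI
    s.store(s.ebp - 0x18, s.esp, "saved ESP")    # MOV DWORD PTR SS:[EBP-18],ESP
    s.store(s.ebp - 0x4, 0, "trylevel")          # AND DWORD PTR SS:[EBP-4],0
    return s, fs0


def frame_layout(s):
    """Map EBP-relative offsets to (label, value), highest address first."""
    return {addr - s.ebp: (label, value)
            for addr, (value, label) in sorted(s.mem.items(), reverse=True)}


if __name__ == "__main__":
    model, chain_head = run_prologue()
    print(f"FS:[0] now points at EBP-0x{model.ebp - chain_head:X}")
    for off, (label, value) in frame_layout(model).items():
        print(f"[EBP{off:+#05x}] = 0x{value:08X}  {label}")
```

Running it shows that FS:[0] is pointed at EBP-0x10, so the registration record is {prev at EBP-0x10, handler at EBP-0x0C}, with the scope table and trylevel directly above it and the saved ESP (EBP-0x28 after the six register pushes) at EBP-0x18.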