|
|
#1
03-31-2003, 04:53
|
|||
|
|||
How to make sure this is really the Entry Point
Howdy,
how do make sure that the Entry point reported by PE-Explorer and ProcDump, and also the one that SofICe Loader stops at is the real Entry Point for an EXE ..??? Tnx 
|
|
#2
03-31-2003, 05:29
|
||||
|
||||
|
You mean OEip? If so, disassemble at that address and see if it looks right. If the EXE looks very Microsoft written, then it's probably VisualC++ and so you can see if the entry point resembles the compilers startup code. The same for borland/etc.
|
|
#3
03-31-2003, 09:01
|
|||
|
|||
Sorry for my bad english
No i don't mean the Original Entry Point
What i really mean is : if goto the offset reported by procdump and PE-Explorer as Entry point, and changed it to 'CC' i.e. 'Int 3' . is there *ANY* chance of that code not being the FIRST thing that is run..??? meaning could the PE Header report an entry point but the EXE starts from another one..???
|
|
#4
03-31-2003, 20:26
|
||||
|
||||
|
No. What ever is reported as the entry point is guaranteed to be executed first. The only time this will be different is that if the flags for the section containing the entry point does not have the execute bit set, so it may cause an exception instead.
|
|
#5
04-02-2003, 03:26
|
|||
|
|||
|
Hmm... I'm really not sure about these things, but, the "initialization routines" in linked dlls could be run before EiP. And could contain code to trick you in ways... ?
Am I just talking completenonsense? I actualyy don't know squat about it, but I guess I read something somewhere or other... ? /Manko
|
|
#6
04-02-2003, 21:13
|
|||
|
|||
|
ghm. just place CC there, and when debugger stops- take a look at the stack - if there is a kernel32 or ntdll addresses then it is seems to be entrypoint. you also can refer to the PE file format. Moreover i've heard that in dll for example exists "Static objects" that creaed before execution reaches entrypoint, so you can try to dig this way.
|
|
#7
04-08-2003, 06:22
|
|||
|
|||
|
Manko is right. In Win32, when a process is created, the loader calls, if existing, the DLLEntryPoint function of each DLL. This happens when the process is initialized, when it exits (not if the process is terminated), when a thread is created, and when LoadLibrary and FreeLibrary are called. This method is used, for example, inside COMPEDIT.DLL in Multisim 2001 in order to terminate the process if a pirated serial number is stored in the Registry
But, anyway, the "process" entry point is the main EXE entry point; the DLLEntryPoint function cannot call the main EXE code before the process starts (i.e. when the loader puts the entry point VA inside the EIP register) Regards
|
|
#8
04-13-2003, 08:20
|
|||
|
|||
|
IMHO, DllMain can write to main-exe memory, so it can destroy CC at the EP. Correct me if I mistaked.
|
 |
| Thread Tools | |
| Display Modes | |
|
|
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| entry point to function in comobj/activex dlls | Mitchjs | General Discussion | 5 | 12-15-2005 05:45 |
| Can I move Entry Point to the middle of the codz ? | netxman | General Discussion | 11 | 11-23-2005 08:51 |
| how to get the address of the entry point in an API | Warren | General Discussion | 6 | 08-30-2005 16:18 |
| Is it possable breakpoint on entry point of DLL | jadesk99 | General Discussion | 17 | 01-18-2004 12:08 |
Linear Mode
