1

How can I retrieve in exe file point where IP is pointing to on the beginning ?? Is it pointing always on the start of .text segment ?

oneat
  • 10,778
  • 16
  • 52
  • 70

2 Answers2

1

Look at AddressOfEntryPoint member of the IMAGE_OPTIONAL_HEADER (see http://msdn.microsoft.com/en-us/library/ms680339.aspx) or start dumpbin.exe My.exe /headers and look at "entry point" in the "OPTIONAL HEADER VALUES" part of the output (6-th line from the beginning).

Oleg
  • 220,925
  • 34
  • 403
  • 798
0

In most cases, IP points to the .text section. But this is not a requirement of the PE Specification. When a PE Section has been encrypted or compressed (like using UPX), IP is redirected to a proxy. By the way, the PE specification also gives a hint about the fact that the name of the Sections are not standardized. Some programs have 'unusual' sections names (e.g. Exeinfo PE).

mox
  • 6,084
  • 2
  • 23
  • 35