
I'm trying to understand what the AddressOfEntryPoint in the COFF header is.

I have a "nothing" .NET exe:

```csharp
class Program
{
    public static void Main()
    {
    }
}
```

(I've compiled it as an x86 application)

The values I get for the standard fields in the COFF header are:

```
COFF - Optional Header Standard Fields
======================================

UInt16    Magic                         0x0000010B
Byte      MajorLinkerVersion            0x30
Byte      MinorLinkerVersion            0x0
UInt32    SizeOfCode                    0x0400
UInt32    SizeOfInitializedData         0x0800
UInt32    SizeOfUninitializedData       0x0000
UInt32    AddressOfEntryPoint           0x2356
UInt32    BaseOfCode                    2000
UInt32    BaseOfData                    4000
```

The AddressOfEntryPoint is 0x2356.

The file isn't long enough for this value to be an offset from anywhere, so what is it?

(Files at: https://drive.google.com/open?id=1VClORkJKyGhd7o3YBPbCZEni1ad_mncl)

BanksySan
  • Subtract BaseOfCode to get a happier number. – Hans Passant Sep 07 '18 at 13:27
  • Back in ~9x/XP era, when the OS didn't "know" about .NET, there was a CLR loader stub pointed to by the COFF header. I think it's still in there but irrelevant to how .NET code starts running on modern windows. – Damien_The_Unbeliever Sep 07 '18 at 13:35
  • Thanks @HansPassant. That gives me `0x356` which seems to point to some data (maybe the strings table??). I was expecting it to point to `_CoreExeMain` or `mscorelib` at `0x53A`. – BanksySan Sep 07 '18 at 13:37
  • Ought to be a tiny sliver of machine code, just a 5 byte JMP instruction to the mscoree.dll function. First byte should be 0xE9. Doesn't actually get used, but that's another story. – Hans Passant Sep 07 '18 at 13:45
  • @HansPassant for me, `0x356` is in the middle of zero'd bytes. – BanksySan Sep 07 '18 at 14:04

1 Answer


In order to calculate the offset of EntryPoint in the file, you need to subtract BaseOfCode but also add PointerToRawData from .text section. For this file, the last one is 0x200 and with the previous calculations it gives 0x556 which points to a nice jmp to _CorExeMain.


Paweł Łukasik
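The calculation from the answer above, as an added example that is not part of the original post: it reads the PE headers, finds the section containing AddressOfEntryPoint, and converts that RVA to a file offset. The header bytes are constructed from the values quoted on this page; the `.text` VirtualAddress (taken to equal BaseOfCode, 0x2000), its VirtualSize, and the function names are assumptions.

```python
import struct

def entry_point_file_offset(image: bytes):
    """Return (entry point RVA, section name, file offset of the entry point)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4                                          # 20-byte COFF file header
    (n_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)   # SizeOfOptionalHeader
    opt = coff + 20                                            # optional header start
    (entry_rva,) = struct.unpack_from("<I", image, opt + 16)   # AddressOfEntryPoint
    table = opt + opt_size                                     # section table start
    for i in range(n_sections):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, table + 40 * i)
        if vaddr <= entry_rva < vaddr + max(vsize, raw_size):
            delta = entry_rva - vaddr                          # offset inside the section
            if delta >= raw_size:
                raise ValueError("entry point is not backed by file data")
            return entry_rva, name.rstrip(b"\0").decode("ascii"), raw_ptr + delta
    raise ValueError("entry point RVA is not inside any section")

def build_sample(entry_rva: int = 0x2356) -> bytes:
    """Constructed headers only (no section data), using the page's values."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<HBBIIII", opt, 0, 0x10B, 0x30, 0, 0x400, 0x800, 0, entry_rva)
    # Assumed .text header: VirtualSize 0x35C, VirtualAddress 0x2000,
    # SizeOfRawData 0x400, PointerToRawData 0x200 (the last is from the answer).
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x35C, 0x2000, 0x400, 0x200,
                       0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text

if __name__ == "__main__":
    rva, section, offset = entry_point_file_offset(build_sample())
    print(f"RVA {rva:#x} in {section} -> file offset {offset:#x}")
```
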