I have created a simple .exe file with flat assembler which is actually doing nothing but just having one instruction
format pe64
use64
section '.text' code executable readable
mov eax, 20
After created i opened the executable in Ghidra which detected the Language automatically as PE -> x86:LE:64:default:windows which seems OK for me.
Now the very first Address is 00400000 which seems also fine based on the PE Format from MSDN (default ImageBase).
When I now go down to the VirtualAddress property which should give me the Location of the Entry Function relative to the ImageBase, Ghidra shows the following 4 Bytes: 00 10 00 00
Now, maybe I do the math incorrect but shouldn't the Offset calculation then be: 0x400000 + 0x100000 which is 0x500000 ?
Well this Offset is not in my Image. When I go to the EntryPoint (main function) in Ghidra, it is at Offset 0x401000.
So is my math wrong ? If I remove 1 Byte from the VirtualAddress property it is exactly that location but then it would be 3 Bytes only but the PE Format says the property is 4 Bytes.