views: 106
answers: 2

I have been debugging some .exe and noticed that before I start debugging step by step, at the very beginning of the program, there are already some values loaded on the stack. What are these?

I am using OllyDbg and some of the "labels" for these values are:

  • return to kernel32.7C8...
  • ntdll.7C9...
  • End of SEH chain
  • SE handler

Thanks.

+4  A: 

The kernel gives special treatment to the "system DLL", a.k.a. ntdll. This DLL is mapped into every process no matter what. When the system starts, the kernel looks up the address of RtlUserThreadStart in ntdll, and this serves as the lowest-level user-mode entry point of a new thread. This function then initializes the "Win32" subsystem. The address of your program's main function is stored in the executable header, and that is retrieved and called. Note that you may have C runtime code as the entry point.

If there is C or C++ runtime, you'll get the stock 'CRTStartup' function, which will eventually get around to calling main.

wj32
I like your answer better than mine.
bmargulies
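An added illustration of the "address stored in the executable header" point, not code from the answer above: a small C parser that reads AddressOfEntryPoint and ImageBase out of the PE headers (the "MZ" stub, e_lfanew, the "PE\0\0" signature, IMAGE_FILE_HEADER, then IMAGE_OPTIONAL_HEADER) with bounds checks on every field, and computes the virtual address a debugger would show as the module entry point. That RVA is what the loader hands to the thread start, so on a C/C++ program it lands in the CRT startup code, not in main. The sample image it parses is a constructed header-only PE32 (no sections, not a loadable executable) built inline so the block runs anywhere; the field offsets are the published PE layout.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Little-endian readers/writers; PE fields are unaligned in the file, so never cast. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

typedef struct {
    uint32_t entry_rva;   /* IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint          */
    uint64_t image_base;  /* IMAGE_OPTIONAL_HEADER.ImageBase (preferred load base) */
    int      pe32plus;    /* 1 for a 64-bit (PE32+) image, 0 for PE32            */
} pe_entry;

/* Parse the headers of an in-memory PE file. Returns 1 on success, 0 if the
   buffer is too short or any signature/size field is inconsistent. */
int pe_find_entry(const uint8_t *img, size_t len, pe_entry *out) {
    if (len < 0x40 || rd16(img) != 0x5A4D) return 0;            /* IMAGE_DOS_HEADER.e_magic "MZ" */
    uint32_t e_lfanew = rd32(img + 0x3C);                       /* file offset of IMAGE_NT_HEADERS */
    if (e_lfanew > len || len - e_lfanew < 24) return 0;        /* Signature(4) + IMAGE_FILE_HEADER(20) */
    const uint8_t *nt = img + e_lfanew;
    if (rd32(nt) != 0x00004550) return 0;                       /* "PE\0\0" */
    uint16_t opt_size = rd16(nt + 4 + 16);                      /* IMAGE_FILE_HEADER.SizeOfOptionalHeader */
    const uint8_t *opt = nt + 24;
    if (opt_size < 32 || len - e_lfanew - 24 < opt_size) return 0;
    uint16_t magic = rd16(opt);
    if (magic == 0x10B) {                                       /* PE32: ImageBase is 4 bytes at +28 */
        out->pe32plus = 0;
        out->image_base = rd32(opt + 28);
    } else if (magic == 0x20B) {                                /* PE32+: ImageBase is 8 bytes at +24 */
        out->pe32plus = 1;
        out->image_base = (uint64_t)rd32(opt + 24) | ((uint64_t)rd32(opt + 28) << 32);
    } else {
        return 0;
    }
    out->entry_rva = rd32(opt + 16);                            /* AddressOfEntryPoint */
    return 1;
}

/* Virtual address the debugger shows for the entry point when the image
   loads at its preferred base (no relocation). */
uint64_t pe_entry_va(const pe_entry *e) { return e->image_base + e->entry_rva; }

/* Constructed sample: a 184-byte header-only PE32 (no sections, not runnable)
   with entry RVA 0x1000 and image base 0x00400000. */
#define SAMPLE_LEN (0x40 + 24 + 96)
size_t build_sample_pe32(uint8_t *buf, size_t cap) {
    if (cap < SAMPLE_LEN) return 0;
    memset(buf, 0, SAMPLE_LEN);
    wr16(buf, 0x5A4D);                 /* "MZ" */
    wr32(buf + 0x3C, 0x40);            /* e_lfanew */
    uint8_t *nt = buf + 0x40;
    wr32(nt, 0x00004550);              /* "PE\0\0" */
    wr16(nt + 4, 0x014C);              /* Machine: IMAGE_FILE_MACHINE_I386 */
    wr16(nt + 4 + 16, 96);             /* SizeOfOptionalHeader */
    uint8_t *opt = nt + 24;
    wr16(opt, 0x10B);                  /* Magic: PE32 */
    wr32(opt + 16, 0x1000);            /* AddressOfEntryPoint */
    wr32(opt + 28, 0x00400000);        /* ImageBase */
    return SAMPLE_LEN;
}

int main(void) {
    uint8_t img[SAMPLE_LEN];
    size_t len = build_sample_pe32(img, sizeof img);
    pe_entry e;
    if (!pe_find_entry(img, len, &e)) { puts("not a PE image"); return 1; }
    printf("entry RVA 0x%X, image base 0x%llX, entry VA 0x%llX (%s)\n",
           e.entry_rva, (unsigned long long)e.image_base,
           (unsigned long long)pe_entry_va(&e), e.pe32plus ? "PE32+" : "PE32");
    return 0;
}
```

To run it against a real file, read the .exe into a buffer and pass it to pe_find_entry; the VA it prints matches the address OllyDbg stops at only if the image was not relocated, since the loader may rebase it.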
+1  A: 

Not sure about OllyDbg, but if you use the Windows debugging tools (windbg or ntsd) you can use the public Microsoft Symbol Server and you should be able to get symbols for the entire user mode stack.

SEH stands for Structured Exception Handling, so at the bottom there you have the end of the SEH chain and the global handler for Structured Exceptions. I'm not completely familiar with how it works since (even when I worked at MSFT) I have never used Structured Exceptions. However, if you think about it, it makes sense these things would be at the end of the stack there.

For extra bonus fun, use the Kernel Debugger (kd in the package linked above) and you can see the kernel-mode stack as well. Good times.

jeffamaphone
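To make the "End of SEH chain" and "SE handler" labels concrete, an added example that is not part of the answer above: a C walk over the 32-bit SEH chain as it lies on the stack, run against a constructed stack image so it works offline. On a real 32-bit process the chain head is TEB->ExceptionList (fs:[0]); each record is two dwords, Next and Handler, and the oldest record, the one OllyDbg labels "End of SEH chain", has Next set to 0xFFFFFFFF. The in-stack and 4-byte-alignment checks are the ones the exception dispatcher applies before trusting a record; the "next record must be at a higher address" rule is this example's own loop guard. The handler values 0x11111111 and 0x22222222 are placeholders, not real addresses.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A 32-bit EXCEPTION_REGISTRATION_RECORD as it sits on the stack:
     +0  Next     address of the previous (older) record; 0xFFFFFFFF ends the chain
     +4  Handler  address of the _except_handler routine
   TEB->ExceptionList (fs:[0]) points at the newest record. */
#define SEH_CHAIN_END 0xFFFFFFFFu

typedef struct {
    uint8_t *mem;     /* bytes of the simulated stack region        */
    uint32_t base;    /* virtual address that mem[0] stands for      */
    uint32_t limit;   /* one past the highest address in the region  */
} stack_region;

/* Read a dword at virtual address va, refusing anything outside the stack
   region or not 4-byte aligned, as the dispatcher does before it trusts
   a registration record. */
static int read_dword(const stack_region *s, uint32_t va, uint32_t *out) {
    if ((va & 3) || va < s->base || va > s->limit - 4) return 0;
    const uint8_t *p = s->mem + (va - s->base);
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return 1;
}

static void write_dword(stack_region *s, uint32_t va, uint32_t v) {
    uint8_t *p = s->mem + (va - s->base);
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Walk the chain from head, storing up to max handler addresses.
   Returns the number of records, or -1 if a record is unreadable or the
   chain does not move toward older (higher) frames, which also stops loops. */
int walk_seh_chain(const stack_region *s, uint32_t head, uint32_t *handlers, int max) {
    uint32_t cur = head;
    int n = 0;
    while (cur != SEH_CHAIN_END) {
        uint32_t next, handler;
        if (!read_dword(s, cur, &next) || !read_dword(s, cur + 4, &handler)) return -1;
        if (next != SEH_CHAIN_END && next <= cur) return -1;   /* example's own loop guard */
        if (n < max) handlers[n] = handler;
        n++;
        cur = next;
    }
    return n;
}

/* Constructed sample stack: 256 bytes at 0x0012FF00 holding two records.
   Handler values are placeholders, not real code addresses. */
#define SAMPLE_STACK_BASE 0x0012FF00u
#define SAMPLE_STACK_SIZE 256u
#define SAMPLE_CHAIN_HEAD 0x0012FF80u
static uint8_t g_sample_stack[SAMPLE_STACK_SIZE];

stack_region make_sample_stack(void) {
    stack_region s = { g_sample_stack, SAMPLE_STACK_BASE, SAMPLE_STACK_BASE + SAMPLE_STACK_SIZE };
    memset(g_sample_stack, 0, sizeof g_sample_stack);
    /* Oldest record: what OllyDbg labels "End of SEH chain" / "SE handler". */
    write_dword(&s, 0x0012FFE0u, SEH_CHAIN_END);
    write_dword(&s, 0x0012FFE4u, 0x22222222u);
    /* Newer record installed by a later frame; fs:[0] points here. */
    write_dword(&s, SAMPLE_CHAIN_HEAD, 0x0012FFE0u);
    write_dword(&s, SAMPLE_CHAIN_HEAD + 4, 0x11111111u);
    return s;
}

int main(void) {
    stack_region s = make_sample_stack();
    uint32_t handlers[8];
    int n = walk_seh_chain(&s, SAMPLE_CHAIN_HEAD, handlers, 8);
    if (n < 0) { puts("broken SEH chain"); return 1; }
    for (int i = 0; i < n; i++) printf("SE handler %d: 0x%08X\n", i, handlers[i]);
    return 0;
}
```

Walking the chain this way is also how a debugger decides what to label: every dword pair reachable from fs:[0] until the 0xFFFFFFFF terminator is a registration record, and its second dword gets the "SE handler" tag.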