How can I retrieve the point in an exe file where IP is pointing at the beginning? Is it always pointing at the start of the .text segment?
+1
A:
Look at the AddressOfEntryPoint member of the IMAGE_OPTIONAL_HEADER (see http://msdn.microsoft.com/en-us/library/ms680339.aspx) or start dumpbin.exe My.exe /headers and look at "entry point" in the "OPTIONAL HEADER VALUES" part of the output (6th line from the beginning).
Oleg
2010-07-07 13:01:34
A:
In most cases, IP points to the .text section. But this is not a requirement of the PE Specification. When a PE section has been encrypted or compressed (like using UPX), IP is redirected to a proxy. By the way, the PE specification also gives a hint about the fact that the names of the sections are not standardized. Some programs have 'unusual' section names (e.g. Exeinfo PE).
marc ochsenmeier
2010-09-18 14:43:37
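The two answers above combined, as an added example that is not part of either answer: it reads AddressOfEntryPoint from the optional header and reports which section contains that RVA, so an entry point outside .text is visible at a glance. The function names `entry_point_info` and `build_sample` are hypothetical, and both sample images are constructed header-only byte strings, not real executables.

```python
import struct

def entry_point_info(data: bytes):
    """Return (AddressOfEntryPoint RVA, name of the section holding it, or None)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # AddressOfEntryPoint sits at offset 16 in both PE32 and PE32+.
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    table = opt + opt_size                   # section headers, 40 bytes each
    for i in range(num_sections):
        name, vsize, vaddr, rawsize = struct.unpack_from("<8sIII", data, table + 40 * i)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            return entry_rva, name.rstrip(b"\0").decode("ascii", "replace")
    return entry_rva, None                   # e.g. entry point inside the headers

def build_sample(entry_rva, sections):
    """Constructed header-only PE32 image (demo input, not a runnable exe)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(0xE0, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(
        struct.pack("<8sIIII", name, vsize, vaddr, vsize, 0).ljust(40, b"\0")
        for name, vaddr, vsize in sections)
    return dos + b"PE\0\0" + coff + opt + table

# Constructed samples: a conventional layout and a packer-style layout.
PLAIN = build_sample(0x12F0, [(b".text", 0x1000, 0x2000), (b".data", 0x3000, 0x1000)])
PACKED = build_sample(0x8A10, [(b"UPX0", 0x1000, 0x5000), (b"UPX1", 0x6000, 0x3000)])

if __name__ == "__main__":
    for label, image in (("plain", PLAIN), ("packed", PACKED)):
        rva, section = entry_point_info(image)
        print(f"{label}: entry RVA {rva:#x} in section {section!r}")
```

For triage, an entry point that resolves to a section not named .text, or to no section at all, is a cheap signal that the file may be packed and deserves a closer look.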