The value of Address of Entry Point is different in PE Explorer and UltraEdit
I wrote a basic helloworld.exe in C with the simple line printf("helloworld!\n");
Then I used UltraEdit to view the bytes of the EXE file, and also used PE Explorer to view the header values. When it comes to Address of Entry Point, PE Explorer displays 0x004012c0.
Magic 010Bh PE32
Linker Version 1902h 2.25
Size of Code 00008000h
Size of Initialized Data 0000B000h
Size of Uninitialized Data 00000C00h
Address of Entry Point 004012C0h
Base of Code 00001000h
Base of Data 00009000h
Image Base 00400000h
But in UltraEdit I see 0x000012c0 after counting 16 bytes after the magic 0x010B.
3F 02 00 00 E0 00 07 03 0B 01 02 19 00 80 00 00
00 B0 00 00 00 0C 00 00 C0 12 00 00 00 10 00 00
00 90 00 00 00 00 40 00 00 10 00 00 00 02 00 00
04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00
00 10 01 00 00 04 00 00 91 F6 00 00 03 00 00 00
00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00
00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00
00 E0 00 00 C0 06 00 00 00 00 00 00 00 00 00 00
Which one is correct?
Simply read the IMAGE_OPTIONAL_HEADER structure:
AddressOfEntryPoint
A pointer to the entry point function, relative to the image base
address. For executable files, this is the starting address. For
device drivers, this is the address of the initialization function.
The entry point function is optional for DLLs. When no entry point is
present, this member is zero.
So the absolute address of EntryPoint is AddressOfEntryPoint ? ImageBase + AddressOfEntryPoint : 0
In your case AddressOfEntryPoint == 12c0 and ImageBase == 400000, because the absolute address of EntryPoint is 12c0+400000==4012c0
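The calculation from the answer, run against the first three rows of the hex dump in the question (an added example, not part of the original question or answer). It also handles PE32+ headers, where ImageBase is 8 bytes wide and BaseOfData is absent; the function names and the DUMP constant are made up for this illustration.

```python
import struct

# First 48 bytes of the hex dump in the question: the last 8 bytes of the
# COFF file header, followed by the start of the optional header.
DUMP = bytes.fromhex(
    "3F020000E00007030B01021900800000"
    "00B00000000C0000C012000000100000"
    "00900000000040000010000000020000"
)
OPT_HDR_OFFSET = 8  # the magic bytes 0B 01 start 8 bytes into the dump

PE32_MAGIC, PE32PLUS_MAGIC = 0x010B, 0x020B


def parse_optional_header(buf, offset=0):
    """Return (magic, AddressOfEntryPoint RVA, ImageBase) from an optional header."""
    magic, = struct.unpack_from("<H", buf, offset)
    # AddressOfEntryPoint sits 16 bytes after the magic in both formats.
    entry_rva, = struct.unpack_from("<I", buf, offset + 16)
    if magic == PE32_MAGIC:
        # PE32: BaseOfData at +24, then a 4-byte ImageBase at +28
        image_base, = struct.unpack_from("<I", buf, offset + 28)
    elif magic == PE32PLUS_MAGIC:
        # PE32+: no BaseOfData, 8-byte ImageBase at +24
        image_base, = struct.unpack_from("<Q", buf, offset + 24)
    else:
        raise ValueError(f"unexpected optional header magic {magic:#06x}")
    return magic, entry_rva, image_base


def entry_point_va(entry_rva, image_base):
    """Absolute address at the preferred image base; 0 when there is no entry point."""
    return image_base + entry_rva if entry_rva else 0


if __name__ == "__main__":
    magic, rva, base = parse_optional_header(DUMP, OPT_HDR_OFFSET)
    # The hex editor shows the raw RVA; PE Explorer shows ImageBase + RVA.
    print(f"magic={magic:#06x} rva={rva:#010x} base={base:#010x} "
          f"va={entry_point_va(rva, base):#010x}")
```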