Reputation: 10994
the executed section
How can I retrieve in exe file point where IP is pointing to on the beginning ?? Is it pointing always on the start of .text segment ?
Upvotes: 1
Views: 97
Answers (2)
Reputation: 6324
In most cases, IP points to the .text section. But this is not a requirement of the PE Specification. When a PE Section has been encrypted or compressed (like using UPX), IP is redirected to a proxy. By the way, the PE specification also gives a hint about the fact that the name of the Sections are not standardized. Some programs have 'unusual' sections names (e.g. Exeinfo PE).
Upvotes: 0
Reputation: 222017
Look at AddressOfEntryPoint member of the IMAGE_OPTIONAL_HEADER (see http://msdn.microsoft.com/en-us/library/ms680339.aspx) or start dumpbin.exe My.exe /headers and look at "entry point" in the "OPTIONAL HEADER VALUES" part of the output (6-th line from the beginning).
Upvotes: 1
Related Questions
- PE File Format - What is between the section table and the first section?
- Strange Value in EXE header
- Can't find COFF file header in hex editor
- Executable Section Headers - Meaning and use?
- Why I didn't get the "PE\0\0"?
- PE/COFF file extensions
- PE file section names
- Data in the data section of an exe
- About executable with debug information in windows
- executable sections flag