user3166611

Reputation: 61

How to find a (PE)Executable entry point in RAW memory?

I'm working on an ASM project and I want to know a portable executable program's entry point in raw memory. By raw memory I mean static memory, as if I were editing the raw .exe file with a hex editor. From the program's PE table I can look for the entry called "EntryPoint:", but that entry contains the program's entry point once it's loaded in memory! I need to find where the program is going to look for the first instructions in raw memory, on the disk. Some programs start their execution at the first address of the .text section; this is very usual but does not always happen, which is why I want to know the entry point.

To work with that, I'm using the function MapViewOfFile from the Windows API and loading an example.exe program in memory, then looking at its raw content.

I'm currently working with MASM using RadASM.

Thanks!

Upvotes: 1

Views: 4076

Answers (1)

Chris Dodd

Reputation: 126203

The entry point is given by AddressOfEntryPoint in the PE header, which gives you the virtual address of the entry point. If you want to figure out where in the file that is, you need to go through the section table and figure out which section contains that virtual address -- that is the section with a VirtualAddress and VirtualSize such that AddressOfEntryPoint is >= VirtualAddress and the offset AddressOfEntryPoint - VirtualAddress is < VirtualSize.

Once you've found that, just compute PointerToRawData + offset to figure out where it is in the file.

Upvotes: 6
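
The section-table walk described in the answer, as an added example that is not part of the original posts. It parses the headers bytewise, so it works on any buffer holding the raw file (such as a MapViewOfFile view); the function names and the constructed two-section sample header are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PE fields are little-endian; read them bytewise so alignment never matters. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr(uint8_t *p, uint32_t v, int n) { while (n--) { *p++ = (uint8_t)v; v >>= 8; } }

/* File offset of the entry point, or -1 if headers are malformed or no section contains it. */
int64_t entry_file_offset(const uint8_t *img, size_t len) {
    if (len < 0x40 || rd16(img) != 0x5A4D) return -1;            /* "MZ" */
    uint32_t pe = rd32(img + 0x3C);                              /* e_lfanew */
    if (pe > len || len - pe < 24 || rd32(img + pe) != 0x4550) return -1; /* "PE\0\0" */
    uint16_t nsec = rd16(img + pe + 6);                          /* NumberOfSections */
    uint16_t optsz = rd16(img + pe + 20);                        /* SizeOfOptionalHeader */
    if (optsz < 20 || len - pe - 24 < optsz) return -1;          /* header must fit in buffer */
    uint32_t entry = rd32(img + pe + 24 + 16);                   /* AddressOfEntryPoint */
    size_t sec = (size_t)pe + 24 + optsz;                        /* first section header */
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {             /* 40 bytes per header */
        if (sec + 40 > len) return -1;                           /* truncated section table */
        uint32_t va = rd32(img + sec + 12);                      /* VirtualAddress */
        uint32_t vsize = rd32(img + sec + 8);                    /* VirtualSize */
        if (entry >= va && entry - va < vsize)                   /* section contains entry */
            return (int64_t)rd32(img + sec + 20) + (entry - va); /* PointerToRawData + offset */
    }
    return -1;
}

/* Constructed sample (headers only, 0x200 bytes): section 1 maps RVA 0x1000 to
   file offset 0x400, section 2 maps RVA 0x2000 to file offset 0xC00. */
void build_sample(uint8_t *b, uint32_t entry_rva) {
    memset(b, 0, 0x200);
    wr(b, 0x5A4D, 2); wr(b + 0x3C, 0x80, 4);                     /* MZ, e_lfanew = 0x80 */
    wr(b + 0x80, 0x4550, 4); wr(b + 0x86, 2, 2); wr(b + 0x94, 0xE0, 2);
    wr(b + 0x98 + 16, entry_rva, 4);                             /* AddressOfEntryPoint */
    uint8_t *s = b + 0x98 + 0xE0;                                /* section table */
    wr(s + 8, 0x800, 4); wr(s + 12, 0x1000, 4); wr(s + 20, 0x400, 4);
    wr(s + 48, 0x300, 4); wr(s + 52, 0x2000, 4); wr(s + 60, 0xC00, 4);
}

int main(void) {
    uint8_t img[0x200];
    build_sample(img, 0x1234);
    printf("entry point at file offset 0x%llx\n", (unsigned long long)entry_file_offset(img, sizeof img));
    return 0;
}
```

The returned offset is not checked against the section's SizeOfRawData or the mapped file length, so validate it before reading through the view.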
