user963228

Reputation: 652

PE header entry point RVA

I am having an issue with a non-.NET, x86 machine type, PE32 executable piece of malware I am analyzing on a virtual machine. The entry point field is not NULL, so this rules out execution starting at 0x0.

When I break with a debugger at the entry point after creating the process in a suspended state, this program is managing to get calls out before the entry point. I am a little confused here; how exactly can this work?

Upvotes: 0

Views: 797

Answers (1)

Sergey Podobry

Reputation: 7189

TLS (thread-local storage) callbacks are called by the system before the application entry point. Here is a blog post about that.

Upvotes: 2
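To check a sample for the mechanism named in the answer above before resuming it, the TLS data directory of the PE32 header can be read statically. This is an added example, not part of the original question or answer; `tls_callbacks` and `build_sample` are hypothetical names, and the sample bytes are a constructed skeleton rather than a real binary.

```python
import struct

TLS_DIR = 9  # IMAGE_DIRECTORY_ENTRY_TLS

def tls_callbacks(pe):
    """Return the TLS callback VAs listed in a PE32 file (empty list if none)."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]  # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24  # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    image_base, = struct.unpack_from("<I", pe, opt + 28)
    ndirs, = struct.unpack_from("<I", pe, opt + 92)
    # Per section: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    secs = [struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    def offset(rva):
        for vsize, va, rawsize, rawptr in secs:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError("RVA 0x%x is outside every section" % rva)
    tls_rva = struct.unpack_from("<I", pe, opt + 96 + 8 * TLS_DIR)[0] if ndirs > TLS_DIR else 0
    if tls_rva == 0:
        return []
    # IMAGE_TLS_DIRECTORY32.AddressOfCallBacks is a VA at offset 12, not an RVA
    cb_va, = struct.unpack_from("<I", pe, offset(tls_rva) + 12)
    if cb_va == 0:
        return []
    pos, found = offset(cb_va - image_base), []
    while (va := struct.unpack_from("<I", pe, pos)[0]) != 0:  # null-terminated array
        found.append(va)
        pos += 4
    return found

def build_sample():
    """Constructed PE32 skeleton (not a real binary): one section with a TLS directory."""
    base, img = 0x400000, bytearray(0x400)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)
    struct.pack_into("<HH12xH", img, 0x44, 0x14C, 1, 224)  # i386, 1 section
    struct.pack_into("<H", img, 0x58, 0x10B)  # PE32 magic
    struct.pack_into("<I", img, 0x58 + 28, base)
    struct.pack_into("<I", img, 0x58 + 92, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", img, 0x58 + 96 + 8 * TLS_DIR, 0x1000, 24)
    struct.pack_into("<8s4I", img, 0x58 + 224, b".data", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<I", img, 0x200 + 12, base + 0x1020)  # AddressOfCallBacks
    struct.pack_into("<3I", img, 0x220, base + 0x1040, base + 0x1050, 0)
    return bytes(img)
```

The returned addresses are where to set breakpoints in addition to the entry point. The list reflects only what is in the file on disk, so a packed sample can still show an empty or different array here than it has at run time.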
