Rushil Paul

Reputation: 2048

How to find offset of Dword where Address Of entry point of an executable is stored

There are disassemblers like CFF Explorer which display the AddressOfEntryPoint of any executable along with the offset where it is stored. I know how to find that (IMAGE_OPTIONAL_HEADER::AddressOfEntryPoint), but I want to be able to find the offset in the PE exe file where the AddressOfEntryPoint is stored, programmatically.

I've read a lot about PE files here

But still can't figure it out. Help needed

Upvotes: 1

Views: 2846

Answers (2)

ST3

Reputation: 8946

Well, it looks like @JosephH wrote a correct answer; however, that answer isn't correct and not nice at all.

To get the EP you need to have read the file as a binary file (not all of the file is needed).

So assume you have unsigned char* data; which points to the binary info.

// Requires <windows.h> (winnt.h) for the IMAGE_* structures and DWORD.
IMAGE_DOS_HEADER* dosHeader = (IMAGE_DOS_HEADER *)data;                       //cast it to DOS header (some call it the MZ header)
IMAGE_NT_HEADERS* peHeader = (IMAGE_NT_HEADERS *)&data[dosHeader->e_lfanew];  //find NT header (PE header)
DWORD ep = 0;
// Magic is a member of the optional header and sits at the same position in the 32-bit and 64-bit layouts
if (peHeader->OptionalHeader.Magic == 0x10b)  //32-bit executable
    ep = ((IMAGE_NT_HEADERS32 *)peHeader)->OptionalHeader.AddressOfEntryPoint;  //Get EP
else  //64-bit executable
    ep = ((IMAGE_NT_HEADERS64 *)peHeader)->OptionalHeader.AddressOfEntryPoint;  //Get EP

I think my answer is better because it is more self-explanatory; also, you cannot trust offsets, because structures change from time to time. As you see, even IMAGE_NT_HEADERS, which I used, is defined differently on x86 and x64 machines.

Upvotes: 1

JosephH

Reputation: 8825

The offset of AddressOfEntryPoint would be the sum of the size of the sections that precede it: sizeof(IMAGE_DOS_HEADER)+sizeof(DWORD)+sizeof(IMAGE_FILE_HEADER)+sizeof(WORD)+sizeof(BYTE)+sizeof(BYTE)+sizeof(DWORD)+sizeof(DWORD)+sizeof(DWORD)

Upvotes: 2
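An added example, not part of either answer above: a bounds-checked C routine that returns the file offset of the AddressOfEntryPoint DWORD as well as the value stored there, locating the NT headers through e_lfanew. The names pe_ep_offset and build_sample are hypothetical, the header bytes are constructed for the demo, and fields are read by their documented PE positions instead of through the windows.h structures so the code runs on any platform.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian reads, independent of host alignment and byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* File offset of the AddressOfEntryPoint DWORD, or -1 if the header is
   malformed or truncated. On success *rva receives the stored value. */
int64_t pe_ep_offset(const uint8_t *d, size_t len, uint32_t *rva)
{
    if (len < 0x40 || rd16(d) != 0x5A4D)          /* "MZ" */
        return -1;
    uint32_t nt = rd32(d + 0x3C);                 /* e_lfanew: untrusted file data */
    if (nt > len || len - nt < 4 + 20 + 20)       /* signature + file hdr + 20 opt bytes */
        return -1;
    if (rd32(d + nt) != 0x00004550)               /* "PE\0\0" */
        return -1;
    const uint8_t *opt = d + nt + 4 + 20;         /* optional header start */
    uint16_t magic = rd16(opt);                   /* 0x10B = PE32, 0x20B = PE32+ */
    if (rd16(d + nt + 4 + 16) < 20 || (magic != 0x10B && magic != 0x20B))
        return -1;                                /* SizeOfOptionalHeader or Magic bad */
    /* Magic(2) + linker version(2) + 3 size DWORDs(12): 16 bytes in both formats. */
    *rva = rd32(opt + 16);
    return (int64_t)nt + 4 + 20 + 16;
}

/* Constructed sample header (not a real binary): e_lfanew = 0x80. */
void build_sample(uint8_t buf[256], uint16_t magic, uint32_t rva)
{
    memset(buf, 0, 256);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x80;
    memcpy(buf + 0x80, "PE\0\0", 4);
    buf[0x80 + 4 + 16] = 0xF0;                    /* SizeOfOptionalHeader */
    buf[0x98] = (uint8_t)magic; buf[0x99] = (uint8_t)(magic >> 8);
    for (int i = 0; i < 4; i++) buf[0xA8 + i] = (uint8_t)(rva >> (8 * i));
}

int main(void)
{
    uint8_t buf[256]; uint32_t rva = 0;
    build_sample(buf, 0x20B, 0x1234);
    int64_t off = pe_ep_offset(buf, sizeof buf, &rva);
    printf("offset=%lld rva=0x%x\n", (long long)off, (unsigned)rva);
    return off < 0;
}
```

The returned offset is always e_lfanew + 40, so a file with a DOS stub longer than the bare DOS header still resolves correctly, and an out-of-range e_lfanew is rejected before any read.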
