
Once Windows has loaded an executable into memory and transferred execution to the entry point, are the values in the registers and on the stack meaningful? If so, where can I find more information about it?

2 Answers


Officially, the registers at the entry point of a PE file do not have defined values. You're supposed to use APIs, such as GetCommandLine, to retrieve the information you need. However, since the kernel function that eventually transfers control to the entry point did not change much from the old days, some PE packers and malware started to rely on its peculiarities. The two more or less reliable registers are:

  • EAX points to the entry point of the application (because the kernel function uses call eax to jump to it)

  • EBX points to the Process Environment Block (PEB).


4 Comments

Good info, but do you know anything about x64?
@ST3 No, but you can probably check in the debugger.
Ok, but one question: are you sure EAX points to EP? I have seen CALL EDX on my machine.
Okay, I guess it's changed at some point. If you can figure out when, feel free to edit the answer.
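A way to check the two heuristics above against what a debugger shows at the initial breakpoint, as an added example (not code from the answer or its author). It assumes you have the image's headers on disk, the base the image actually got mapped at, the value of the register the stub used for its indirect call (EAX in the answer, EDX per the comment above), and a raw dump of the first 0x20 bytes at the address in EBX (e.g. `db ebx L20` in WinDbg). It computes the expected entry VA from AddressOfEntryPoint and the load base, and confirms the supposed PEB by reading its ImageBaseAddress field (at +0x08 in the 32-bit PEB, +0x10 in the 64-bit PEB) and comparing it with the load base. The PE headers and PEB dump used at the bottom are constructed sample data, not captures from a real process.

```python
import struct

# PE header constants (from the PE/COFF specification)
IMAGE_DOS_SIGNATURE = 0x5A4D          # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550       # 'PE\0\0'
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def parse_pe_entry(data):
    """Return (is_64bit, preferred ImageBase, AddressOfEntryPoint RVA).

    Rejects anything that is not a well-formed PE header instead of trusting
    out-of-range offsets.
    """
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, _nsect, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < 32 or opt + opt_size > len(data):
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        return False, struct.unpack_from("<I", data, opt + 28)[0], entry_rva
    if magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        return True, struct.unpack_from("<Q", data, opt + 24)[0], entry_rva
    raise ValueError("unknown optional header magic 0x%x" % magic)


def expected_entry_va(data, actual_base=None):
    """Address the kernel-side stub transfers control to.

    actual_base: where the image was really mapped (ASLR may relocate it);
    defaults to the preferred ImageBase from the header.
    """
    _is64, image_base, entry_rva = parse_pe_entry(data)
    return (image_base if actual_base is None else actual_base) + entry_rva


def peb_image_base(peb_bytes, is64):
    """ImageBaseAddress from a raw dump of the start of the PEB.

    Documented layout: +0x08 in the 32-bit PEB, +0x10 in the 64-bit PEB.
    """
    if is64:
        if len(peb_bytes) < 0x18:
            raise ValueError("need at least 0x18 bytes of the 64-bit PEB")
        return struct.unpack_from("<Q", peb_bytes, 0x10)[0]
    if len(peb_bytes) < 0x0C:
        raise ValueError("need at least 0x0C bytes of the 32-bit PEB")
    return struct.unpack_from("<I", peb_bytes, 0x08)[0]


def verify_startup_registers(data, actual_base, entry_reg, peb_dump):
    """Check both heuristics against values observed in the debugger.

    entry_reg: value of the register the stub used for its indirect call
    peb_dump:  bytes read from the address in the register believed to be the PEB
    """
    is64, _image_base, _rva = parse_pe_entry(data)
    return {
        "reg_is_entry_point": entry_reg == expected_entry_va(data, actual_base),
        "reg_is_peb": peb_image_base(peb_dump, is64) == actual_base,
    }


def build_min_pe(is64, image_base, entry_rva):
    """Construct a header-only PE image (constructed sample data, not a real binary)."""
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew: NT headers follow the DOS header
    opt_size = 0xF0 if is64 else 0xE0
    machine = IMAGE_FILE_MACHINE_AMD64 if is64 else IMAGE_FILE_MACHINE_I386
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR64_MAGIC if is64 else IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)
    if is64:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    return bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + coff + bytes(opt)


def build_min_peb(is64, image_base):
    """Construct the first 0x20 bytes of a PEB as a debugger dump would show them (constructed)."""
    peb = bytearray(0x20)
    if is64:
        struct.pack_into("<Q", peb, 0x10, image_base)
    else:
        struct.pack_into("<I", peb, 0x08, image_base)
    return bytes(peb)


if __name__ == "__main__":
    # Constructed scenario: x86 image relocated by ASLR from 0x400000 to 0x7A0000,
    # register holding 0x7A1000 and EBX pointing at a PEB whose ImageBaseAddress matches.
    pe32 = build_min_pe(False, 0x400000, 0x1000)
    print(verify_startup_registers(pe32, 0x7A0000, 0x7A1000, build_min_peb(False, 0x7A0000)))
```

Using the actual load base rather than the header's ImageBase matters: with ASLR the two differ, and a packer stub that compares the register against the header value will misfire. The PEB check is what makes the EBX heuristic testable at all, since a pointer alone cannot be told apart from any other address.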

Chapter 5 of Windows Internals Fifth Edition covers the mechanism of Windows creating a process in detail. That would give you more information about Windows loading an executable in memory and transferring execution to the entry point.

I found this up-to-date reference that covers how registers are used in various calling conventions on various operating systems and by various compilers. It's quite detailed, and seems comprehensive: Agner Fog's Calling Conventions document

1 Comment

The link is broken. I think this is it: agner.org/optimize/calling_conventions.pdf
