I have been debugging some .exe and noticed that before I start debugging step by step, at the very beginning of the program, there are already some values loaded on the stack. What are these?
I am using OllyDbg and some of the “labels” for these values are:
- return to kernel32.7C8…
- ntdll.7C9…
- End of SEH chain
- SE handler
Thanks.
The kernel gives special treatment to the “system DLL”, a.k.a. ntdll. This DLL is mapped into every process no matter what. When the system starts, the kernel looks up the address of RtlUserThreadStart in ntdll, and this serves as the lowest-level user-mode entry point of a new thread. This function then initializes the “Win32” subsystem. The address of your program’s main function is stored in the executable header, and that is retrieved and called. Note that you may have C runtime code as the entry point.
If there is C or C++ runtime, you’ll get the stock ‘CRTStartup’ function, which will eventually get around to calling main.
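As an added example (not part of the question or the answer above), here is how the entry point that the answer says is “stored in the executable header” is actually read out: a small Python parser that follows e_lfanew to the PE signature, reads AddressOfEntryPoint and ImageBase from the optional header, and finds the section that contains the entry point. The minimal PE32 image it runs on is constructed inline with made-up values; the header field names and offsets are the standard PE layout.

```python
import struct


def pe_entry_point(image: bytes) -> dict:
    """Locate the entry point that the loader's thread-start code will call.

    Follows e_lfanew to the PE signature, reads the COFF and optional headers,
    then finds the section that contains AddressOfEntryPoint.
    """
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20                                      # COFF file header is 20 bytes
    (magic,) = struct.unpack_from("<H", image, opt)
    (entry_rva,) = struct.unpack_from("<I", image, opt + 16)   # AddressOfEntryPoint
    if magic == 0x10B:                                   # PE32: 32-bit ImageBase at +28
        (image_base,) = struct.unpack_from("<I", image, opt + 28)
    elif magic == 0x20B:                                 # PE32+: 64-bit ImageBase at +24
        (image_base,) = struct.unpack_from("<Q", image, opt + 24)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    section, executable = None, False
    for i in range(nsections):                           # section table follows the optional header
        name, vsize, va, rawsize, *_, flags = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        if va <= entry_rva < va + max(vsize, rawsize):
            section = name.rstrip(b"\0").decode("ascii")
            executable = bool(flags & 0x20000000)        # IMAGE_SCN_MEM_EXECUTE
            break
    return {"entry_rva": entry_rva, "image_base": image_base,
            "entry_va": image_base + entry_rva, "section": section,
            "executable": executable}


def build_sample_pe32(entry_rva: int = 0x1000) -> bytes:
    """Constructed minimal PE32 image: DOS stub, headers and one .text section header."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 14, 0, 0x200, 0, 0,
                      entry_rva, 0x1000, 0x2000, 0x400000)   # ImageBase 0x400000
    opt += b"\0" * (0xE0 - len(opt))                     # pad to SizeOfOptionalHeader
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200,
                       0x400, 0, 0, 0, 0, 0x60000020)    # code | execute | read
    return dos + b"PE\0\0" + coff + opt + text


if __name__ == "__main__":
    info = pe_entry_point(build_sample_pe32())
    print("entry point VA 0x%08x in section %s" % (info["entry_va"], info["section"]))
```

For a C or C++ program the address found this way is the CRT startup code rather than main itself. When triaging an unknown binary, an entry point that lies outside every section or inside a non-executable one is a cheap first flag to raise.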