Home/ Questions/Q 4544386
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-21T15:39:51+00:00

I want to be able to find out where the code appearing at the

  • 0

I want to be able to find out where the code appearing at the entry point comes from by looking at the PE header.

For example, this piece of code is the starting code of my program(401000h)

00401000 >/$ 58             POP EAX                                  ;  kernel32.76E93677
00401001  |. 2D 77360100    SUB EAX,13677
00401006  |. BB 4A184000    MOV EBX,<JMP.&kernel32.VirtualProtect>

I want to know where this code comes from. How can I find it without manually scanning my file? (to complete the example, here’s an hexdump from the same file, the code now resides at 200h)

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000200   58 2D 77 36 01 00 BB 4A  18 40 00

How can I get from my virtual entry point (401000h) to the raw entry point (200h)?
I tried solving it myself of course. But I’m missing something. At first I thought:

.text[ Entrypoint (1000h) – VirtualOffset (1000d) ] = raw entrypoint
since the file alignment = 200, and the raw entry point was at the very start of my .text section, I thought I could use this for all the executables.

Solved, I made stupid mistakes when calculating the raw entry point

.text[ Entry point – Virtual offset ] + File Alignment = Raw entry point (relative to .text section)

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    To locate the offset in the file by yourself you need to have a look at the _IMAGE_NT_HEADERS structure. From this you can get the IMAGE_OPTIONAL_HEADER where
    the member you are interested in ImageBase is. You can change its value with EditBin /REBASE so there is little need to roll your own tool.

    For reference how you can determine the entry point via dumpbin.

    You can use
    dumpbin /headers 

    dumpbin /headers \Windows\bfsvc

Dump of file \Windows\bfsvc.exe

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
             14C machine (x86)
               4 number of sections
        4A5BBFB3 time date stamp Tue Jul 14 01:13:55 2009
               0 file pointer to symbol table
               0 number of symbols
              E0 size of optional header
             102 characteristics
                   Executable
                   32 bit word machine

OPTIONAL HEADER VALUES
             10B magic # (PE32)
            9.00 linker version
            DE00 size of code
            2000 size of initialized data
               0 size of uninitialized data
            4149 entry point (01004149)
            1000 base of code
            F000 base of data
         1000000 image base (01000000 to 01011FFF)
            1000 section alignment
             200 file alignment

    For the entry point the image base value is relevant. But this is only true for images that are not ASLR enabled. For them a random base address (1 of 128 different ones) is choosen.
    The flag that indicates if an image is ASLR enabled is the value 0x40 which is set in DLL characteristics.

    8140 DLL characteristics

    For svchost.exe for example it is set for older programs it is generally 0.

    Yours,
    Alois Kraus

    • 0