Finding the Entry Point (EP) in memory and disk

[Read this post in Spanish]

The Entry Point (AddressOfEntryPoint) defined in the PE/COFF format for executable files is the relative virtual address (RVA) of the first instruction that will execute once the image has been mapped into memory. Being an RVA, it is relative to ImageBase: it is neither an absolute address nor an offset into the file. To find this address both in memory and on disk (RawData) you must first locate the following values inside the executable file:

AddressOfEntryPoint (Optional Header)

ImageBase (Optional Header)

BaseOfCode (Optional Header; usually equal to the VirtualAddress of .text, but not guaranteed to be)

VirtualAddress of the section that contains the entry point (Section Table; usually, but not always, .text)

PointerToRawData of that same section (Section Table)

FileAlignment and SectionAlignment (Optional Header) explain why the two locations differ, but they do not enter the calculation themselves.

 

How to find the Entry Point in Memory

The memory location where the first instruction will be placed can be found using the following formula:

EP (Memory) = AddressOfEntryPoint + ImageBase

(assuming the image was loaded at its preferred ImageBase; if the loader relocated it, for example because of ASLR or because that address range was already taken, replace ImageBase with the actual base the module was loaded at. AddressOfEntryPoint is an RVA, so it does not change)

How to find the Entry Point in the file (RawData)

The location of this value in the file is different from the one in memory because the PE format was designed so that the image is laid out for execution in memory, not on disk (kind of obvious, right?). In memory, sections are aligned to SectionAlignment, usually one page (0x1000, 4096 bytes); on disk they are aligned to FileAlignment, usually 0x200 (512 bytes), and the headers take much less than a full page, so every section starts at a different place in the file than in memory. The gap between each section's VirtualAddress and its PointerToRawData is exactly what has to be compensated for. You normally only need the file offset when you are reverse engineering or working with a malware sample (for instance, to patch the first instruction or to carve the code out of the file). With this in mind, the location of the EP in the file is:

EP (File) = AddressOfEntryPoint - Section[VirtualAddress] + Section[PointerToRawData]

where Section is the section whose virtual range contains AddressOfEntryPoint, that is, Section[VirtualAddress] <= AddressOfEntryPoint < Section[VirtualAddress] + Section[VirtualSize].

In this case, you will notice that we first subtract the section's VirtualAddress from AddressOfEntryPoint: this turns the RVA into an offset relative to the start of the section. In the common case the entry point lives in .text and BaseOfCode equals .text[VirtualAddress], which is why you often see this written as AddressOfEntryPoint - BaseOfCode. Do not rely on that shortcut: compare AddressOfEntryPoint against the virtual range of each section, because sometimes it is not contained in .text at all (packers in particular put the entry point in their own section), and then BaseOfCode is the wrong base.

Next you add the section's PointerToRawData, the offset in the file where that section's raw bytes begin. This value is already a multiple of FileAlignment, so nothing else has to be added for alignment; adding FileAlignment on top would land you 0x200 bytes too far into the file, possibly inside the next section. If you skip this step you are left with a section-relative offset, which is not a valid position in either memory or the file.

NOTE: FileAlignment is usually 0x200 (512 bytes); .text[PointerToRawData] is usually 0x200 or 0x400 depending on how much room the headers take, which is why the two values are easy to confuse. Also check that the result is below Section[PointerToRawData] + Section[SizeOfRawData]: when a section's VirtualSize is larger than its SizeOfRawData, the tail of the section exists only in memory and an entry point located there has no bytes on disk.
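The two calculations above, as an added example that is not part of the original post: a small parser written for this article (not a library the post uses) that reads the fields named above from raw PE bytes, finds the section containing AddressOfEntryPoint, and reports the EP both in memory and in the file. Since a real binary cannot be embedded here, `build_sample_pe()` hand-constructs a minimal two-section PE32 image (valid headers and section table, no runnable code) whose layout is an assumption of the example: `.text` at RVA 0x1000 / file offset 0x400 and a packer-style `.pack` section at RVA 0x2000 / file offset 0x600, with ImageBase 0x400000 and FileAlignment 0x200. `naive_file_offset()` computes the off-by-FileAlignment variant so you can see where it lands.

```python
"""Added example: locate a PE entry point in memory (VA) and in the file (raw offset).
Standalone code written for this post; the sample image is constructed, not a real binary."""
import struct

SECTION_HEADER_SIZE = 40
OPTIONAL_HEADER_PE32_SIZE = 224


def parse_pe(data):
    """Pull the header fields needed to locate the EP out of raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                    # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                  # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_rva, base_of_code = struct.unpack_from("<II", data, opt + 16)
    section_align, file_align = struct.unpack_from("<II", data, opt + 32)
    sections = []
    table = opt + size_of_opt                             # section table follows the optional header
    for i in range(num_sections):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, table + i * SECTION_HEADER_SIZE)
        name, vsize, va, rawsize, rawptr = fields[:5]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "VirtualAddress": va, "VirtualSize": vsize,
                         "SizeOfRawData": rawsize, "PointerToRawData": rawptr})
    return {"AddressOfEntryPoint": entry_rva, "BaseOfCode": base_of_code,
            "ImageBase": image_base, "SectionAlignment": section_align,
            "FileAlignment": file_align, "sections": sections}


def section_for_rva(pe, rva):
    """Section whose virtual range contains rva, or None (RVA in the headers or in a gap)."""
    for s in pe["sections"]:
        span = max(s["VirtualSize"], s["SizeOfRawData"])  # some linkers leave VirtualSize at 0
        if s["VirtualAddress"] <= rva < s["VirtualAddress"] + span:
            return s
    return None


def rva_to_file_offset(pe, rva):
    """RVA -> raw file offset, or None when that RVA has no bytes on disk."""
    s = section_for_rva(pe, rva)
    if s is None:
        return None
    delta = rva - s["VirtualAddress"]                     # offset inside the section
    if delta >= s["SizeOfRawData"]:                       # memory-only tail (VirtualSize > SizeOfRawData)
        return None
    return s["PointerToRawData"] + delta                  # PointerToRawData is already FileAlignment-aligned


def locate_entry_point(data, load_base=None):
    """EP in memory (at ImageBase, or at load_base if relocated) and in the file."""
    pe = parse_pe(data)
    rva = pe["AddressOfEntryPoint"]
    sec = section_for_rva(pe, rva)
    base = pe["ImageBase"] if load_base is None else load_base
    return {"memory": base + rva, "file": rva_to_file_offset(pe, rva),
            "section": sec["name"] if sec else None}


def naive_file_offset(pe):
    """Off-by-FileAlignment variant: AddressOfEntryPoint - BaseOfCode + .text[PointerToRawData] + FileAlignment."""
    text = next(s for s in pe["sections"] if s["name"] == ".text")
    return pe["AddressOfEntryPoint"] - pe["BaseOfCode"] + text["PointerToRawData"] + pe["FileAlignment"]


def build_sample_pe(entry_rva):
    """Constructed two-section PE32 image used as sample input (assumed layout, not a real executable)."""
    # name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData
    layout = [(b".text", 0x1000, 0x100, 0x400, 0x200),
              (b".pack", 0x2000, 0x300, 0x600, 0x200)]  # VirtualSize > SizeOfRawData on purpose
    img, e_lfanew = bytearray(0x800), 0x40
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    struct.pack_into("<HHIIIHH", img, coff, 0x14C, len(layout), 0, 0, 0, OPTIONAL_HEADER_PE32_SIZE, 0x102)
    opt = coff + 20
    # Magic, linker ver (2 bytes), SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData,
    # AddressOfEntryPoint, BaseOfCode, BaseOfData, ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<HBBIIIIIIIII", img, opt, 0x10B, 14, 0, 0x200, 0x200, 0,
                     entry_rva, 0x1000, 0x2000, 0x400000, 0x1000, 0x200)
    struct.pack_into("<II", img, opt + 56, 0x3000, 0x400)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", img, opt + 68, 3)               # Subsystem: console
    struct.pack_into("<I", img, opt + 92, 16)              # NumberOfRvaAndSizes
    table = opt + OPTIONAL_HEADER_PE32_SIZE
    for i, (name, va, vsize, rawptr, rawsize) in enumerate(layout):
        struct.pack_into("<8sIIIIIIHHI", img, table + i * SECTION_HEADER_SIZE,
                         name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
        img[rawptr:rawptr + rawsize] = b"\xCC" * rawsize   # int3 filler so a wrong offset is obvious
    img[0x420:0x423] = b"\x55\x8b\xec"   # push ebp; mov ebp, esp  (prologue at RVA 0x1020)
    img[0x610:0x612] = b"\x60\xbe"       # pushad; mov esi, ...    (packer-style stub at RVA 0x2010)
    return bytes(img)


if __name__ == "__main__":
    for rva in (0x1020, 0x2010, 0x2250):
        img = build_sample_pe(rva)
        r = locate_entry_point(img)
        on_disk = "none on disk" if r["file"] is None else "0x%x" % r["file"]
        print("EP RVA 0x%04x -> section %s, memory 0x%x, file %s (naive formula 0x%x)"
              % (rva, r["section"], r["memory"], on_disk, naive_file_offset(parse_pe(img))))
```

With the entry point at RVA 0x1020 the correct file offset is 0x420, where the planted prologue bytes sit; the naive formula reports 0x620, which is inside `.pack`. Moving the entry point to 0x2010 shows the `.text`/BaseOfCode shortcut failing while the section lookup still resolves it, and 0x2250 falls in the memory-only tail of `.pack`, so there is no file offset to report.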

 

You can send us your questions and comments to our Twitter account: @redinskala where you’ll find more information and security tips.

Thanks for your visit!
