Kind of a simple question. How does a program like IDA locate the entry point of an exe? If I wanted to, could i find this with just a hex editor manually?
Asked
Active
Viewed 1.4k times
10
-
1Pe format (portable exectable)is documented exes are created in pe format. The header of pe contains a structure member called Address of Entrypoint – blabb Mar 05 '17 at 04:07
1 Answers
7
The entry point is defined in the PE header. The full docs for its layout can be found here https://msdn.microsoft.com/en-us/library/ms809762.aspx
The field is DWORD AddressOfEntryPoint. So you would have to work out the offset of this value from the start of the header based on the size of the preceding fields to find it in a hex editor
0xC0000022L
- 10,908
- 9
- 41
- 79
Unlogic
- 206
- 1
- 1