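I created helloworld.exe from a single line,
printf("helloworld!\n");
in C.
Then I used UltraEdit to view the bytes of the EXE file and PE Explorer to view the header values. When it comes to the Address of Entry Point, PE Explorer shows 0x004012c0.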
Magic                          010Bh      PE32
Linker Version                 1902h      2.25
Size of Code                   00008000h
Size of Initialized Data       0000B000h
Size of Uninitialized Data     00000C00h
Address of Entry Point         004012C0h
Base of Code                   00001000h
Base of Data                   00009000h
Image Base                     00400000h
But in UltraEdit, I see 0x000012c0 after counting 16 bytes past the magic 0x010B.
3F 02 00 00 E0 00 07 03 0B 01 02 19 00 80 00 00 00 B0 00 00 00 0C 00 00 C0 12 00 00 00 10 00 00 00 90 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 10 01 00 00 04 00 00 91 F6 00 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 C0 06 00 00 00 00 00 00 00 00 00 00
Which one is correct?
Answer 0: (score: 1)
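Just read the IMAGE_OPTIONAL_HEADER structure:
AddressOfEntryPoint
A pointer to the entry point function, relative to the image base address. For executable files, this is the starting address. For device drivers, this is the address of the initialization function. The entry point function is optional for DLLs. When no entry point is present, this member is zero.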
The absolute address of EntryPoint is AddressOfEntryPoint ? ImageBase + AddressOfEntryPoint : 0
In your case AddressOfEntryPoint == 12c0 and ImageBase == 400000.
As a result, the absolute address of EntryPoint is 12c0+400000==4012c0
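The calculation in this answer, as an added example that is not part of the original post: it reads AddressOfEntryPoint and ImageBase from the optional header bytes in the question's hex dump and derives the absolute address. It goes beyond the PE32 case on this page by also handling PE32+ (magic 0x20B, 8-byte ImageBase) and locating the header in a whole file; the function names are hypothetical.

```python
import struct

PE32_MAGIC, PE32_PLUS_MAGIC = 0x10B, 0x20B

# First 32 bytes of the optional header, copied from the question's hex dump
# (starting at the magic bytes 0B 01).
SAMPLE_OPTIONAL_HEADER = bytes.fromhex(
    "0B01 0219 00800000 00B00000 000C0000 C0120000 00100000 00900000 00004000"
)


def optional_header_offset(image: bytes) -> int:
    """Locate the optional header inside a whole PE file (hypothetical helper)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20  # skip PE signature and 20-byte COFF file header


def parse_entry_point(data: bytes, offset: int = 0) -> dict:
    """Read the entry point RVA and image base; all fields are little-endian."""
    (magic,) = struct.unpack_from("<H", data, offset)
    # AddressOfEntryPoint sits 16 bytes into the header in both PE32 and PE32+.
    (rva,) = struct.unpack_from("<I", data, offset + 16)
    if magic == PE32_MAGIC:
        # PE32: BaseOfData at +24, 4-byte ImageBase at +28.
        (image_base,) = struct.unpack_from("<I", data, offset + 28)
    elif magic == PE32_PLUS_MAGIC:
        # PE32+: no BaseOfData, 8-byte ImageBase at +24.
        (image_base,) = struct.unpack_from("<Q", data, offset + 24)
    else:
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    # A zero RVA means "no entry point", so the absolute address is 0 as well.
    va = image_base + rva if rva else 0
    return {"magic": magic, "rva": rva, "image_base": image_base, "va": va}


if __name__ == "__main__":
    info = parse_entry_point(SAMPLE_OPTIONAL_HEADER)
    print(f"file stores RVA {info['rva']:#010x}, "
          f"ImageBase {info['image_base']:#010x}, "
          f"absolute entry point {info['va']:#010x}")
```

The hex editor shows the stored RVA (C0 12 00 00 in little-endian byte order), while PE Explorer shows the sum with ImageBase.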