Cannot find AddressOfEntryPoint in the notepad.exe PE header

Date: 2018-08-29 17:07:49

Tags: windows windows-10 executable portable-executable coff

I am reading the book Advanced .NET Debugging, which refers to the 32-bit notepad.exe and says I should be able to find AddressOfEntryPoint at offset 0x108, which should be an RVA of 0x31F8.

I am using 64-bit Windows 10, and it does not appear to be there; the value is 0x0B02.

When I try to disassemble in ntsd, I get a memory access error (I was expecting notepad!WinMainCRTStartup):

Microsoft (R) Windows Debugger Version 10.0.17134.12 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: \Windows\notepad.exe

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*C:\Symbols\Microsoft
*http://msdl.microsoft.com/download/symbols
Symbol search path is: srv*C:\Symbols\Microsoft
*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00007ff6`50db0000 00007ff6`50df1000   notepad.exe
ModLoad: 00007ffe`72370000 00007ffe`72540000   ntdll.dll
ModLoad: 00007ffe`6f970000 00007ffe`6fa1c000   C:\WINDOWS\System32\KERNEL32.DLL
ModLoad: 00007ffe`6e880000 00007ffe`6ea9d000   C:\WINDOWS\System32\KERNELBASE.dll
ModLoad: 00007ffe`6fea0000 00007ffe`6ff42000   C:\WINDOWS\System32\ADVAPI32.dll
ModLoad: 00007ffe`6fbf0000 00007ffe`6fc8e000   C:\WINDOWS\System32\msvcrt.dll
ModLoad: 00007ffe`70af0000 00007ffe`70b49000   C:\WINDOWS\System32\sechost.dll
ModLoad: 00007ffe`720c0000 00007ffe`721e1000   C:\WINDOWS\System32\RPCRT4.dll
ModLoad: 00007ffe`70690000 00007ffe`706c4000   C:\WINDOWS\System32\GDI32.dll
ModLoad: 00007ffe`6f5c0000 00007ffe`6f741000   C:\WINDOWS\System32\gdi32full.dll
ModLoad: 00007ffe`721f0000 00007ffe`72355000   C:\WINDOWS\System32\USER32.dll
ModLoad: 00007ffe`6e860000 00007ffe`6e87e000   C:\WINDOWS\System32\win32u.dll
ModLoad: 00007ffe`70790000 00007ffe`70a58000   C:\WINDOWS\System32\combase.dll
ModLoad: 00007ffe`6f750000 00007ffe`6f845000   C:\WINDOWS\System32\ucrtbase.dll
ModLoad: 00007ffe`6eaa0000 00007ffe`6eb0a000   C:\WINDOWS\System32\bcryptPrimitives.dll
ModLoad: 00007ffe`706d0000 00007ffe`7078f000   C:\WINDOWS\System32\OLEAUT32.dll
ModLoad: 00007ffe`6f4c0000 00007ffe`6f55c000   C:\WINDOWS\System32\msvcp_win.dll
ModLoad: 00007ffe`700b0000 00007ffe`701aa000   C:\WINDOWS\System32\COMDLG32.dll
ModLoad: 00007ffe`60bd0000 00007ffe`60e4a000   C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.2273_none_7de240fc83403786\COMCTL32.dll
ModLoad: 00007ffe`6f850000 00007ffe`6f8f9000   C:\WINDOWS\System32\shcore.dll
ModLoad: 00007ffe`6fe40000 00007ffe`6fe92000   C:\WINDOWS\System32\SHLWAPI.dll
ModLoad: 00007ffe`70bb0000 00007ffe`720b5000   C:\WINDOWS\System32\SHELL32.dll
ModLoad: 00007ffe`6f1f0000 00007ffe`6f232000   C:\WINDOWS\System32\cfgmgr32.dll
ModLoad: 00007ffe`6eb10000 00007ffe`6f1e9000   C:\WINDOWS\System32\windows.storage.dll
ModLoad: 00007ffe`6e7d0000 00007ffe`6e81c000   C:\WINDOWS\System32\powrprof.dll
ModLoad: 00007ffe`6e820000 00007ffe`6e82f000   C:\WINDOWS\System32\kernel.appcore.dll
ModLoad: 00007ffe`6e840000 00007ffe`6e854000   C:\WINDOWS\System32\profapi.dll
ModLoad: 00007ffe`6a480000 00007ffe`6a605000   C:\WINDOWS\SYSTEM32\PROPSYS.dll
ModLoad: 00007ffe`5cca0000 00007ffe`5ccb7000   C:\WINDOWS\SYSTEM32\FeClient.dll
ModLoad: 00007ffe`678f0000 00007ffe`67976000   C:\WINDOWS\SYSTEM32\WINSPOOL.DRV
ModLoad: 00007ffe`61120000 00007ffe`612e2000   C:\WINDOWS\SYSTEM32\urlmon.dll
ModLoad: 00007ffe`6e710000 00007ffe`6e73b000   C:\WINDOWS\SYSTEM32\bcrypt.dll
ModLoad: 00007ffe`62140000 00007ffe`623e5000   C:\WINDOWS\SYSTEM32\iertutil.dll
(40d8.452c): Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
ntdll!LdrInitShimEngineDynamic+0x360:
00007ffe`72442cc0 cc              int     3
0:000> u 00007ff2+0x0b02
00000000`00008af4 ??              ???
                       ^ Memory access error in 'u 00007ff2+0x0b02'

Is this due to 32/64-bit?

What should I do?

0 answers:

No answers
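An added example, not part of the original post: AddressOfEntryPoint sits 16 bytes into the optional header, which starts at `e_lfanew + 24`, so its file offset moves with `e_lfanew`, and in a PE32+ image the bytes `0B 02` are the optional header's Magic (0x20B). The parser below walks the headers for both PE32 and PE32+ and adds the RVA to the base the loader reported. The `e_lfanew` values (0xE0, 0xF0), the 64-bit RVA 0x1A410 and both image bases are constructed for the demo; only 0x108, 0x31F8 and the ModLoad base come from the question.

```python
import struct

PE32, PE32_PLUS = 0x10B, 0x20B  # IMAGE_OPTIONAL_HEADER.Magic values

def entry_point_info(data: bytes) -> dict:
    """Find AddressOfEntryPoint by walking the headers instead of using a fixed offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 4 + 20  # skip "PE\0\0" signature and IMAGE_FILE_HEADER
    if len(data) < opt + 32 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad or truncated PE header")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32, PE32_PLUS):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    (ep_rva,) = struct.unpack_from("<I", data, opt + 16)  # same slot in both formats
    if magic == PE32:
        (image_base,) = struct.unpack_from("<I", data, opt + 28)  # after BaseOfData
    else:
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)  # no BaseOfData in PE32+
    return {"bits": 32 if magic == PE32 else 64, "ep_file_offset": opt + 16,
            "ep_rva": ep_rva, "image_base": image_base}

def runtime_va(load_base: int, rva: int) -> int:
    """Address to disassemble: the base the loader actually used (ModLoad) plus the RVA."""
    return load_base + rva

def make_sample(e_lfanew: int, magic: int, ep_rva: int, image_base: int) -> bytes:
    """Constructed header-only image for the demo; not a real notepad.exe."""
    buf = bytearray(e_lfanew + 24 + 32)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    opt = e_lfanew + 24
    struct.pack_into("<H", buf, opt, magic)
    struct.pack_into("<I", buf, opt + 16, ep_rva)
    if magic == PE32:
        struct.pack_into("<I", buf, opt + 28, image_base)
    else:
        struct.pack_into("<Q", buf, opt + 24, image_base)
    return bytes(buf)

if __name__ == "__main__":
    # Constructed inputs: e_lfanew values, the 64-bit RVA and both image bases are assumptions.
    for sample in (make_sample(0xE0, PE32, 0x31F8, 0x01000000),
                   make_sample(0xF0, PE32_PLUS, 0x1A410, 0x140000000)):
        info = entry_point_info(sample)
        print({k: hex(v) for k, v in info.items()}, "bytes@0x108:", sample[0x108:0x10A].hex())
    print(hex(runtime_va(0x00007FF650DB0000, 0x1A410)))  # load base from the ModLoad line
```

On a real file, pass the bytes of the image to `entry_point_info` and use the notepad.exe base from the debugger's ModLoad line as `load_base`.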