
How to find an Entry Point in a PE Win32 File?

blackdoor asked:
Hi !

I need to find the PE Win32 entry point (offset), but I can't use the FileMapping API functions... because I need to use this in MS-DOS mode...

C/C++ source code to locate the entry point offset would be good...

Thanks

BRONZE EXPERT
Author of the Year 2009
Commented:
See:
http://www.microsoft.com/MSJ/backissues96.asp

The entire spec is laid out in MSDN. Search for
"Microsoft Portable Executable"

I hope you are not planning to use this information to create a computer virus.

-- Dan

Author

Commented:
Hi !

No... I'm working on an antivirus program...
But I'm working in MS-DOS now...
After this version is ready, I'm going to do the Windows version...

Thanks

Author

Commented:
Hi !

Thanks for the reply, but the link you gave uses the FileMapping API functions :-(

I need to get the entry point without using API functions, because I need to use this in MS-DOS mode...

Thank you


BRONZE EXPERT
Author of the Year 2009

Commented:
Here is a direct link to the detailed specification, because searching MSDN is a complicated process:

  http://www.microsoft.com/HWDEV/hardware/PECOFF.htm

Yes, most articles that discuss PE and COFF will use memory-mapped files because that is a sensible way to access an EXE file.  But that is just an implementation detail.  The same articles discuss the layouts of the headers and illustrate how to access them.  A file offset is a file offset, whether you have mapped it into memory or not.

-- Dan

Author

Commented:
Thanks... but the value inside the PE is an RVA and not the real offset... :-(

BRONZE EXPERT
Author of the Year 2009

Commented:
You don't really want to try very hard, do you?  You know, a successful virus writer needs to be able to do some kinda technical stuff.  Ya know, read specs and such icky bunk.  Maybe you should ask that nerdy guy over there in the lunchroom....

But I'll cut you some slack.

As the document clearly states, after the PE signature there is a 20-byte COFF file header.  After that comes the Optional Header.  Offset 16 of that is a four-byte field named AddressOfEntryPoint.  Hmmm, I wonder if that has anything to do with the Entry Point of the program.  Unlikely, but, what the heck... let's take a little looksee.  Those four bytes in my little test EXE are F0 B8 01 00.

But that can't possibly be a file offset!  The doc says that it is one of those mysterious RVAs.  Oh No!  What are those letters mixed in with the numbers?  Oh ya, hex or voodoo numbers, something like that.  Anyway, the file is not 4038590720 bytes long!  Hmmm... I wonder if perhaps the numbers are reversed... a nerdy guy once talked about Intel and "Big Indians".  It was all so confusing...

-- Dan
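
As an added example (not code from this thread), the routine below applies the header layout Dan describes, reading e_lfanew, the "PE\0\0" signature, the 20-byte COFF header and AddressOfEntryPoint at offset 16 of the Optional Header, with plain little-endian byte reads so it needs no file-mapping API. It then goes one step beyond the thread and resolves that RVA to a file offset by walking the section table (VirtualAddress, SizeOfRawData, PointerToRawData), which is the step blackdoor is missing. The PE skeleton it parses is a constructed sample with made-up values, not a real executable, and the function names are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* PE fields are little-endian: the bytes F0 B8 01 00 mean 0x0001B8F0. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Translate AddressOfEntryPoint (an RVA) into a file offset by walking the
 * section table. img/len is the file contents (or at least its headers) read
 * into memory with ordinary file I/O. Returns the offset, or -1 if the image
 * is malformed or the RVA is not backed by bytes on disk. */
long pe_entry_point_offset(const uint8_t *img, size_t len, uint32_t *rva_out)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t e_lfanew = rd32(img + 0x3C);            /* file offset of "PE\0\0" */
    if (e_lfanew > len - 44) return -1;              /* sig + COFF + 20 bytes of optional header */
    if (memcmp(img + e_lfanew, "PE\0\0", 4) != 0) return -1;

    const uint8_t *coff = img + e_lfanew + 4;        /* 20-byte COFF file header */
    uint16_t nsec    = rd16(coff + 2);               /* NumberOfSections */
    uint16_t optsize = rd16(coff + 16);              /* SizeOfOptionalHeader */
    if (optsize < 20) return -1;                     /* too short to hold AddressOfEntryPoint */

    const uint8_t *opt = coff + 20;                  /* Optional Header */
    uint32_t entry_rva = rd32(opt + 16);             /* AddressOfEntryPoint, an RVA */
    if (rva_out) *rva_out = entry_rva;

    size_t sec_off = (size_t)e_lfanew + 24 + optsize; /* section table follows the optional header */
    if (sec_off > len || (len - sec_off) / 40 < nsec) return -1;  /* 40-byte section headers */

    for (unsigned i = 0; i < nsec; i++) {
        const uint8_t *s = img + sec_off + (size_t)i * 40;
        uint32_t vsize  = rd32(s + 8);    /* VirtualSize */
        uint32_t vaddr  = rd32(s + 12);   /* VirtualAddress: RVA where the section is loaded */
        uint32_t rawsz  = rd32(s + 16);   /* SizeOfRawData */
        uint32_t rawptr = rd32(s + 20);   /* PointerToRawData: file offset of the section */
        uint32_t span   = vsize > rawsz ? vsize : rawsz;
        if (entry_rva >= vaddr && entry_rva - vaddr < span) {
            uint32_t delta = entry_rva - vaddr;
            if (delta >= rawsz) return -1; /* falls in the zero-filled tail: nothing on disk */
            return (long)rawptr + (long)delta;
        }
    }
    return -1;                                       /* RVA belongs to no section */
}

/* Constructed sample (not a real program): a minimal PE skeleton with one
 * section, .text, loaded at RVA 0x1000 and stored at file offset 0x200, and an
 * entry point RVA of 0x1050. Expected file offset: 0x200 + 0x50 = 0x250. */
#define SAMPLE_LEN 0x400
static void build_sample(uint8_t *buf)
{
    memset(buf, 0, SAMPLE_LEN);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, 0x80);                 /* e_lfanew */
    memcpy(buf + 0x80, "PE\0\0", 4);        /* PE signature */
    wr16(buf + 0x84 + 2, 1);                /* NumberOfSections */
    wr16(buf + 0x84 + 16, 0xE0);            /* SizeOfOptionalHeader (PE32) */
    wr16(buf + 0x98, 0x10B);                /* Optional Header Magic: PE32 */
    wr32(buf + 0x98 + 16, 0x1050);          /* AddressOfEntryPoint */
    uint8_t *sec = buf + 0x98 + 0xE0;       /* first section header, at 0x178 */
    memcpy(sec, ".text", 5);
    wr32(sec + 8, 0x200);                   /* VirtualSize */
    wr32(sec + 12, 0x1000);                 /* VirtualAddress */
    wr32(sec + 16, 0x200);                  /* SizeOfRawData */
    wr32(sec + 20, 0x200);                  /* PointerToRawData */
}

long demo_entry_offset(void)
{
    uint8_t img[SAMPLE_LEN];
    build_sample(img);
    return pe_entry_point_offset(img, SAMPLE_LEN, NULL);
}

long demo_entry_rva(void)
{
    uint8_t img[SAMPLE_LEN];
    uint32_t rva = 0;
    build_sample(img);
    pe_entry_point_offset(img, SAMPLE_LEN, &rva);
    return (long)rva;
}

/* Same image but only the first 0x100 bytes available: the section table is
 * cut off, so the bounds check refuses rather than reading past the buffer. */
long demo_truncated(void)
{
    uint8_t img[SAMPLE_LEN];
    build_sample(img);
    return pe_entry_point_offset(img, 0x100, NULL);
}

int main(void)
{
    printf("entry RVA 0x%lX -> file offset 0x%lX\n", demo_entry_rva(), demo_entry_offset());
    printf("truncated image -> %ld\n", demo_truncated());
    return 0;
}
```

For a DOS build the only I/O needed is fopen/fread of the file (or of its first few kilobytes, enough to cover the section table) into a buffer; every check in the function is against `len`, so a truncated or corrupted header is rejected instead of being dereferenced, which matters when the input is an untrusted file.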

Author

Commented:
Hi !

I haven't found a solution for this problem... but I'm studying the doc file you posted to me...

Thanks

BRONZE EXPERT
Author of the Year 2009

Commented:
hi blackdoor,
Do you have any additional questions?  Do any comments need clarification?

-- Dan

Commented:
I think you forgot this question. I will ask Community Support to close it unless you finalize it within 7 days. Unless there is objection or further activity, I will suggest accepting "DanRollins" comment(s) as an answer.

If you think your question was not answered at all, you can post a request in Community support (please include this link) to refund your points.
The link to the Community Support area is: http://www.experts-exchange.com/commspt

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!
-- Werner

Force-accepted by Netminder, CS Moderator
