Windows startup context

Question

Windows startup context

As soon as Windows loads the executable into memory and transfers to the entry point, do the values in the rehydres and the stack make sense? If so, where can I find more information about this?

+3

assembly x86 windows loader portable-executable

Nicolas repiquet May 17 '11 at 9:28

source share

2 answers

5 Windows Internals Fifth Edition Windows, . Windows .

, , . , : Agner Fog

+1

Pete 17 '11 11:07

Igor Skochinsky · Accepted Answer · 2011-05-17T10:45:45+0000

Officially, the registers at the entry point of the PE file do not have specific values. You should use the API, for example GetCommandLine, to get the necessary information. However, since the kernel function, which ultimately transfers control to the entry point, has not changed much from earlier times, some PE packers and malware have begun to rely on their own characteristics. Two more or less reliable registers:

EAX ( call eax )
EBX (PEB).

Windows startup context

More articles: