Entry point (address) of the main file (*.exe) / module of a third-party application: how to find it out? Is it possible without injecting?

For better understanding: [screenshot omitted]

  • I do not know what kind of tool it is, but db 0F suggests that the built-in disassembler does not support some instructions :) - insolor
  • I looked in IDA, the same instructions are displayed. The tool is from cheatengine.org/downloads.php; of course it has a slightly different purpose, but for minor edits it is good enough. - Grigory Ponomarev
  • So this is not code, but data. - insolor


Executable file format: Portable Executable (PE)

At the very beginning of the executable there is an MZ header, in which you can find the offset of the start of the PE header. In the PE header there is a field 'Entry point RVA'; this is the address of the entry point.

UPD. More precisely, RVA is a relative virtual address. To get the address of the entry point, add the value of the 'Image Base' field to the 'Entry point RVA' value.

UPD.2 In short, as I understand it, the "entry point" in the question means the ImageBase field, which for an executable is usually (maybe even always) 0x400000. How a file can load itself at some "random" address is not yet clear.

UPD.3 And the last thing: WinXP did not know how to load a file at an arbitrary base address; Win7 can (most likely Vista and Win8 too), provided there is a relocation table in the executable. So you need to run the program and somehow find out the base address at which it was loaded. Whether to inject or not, I can't say, because I am not familiar with this area.

  • Sorry for the lack of a theoretical basis, something isn't working. I opened the executable I am working on in PE Explorer and looked at the contents of the header. If I understood correctly, it showed me: Entry point RVA = 00522B19, Image Base = 00400000. Now suppose the file is running. What are my actions? I go to 00522B19, read a dword from it, add Image Base and this will be the entry point? But this does not work, because in the running application there is no address 00522B19. Or 00522B19 + 00400000? But there is no such address either. I feel stupid. - Grigory Ponomarev
  • In all the Delphi applications I opened, the entry point of the main module is 00400000. The exe I need to manipulate is written in C++, and its entry point is randomized each time :( - Grigory Ponomarev
  • Download PEiD and see what it says. The Entry Point cannot be random: this is exactly the field by which the OS determines where to start running the file from. - insolor
  • By the way, what is shown in the figure is not the entry point, but ImageBase + BaseOfCode. > Now suppose the file is running. What are my actions? I go to 00522B19, read a dword from it, add Image Base and this will be the entry point? No, you need to open the file itself, not go into memory. - insolor
  • Just look at what the task is. I create a process with the CreateProcess function, launching some foreign exe with the CREATE_SUSPENDED flag. I need to change a conditional jump to an unconditional one, roughly speaking correct 1 byte, and then do ResumeThread. To do this you would have to inject a DLL into the process, but it would be easier to use the VirtualProtectEx + WriteProcessMemory combination so as not to drag in anything extra. This 1 byte is located in the process memory at the address "file.exe" + 116D1, but the .exe address in memory is always different. I have problems with terminology (PEiD invariably reports "00122B19"). - Grigory Ponomarev
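As an added example (not code from this thread), here is a Python reader for the header fields the answer describes, MZ header, e_lfanew, AddressOfEntryPoint and ImageBase, plus the two fields that explain the "random" base from UPD.3: the DYNAMIC_BASE flag in DllCharacteristics and the relocation directory. The header bytes are constructed by build_sample_pe32 for offline use, reusing the RVA 122B19 and base 400000 quoted in the comments; it is not a runnable executable.

```python
import struct

DYNAMIC_BASE = 0x0040          # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR opt-in)
BASERELOC_DIR = 5              # IMAGE_DIRECTORY_ENTRY_BASERELOC slot index

def parse_pe_entry(data):
    """Return ImageBase, entry RVA, preferred entry VA, ASLR flag, reloc presence."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # offset of PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                                 # skip sig + COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    if magic == 0x10B:                                      # PE32 (32-bit)
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        dirs = opt + 96
    elif magic == 0x20B:                                    # PE32+ (64-bit)
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    reloc_size = struct.unpack_from("<I", data, dirs + 8 * BASERELOC_DIR + 4)[0]
    return {
        "image_base": image_base,
        "entry_rva": entry_rva,
        "entry_va": image_base + entry_rva,   # only the *preferred* address
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "has_relocs": reloc_size != 0,
    }

def build_sample_pe32(entry_rva, image_base, dll_chars, reloc_size):
    """Constructed minimal PE32 header (not a runnable exe) for offline testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)              # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)             # ImageBase
    struct.pack_into("<H", opt, 70, dll_chars)              # DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * BASERELOC_DIR,
                     0x5000 if reloc_size else 0, reloc_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

When both aslr and has_relocs are true, entry_va is only the preferred address: the loader may place the image elsewhere, which is why the static header alone does not give the live address the asker is looking for.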

As I understood the question, you need this:

 ExtractFilePath(Application.ExeName);

It extracts the full path (address) of the exe.

  • Oops, I made a mistake in the word Application :( - romanzi
  • Apparently I misunderstood. Look, there is my application, the executable file Project1.exe. This is how I get the entry point (perhaps not quite correctly expressed) of the main executable file: Form1.Caption := IntToHex(DWORD(LoadLibrary(PAnsiChar(ExtractFileName(GetModuleName(0))))), 4); Don't be put off, I love multi-storey nested functions. Or like this: Form1.Caption := IntToHex(DWORD(GetModuleHandle(nil)), 4); So, this is in my own application. I'm not sure this is the right thing at all, but it gives the correct address. And what if I need to find out the same thing in someone else's application? - Grigory Ponomarev