Hi guys! I am new here, but I've been more or less programming in inline assembler for quite a while... with VC++, that is.
I need to find information about the way Windows exe files are structured, and especially important is how Windows loads the exe file into memory and executes it.
Also, does it alter any parts of the file in memory, e.g. memory locations and such? Any virtual to physical memory mapping?
Another question is: when we deal with memory in Windows, those are virtual addresses, not physical, right? Also, does Windows use segment registers for any purpose?
Thanks in advance!
I think you can start by reading the PE tutorial written by Iczelion.
When Windows loads a PE, it reads the section information and maps it into memory (according to the value set in the imagebase, which usually is 40000h). Then the exe is executed according to the entrypoint (add the value of the entrypoint to the value of the imagebase and Windows executes from there).
All I know is that fs is used for TIB and SEH.
Thanks a lot. But where is that tutorial to be found?
And sorry, I am not THAT 733t h0x0r, I don't know what TIB, SEH and imagebase are? :) I've only used inline assembly, which is kind of simple when one is not a big expert in hardware architecture.
http://win32asm.cjb.net
Tutorial Section -> PE Tutorials
Here's the complete PE tutorials by Iczelion. http://win32assembly.online.fr/files/pe-tuts.zip
Well, you've heard of entrypoint, I suppose? Imagebase is one of the values in the structures of the PE format, IMAGE_NT_HEADER if I remember correctly. TIB is the thread information block or something like that. (Waiting for f0dder to post something related to it, since I suppose he is the best man to explain it.)
Some links with relations to TIB/TEB (searching msdn)
http://www.microsoft.com/msj/archive/S2CE.aspx
Links related to SEH (structured exception handling)
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/frame_based_exception_handling.asp
PS I have attached the pecoff document by microsoft for you to read.
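Added example (not part of any post in this thread, and not code from the tutorials linked above): a small parser that reads ImageBase and AddressOfEntryPoint from the PE optional header and lists where each section would be mapped, following the imagebase + entrypoint arithmetic described earlier in the thread. The function names and the sample header bytes are constructed for illustration.

```python
import struct

def parse_pe_headers(data: bytes) -> dict:
    """Return ImageBase, entry point VA and section layout from raw PE bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ (DOS) header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # file offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte signature.
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                  # IMAGE_OPTIONAL_HEADER
    if opt_size < 32 or opt + opt_size + nsect * 40 > len(data):
        raise ValueError("truncated headers")
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    if magic == 0x10B:                                   # PE32: 32-bit ImageBase
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:                                 # PE32+: 64-bit ImageBase
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic")
    sections = []
    for i in range(nsect):                               # 40-byte IMAGE_SECTION_HEADERs
        off = opt + opt_size + i * 40
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, rva, _, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "va": image_base + rva,
                         "vsize": vsize, "file_offset": raw_ptr})
    return {"image_base": image_base, "entry_va": image_base + entry_rva,
            "sections": sections}

def build_sample() -> bytes:
    """Constructed PE32 headers only (no code); every value is made up."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew stored at 0x3C
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)              # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)            # ImageBase (constructed)
    text = (b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x400)
            + b"\0" * 12 + struct.pack("<I", 0x60000020))
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + text

if __name__ == "__main__":
    info = parse_pe_headers(build_sample())
    print(hex(info["image_base"]), hex(info["entry_va"]), info["sections"])
```

To inspect a real file, pass its bytes, e.g. `parse_pe_headers(open(path, "rb").read())`; the addresses reported are the preferred ones from the headers, which the loader may change if it relocates the image.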