Windows initial execution context
Question
Once Windows has loaded an executable into memory and transferred execution to the entry point, are the values in the registers and on the stack meaningful? If so, where can I find more information about it?
Answer
Officially, the registers at the entry point of a PE file do not have defined values. You're supposed to use APIs, such as GetCommandLine, to retrieve the information you need. However, since the kernel function that eventually transfers control to the entry point did not change much from the old days, some PE packers and malware started to rely on its peculiarities. The two more or less reliable registers are:
- EAX points to the application's entry point (because the kernel function uses "call eax" to jump to it).
- EBX points to the Process Environment Block (PEB).
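The following is an added example, not code from the original answer, showing how an analyst can check the two undocumented claims above on a 32-bit Windows build: a custom entry point snapshots EAX and EBX before anything else runs, then compares EBX against the PEB pointer obtained the documented way (FS:[0x30] in the 32-bit TEB) and EAX against the entry point's own address. The assembler/linker command line is an assumption about the toolchain (NASM plus the MSVC linker with kernel32.lib); the exit code is the only output.

```nasm
; Added example (not part of the original answer). 32-bit Win32 console image with
; a custom entry point. Assumed build:
;   nasm -f win32 entry.asm
;   link /subsystem:console /entry:start /nodefaultlib entry.obj kernel32.lib
; Run it and inspect %errorlevel%: 0 means both undocumented values held,
; bit 0 set means EBX was not the PEB, bit 1 set means EAX was not the entry point.
bits 32
extern _ExitProcess@4
global start

section .data
saved_eax dd 0                  ; EAX as left by the loader at entry
saved_ebx dd 0                  ; EBX as left by the loader at entry

section .text
start:
    mov [saved_eax], eax        ; snapshot before any instruction clobbers them
    mov [saved_ebx], ebx
    xor ecx, ecx                ; ECX accumulates a bit mask of failed checks

    ; Documented route to the PEB on 32-bit Windows: TEB (FS base) + 0x30.
    mov eax, [fs:0x30]
    cmp eax, [saved_ebx]
    je .ebx_ok
    or ecx, 1                   ; bit 0: EBX != PEB
.ebx_ok:

    ; The address of this very entry point, resolved by the linker.
    cmp dword [saved_eax], start
    je .eax_ok
    or ecx, 2                   ; bit 1: EAX != entry point
.eax_ok:

    push ecx                    ; exit code = failed-check mask (0 = both held)
    call _ExitProcess@4
```

Because the values come from loader behaviour rather than a documented contract, a non-zero exit code on a given Windows build is not a bug in the OS; it is exactly the fragility the answer warns about, and the robust program reads the PEB through the TEB and the command line through GetCommandLine instead of trusting EAX/EBX at entry.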