Category : portable-executable

PIMAGE_NT_HEADERS ntheaders = (PIMAGE_NT_HEADERS)(PCHAR(virtualpointer) + PIMAGE_DOS_HEADER(virtualpointer)->e_lfanew); In the code above, virtualpointer points to a memory location that has a PE file loaded. I want to know why virtualpointer is in brackets in front of PIMAGE_DOS_HEADER. How does it handle the pointer, and how is e_lfanew getting its value? I ..


To clarify, my specific confusion is centered around the fact that all instructions in a PE executable are written assuming the base image address is 00400000. However, when debugging an executable, the addresses used adapt to whatever base image address is decided at runtime. I have opened a simple process at a base image ..


So after debugging a few executables on windbg I saw that sometimes the module name was different from the image name. Upon first loading the executable and setting a breakpoint before the entry point, the lmDvm command shows this. start end module name 00a30000 00a38000 Injection C (no symbols) Loaded symbol image file: C:\Users\user\Downloads\Bird.exe Image ..
