Once Windows has loaded an executable in memory and transferred execution to the entry point, are the values in the registers and on the stack meaningful? If so, where can I find more information about it?
Chapter 5 of Windows Internals Fifth Edition covers the mechanism of Windows creating a process in detail. That would give you more information about Windows loading an executable in memory and transferring execution to the entry point.
I found this up-to-date reference that covers how registers are used in various calling conventions on various operating systems and by various compilers. It's quite detailed, and seems comprehensive: Agner Fog's Calling Conventions document
Officially, the registers at the entry point of a PE file do not have defined values. You're supposed to use APIs, such as `GetCommandLine`, to retrieve the information you need. However, since the kernel function that eventually transfers control to the entry point did not change much from the old days, some PE packers and malware started to rely on its peculiarities. The two more or less reliable registers are:

- EAX points to the entry point of the application (because the kernel function uses `call eax` to jump to it)
- EBX points to the Process Environment Block (PEB).
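As an added example (not code from the question or the answers above): the address the loader transfers control to, the value the last answer says ends up in EAX, is `ImageBase + AddressOfEntryPoint` from the PE optional header. The script below reads it from the headers and reports which section it lands in, a first triage step for packed images; `build_pe32_headers` is a constructed header-only stand-in so it runs offline.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def parse_entry_point(data: bytes) -> dict:
    """Locate the entry point the loader calls and the section containing it."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # IMAGE_FILE_HEADER: NumberOfSections at +2, SizeOfOptionalHeader at +16
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                  # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    if magic == 0x10B:                                   # PE32: DWORD ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                 # PE32+: QWORD ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    info = {"image_base": image_base, "entry_rva": entry_rva,
            "entry_va": image_base + entry_rva, "section": None,
            "executable": False, "writable": False}
    for i in range(nsec):                                # 40-byte IMAGE_SECTION_HEADERs
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        if vaddr <= entry_rva < vaddr + vsize:
            info.update(section=name, executable=bool(chars & IMAGE_SCN_MEM_EXECUTE),
                        writable=bool(chars & IMAGE_SCN_MEM_WRITE))
    return info

def build_pe32_headers(entry_rva: int, sections) -> bytes:
    """Constructed PE32 headers for the demo (not a loadable file); ImageBase 0x400000."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva, 0x1000, 0x2000)
    opt = (opt + struct.pack("<I", 0x400000)).ljust(224, b"\0")
    fh = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, 0, 0, 0, 0, 0, 0, ch)
                    for n, va, vs, ch in sections)   # (name, VirtualAddress, VirtualSize, Characteristics)
    return dos + b"PE\0\0" + fh + opt + secs

if __name__ == "__main__":
    img = build_pe32_headers(0x3010, [(b".text", 0x1000, 0x2000, 0x60000020),
                                      (b".data", 0x3000, 0x1000, 0xC0000040)])
    print(parse_entry_point(img))
```

An entry point that lands in a writable or non-executable section, as in the constructed sample, is a common sign that a stub will unpack code at run time before the real program starts.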