
Finding program entry point without symbols


Spacen Jasset

May 14, 2004, 10:17:51 AM
If I load a PE file into windbg, what is the best way of finding the
program entry point? At the moment I do this:

!ntsdexts.dh <mod-name>

u image_base + entry point address


Andre Vachon [MS]

May 14, 2004, 12:45:33 PM
There is a $exentry pseudo register in the debugger which has the value you
want.

For example:

0:000> ln @$exentry
(01031490) mspaint!wWinMainCRTStartup | (0103167a)
mspaint!type_info::`vector deleting destructor'
Exact matches:
mspaint!wWinMainCRTStartup = <no type information>

-Andre

"Spacen Jasset" <spacen...@yahoo.co.uk> wrote in message
news:c82kc2$j46$1...@newsg3.svr.pol.co.uk...

Spacen Jasset

May 16, 2004, 5:29:45 PM
Thanks!


Spacen Jasset

May 17, 2004, 5:59:11 PM
It doesn't seem to work unless there are symbols available, e.g.:


For calc.exe, with symbols from the MS website:

0:000> u $exentry
calc!WinMainCRTStartup:
01012420 55 push ebp
01012421 8bec mov ebp,esp
01012423 6aff push 0xff
01012425 6820160001 push 0x1001620
0101242a 6880270101 push 0x1012780
0101242f 64a100000000 mov eax,fs:[00000000]
01012435 50 push eax
01012436 64892500000000 mov fs:[00000000],esp

For a program I compiled with no symbols at all, scan.exe:

0:000> u $exentry
^ Bad register error in 'u $exentry'

I don't understand.


Andre Vachon [MS]

May 18, 2004, 1:36:11 AM
Works fine for me for random images without symbols.

What version of the debugger are you using?

-Andre

"Spacen Jasset" <spacen...@yahoo.co.uk> wrote in message
news:c8bch3$van$1...@newsg2.svr.pol.co.uk...

Spacen Jasset

May 18, 2004, 9:08:17 AM

"Andre Vachon [MS]" <and...@online.microsoft.com> wrote in message
news:ODJZSoJP...@TK2MSFTNGP09.phx.gbl...

> Works fine for me for random images without symbols.
>
> What version of the debugger are you using?
>
> -Andre

I am using:

dbgeng: image 6.2.0007.4, built Wed Apr 23 19:54:23 2003

There is a 'shipped with Windows' version of NTSD in c:\windows\system32, but
that one is older and isn't the one that is running. Its debugger version:
5.0.9, built Thu Nov 18 21:21:22 1999


0:000> version
Windows 2000 Version 2195 (Service Pack 4) UP Free x86 compatible
Product: WinNt
Debug session time: Tue May 18 14:01:13 2004
System Uptime: 0 days 0:36:47.897
Process Uptime: 0 days 0:00:03.434
Kernel time: 0 days 0:00:00.000
User time: 0 days 0:00:00.010
Live user mode: <Local>
command line: '"C:\Program Files\Debugging Tools for Windows\windbg.exe" '
Debugger Process 0x610
dbgeng: image 6.2.0007.4, built Wed Apr 23 19:54:23 2003
[path: C:\Program Files\Debugging Tools for Windows\dbgeng.dll]
dbghelp: image 6.2.0007.4, built Wed Apr 23 19:54:10 2003
[path: C:\Program Files\Debugging Tools for Windows\dbghelp.dll]
DIA version: 30423
...
Extension DLL chain:
dbghelp: image 6.2.0007.4, API 6.0.6, built Wed Apr 23 19:54:10 2003
[path: C:\Program Files\Debugging Tools for Windows\dbghelp.dll]
ext: image 6.2.0007.4, API 1.0.0, built Wed Apr 23 19:54:01 2003
[path: C:\Program Files\Debugging Tools for Windows\winext\ext.dll]
uext: image 6.2.0007.4, API 1.0.0, built Wed Apr 23 19:54:04 2003
[path: C:\Program Files\Debugging Tools for Windows\winext\uext.dll]
ntsdexts: image 5.00.2195.6618, built Tue Nov 19 00:21:06 2002
[path: C:\Program Files\Debugging Tools for Windows\W2KFre\ntsdexts.dll]
Version 5.0 (Build 2195: Service Pack 4) Uniprocessor Free


Andre Vachon [MS]

May 19, 2004, 12:05:12 PM
You should try the latest debugger, version 6.3.11, from our web site.

-Andre

"Spacen Jasset" <spacen...@yahoo.co.uk> wrote in message
news:c8d1pl$ma7$1...@news7.svr.pol.co.uk...

Spacen Jasset

May 19, 2004, 6:09:23 PM

"Andre Vachon [MS]" <and...@online.microsoft.com> wrote in message
news:OqQGgsbP...@TK2MSFTNGP10.phx.gbl...

> You should try the latest debugger, version 6.3.11, from our web site.
>
> -Andre
>

OK, that would be the new beta version.

I get the same result:

Microsoft (R) Windows Debugger Version 6.3.0011.2
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: C:\cvs\localhost\Wildfire\scan\Release\scan.exe
Symbol search path is:
.;srv*c:\debug_symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 00435000 image00400000
ModLoad: 77f80000 77ffd000 ntdll.dll
ModLoad: 7c570000 7c628000 C:\WINNT\system32\KERNEL32.dll
(63c.3c8): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00131f04 ecx=00000009 edx=00000000 esi=7ffdf000
edi=00131f70
eip=77f813b1 esp=0012f984 ebp=0012fc98 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!DbgBreakPoint:
77f813b1 cc int 3
0:000> ? $exentry
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for
image00400000
Bad register error at '$exentry'


Spacen Jasset

Jun 5, 2004, 8:46:20 AM

"Spacen Jasset" <spacen...@yahoo.co.uk> wrote in message
news:c8gls8$994$1...@newsg1.svr.pol.co.uk...


Does anyone know anything more about this problem? Using $@exentry when you have
no debugging symbols.


Alexander Andrusenko

Jun 7, 2004, 3:34:12 AM
Usually you can use $@exentry even if you have no debugging symbols.

But if your executable is malformed and the file section containing the entry
point does not have the IMAGE_SCN_CNT_CODE flag, a "Bad register" error will
appear. In such cases you can use the expression
image00400000+dwo(image00400000+dwo(image00400000+3c)+28)
instead of the $@exentry register.

"Spacen Jasset" <spacen...@yahoo.co.uk> wrote in message:
news:c9sf8h$t6d$1...@news6.svr.pol.co.uk...
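The expression in the last reply is the manual PE header walk: e_lfanew at offset 0x3c of the MZ header, then AddressOfEntryPoint at offset 0x28 of the PE header. The Python below is an added example (not from the thread or the debugger) that performs the same walk on a PE image offline and also reports whether the section holding the entry RVA carries IMAGE_SCN_CNT_CODE, the condition the reply names for the "Bad register" error; the image it inspects is a constructed minimal PE32 header, not a real executable.

```python
import struct
IMAGE_SCN_CNT_CODE = 0x00000020  # section contains executable code

def entry_point_rva(data: bytes) -> int:
    # Same walk as base+dwo(base+dwo(base+0x3c)+0x28): e_lfanew, then AddressOfEntryPoint.
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return struct.unpack_from("<I", data, e_lfanew + 0x28)[0]

def sections(data: bytes):
    # Section table follows the optional header; each entry is 40 bytes.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 0x14)[0]
    out = []
    for i in range(nsect):
        off = e_lfanew + 0x18 + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va = struct.unpack_from("<II", data, off + 8)
        out.append((name, va, vsize, struct.unpack_from("<I", data, off + 36)[0]))
    return out

def check_entry(data: bytes):
    # (entry_rva, section_name, is_code); section_name is None if no section holds it.
    rva = entry_point_rva(data)
    for name, va, vsize, chars in sections(data):
        if va <= rva < va + vsize:
            return rva, name, bool(chars & IMAGE_SCN_CNT_CODE)
    return rva, None, False

def build_image(entry_rva: int, text_flags: int) -> bytes:
    # Constructed minimal PE32 header with two sections and no real code.
    img = bytearray(0x200)
    img[0:2], pe = b"MZ", 0x40
    struct.pack_into("<I", img, 0x3C, pe)                # e_lfanew
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HH", img, pe + 4, 0x14C, 2)       # i386, 2 sections
    struct.pack_into("<H", img, pe + 0x14, 0xE0)         # SizeOfOptionalHeader
    struct.pack_into("<H", img, pe + 0x18, 0x10B)        # PE32 magic
    struct.pack_into("<I", img, pe + 0x28, entry_rva)    # AddressOfEntryPoint
    for i, (name, va, flags) in enumerate(
            [(b".text", 0x1000, text_flags), (b".data", 0x2000, 0xC0000040)]):
        off = pe + 0x18 + 0xE0 + 40 * i
        img[off:off + len(name)] = name
        struct.pack_into("<II", img, off + 8, 0x100, va)  # VirtualSize, VA
        struct.pack_into("<I", img, off + 36, flags)      # Characteristics
    return bytes(img)
```

Running check_entry on an on-disk file (open it in binary mode and pass the bytes) tells you the RVA to add to the load address when $exentry is unavailable, and whether the entry section is flagged as code.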
