I noticed that despite the imagebase for win32 executables be 0x400000, Ida Pro only starts the analysis at 0x401000. What is before that and how can I change IDA's settings to start the analysis at the imagebase? Thank you.
1 Answer
PE executables start with a header block that consists of a little DOS exe stub (with its own little header), a structure called IMAGE_NT_HEADERS, and a section table. A normal PE has no 32-bit/64-bit executable code there, so IDA doesn't load the header block unless you check "manual load".
Relevant resources:
- Microsoft's PE COFF specification (currently at version 8.3)
- Matt Pietrek's classic Peering Inside the PE: A Tour of the Win32 Portable Executable File Format
- its sequel An In-Depth Look into the Win32 Portable Executable File Format
- ReversingLabs' Undocumented PECOFF
400000h". The code section starts at +1000h.