Why Is The PE Entry Point Not The Same As Main SEH and The _security_init_cookie [Patreon Unlocked]

Full tutorial with self-study examples and some more links in on Patreon here: www.patreon.com/posts/why-is-pe-entry-61343353

Can't wait for the video on calling conventions

Thank you for the breakdown!

I like your tutorials already, but could you pleeeease make font bigger at the beginning of every video?) It will save my eyes)

Nice vid! It's a Visual Studio stub. If you take the same code that was written in VS and compile it with something else (not MSVC), the stub will not be there obviously or you will get something else. But it is good to know this so you can identify the compiler used and know what you should analyze and what is just a compiler code.

Added to my programming playlist

Excellent as always!

This has always confused me especially when the binary is virtualized. Great tutorial, like always

Semi-related: you may have assumed that the code in main is the first code to run in the process. Obviously this video shows that's not true, but it's not the entire story either: there's also code that runs before the entry point, too. If you set x64dbg to break on the entry point and look at the stack, you'll see a return to KERNEL32.DLL on the top of the stack - because even before running the entry point, the Windows loader has to set up the Import Address Table, the TLS Index, etc. so that those things can be read from memory by the executable's code. So KERNEL32.DLL code runs before anything in the main executable file, a bit counterintuitively, and then it calls the entry point like a function pointer.
This fact is sometimes abused by IAT rebuilders in order to avoid calling LoadLibrary and GetProcAddress. The idea is if the code looks up in the stack to where the return to KERNEL32 would be, it can take that address and, knowing it's in KERNEL32 somewhere, keep looking backwards from that address until it finds the PE Header of KERNEL32 (by looking for its signature, "MZ.") Then it can manually traverse KERNEL32's export table to find the addresses of its exports. At this stage, you might use Toolhelp Snapshots to do the same for other DLLs. The return address can also be jumped to, as a way to exit the process without using any imports.

10:20 I think the moves are RCX, RDX, R8 R9 for the first 4 args on x64 and not R10

I'm guessing windows needs to do some fixing before it can call main, like setting up the heap etc...

Do you have any remote positions open for malware reverse engineers? I’ve been learning some stuff over the years from you and I think I’m ready 😤

Nice and useful video! (as alwys) Although I have a dumb question. The caller allocates "shadow space" only on x64 or it also does it in x86? I looked it at myself and my hypothesis is it's only a thing in x64 applications.

What do you think about switching the video thumbnails to dark mode?

Can you please go over how to analyze x86 ELF malware? I have not been able to analyze one. I use readelf, strace, ltrace, gdb for debugging and IDA for static code analysis. The symbols of binaries that I am looking at are stripped and I can’t tell what’s what. I figured I can try to catch every syscall using gdb, or look for int 80 instructions and look for the interesting syscalls I saw in strace and start analysis or something. Is that how you do it? I would like to know your methodology please.

What's stopping malware dev from executing code before the main as a form of "obfuscation"?