
how exe works and how the call for dll and exe file addressing are made

  • How does a Windows-based executable file work?
  • How is the starting address found in the executable file?
  • For any file execution, where are the addresses stored and how can we read those addresses?
  • How do the call and ret for any dll or exe file work?

Give me tips to use ida pro disassembler.


The virtual start address of the program is recorded in the executable's header. Any header viewer program that understands the structure of these can easily show them, such as HT (http://hte.sf.net/) — just to name one. IDAPro may have something similar.


How the call and ret for any dll or exe file works

This actually does depend on whether it's a DLL or an EXE in question.

When Windows' module loader finishes loading a DLL, it calls the start address (known as 'DllMain') of the DLL with the DLL_PROCESS_ATTACH parameter ( see the documentation of DllMain ). If DllMain returns 1, the loader continues on.

However when you launch an EXE, the system spawns a new process and maps ntdll.dll into that process' address space, then spawns the main thread running from NTDLL's start address. That thread then performs more initialisation, loads the EXE file (plus any DLLs listed in its import table) and calls the function identified by the EXE's start address. When that function returns, NTDLL then calls NtTerminateProcess which kills all running threads and closes the process.

This EXE launching process may be difficult to observe with a user-mode debugger; some debuggers struggle to break in those early stages of process initialisation.

0
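Both answers above come down to fields in the PE header: the virtual start address is ImageBase plus AddressOfEntryPoint from the optional header, and whether the loader treats the file as a DLL (calling DllMain) or as an EXE is decided by the IMAGE_FILE_DLL bit in the COFF Characteristics. The following is an added example, not code from either answer; it parses those fields from raw file bytes, and the sample headers it builds are constructed for the demo rather than taken from a real binary.

```python
import struct

IMAGE_FILE_DLL = 0x2000                   # COFF Characteristics bit set on DLLs
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B  # optional-header Magic values


def parse_entry_point(image: bytes) -> dict:
    """Read entry-point info straight from the PE header of a file's raw bytes."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)        # file offset of "PE\0\0"
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4                                          # IMAGE_FILE_HEADER (20 bytes)
    _, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20                                              # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", image, opt)
    (entry_rva,) = struct.unpack_from("<I", image, opt + 16)    # AddressOfEntryPoint (RVA)
    if magic == PE32_MAGIC:
        (image_base,) = struct.unpack_from("<I", image, opt + 28)
    elif magic == PE32PLUS_MAGIC:
        (image_base,) = struct.unpack_from("<Q", image, opt + 24)
    else:
        raise ValueError(f"unknown optional-header magic {magic:#x}")
    return {
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),       # loader calls DllMain if set
        "entry_rva": entry_rva,
        "image_base": image_base,
        "entry_va": image_base + entry_rva,                      # start address before relocation
    }


def build_sample(entry_rva: int, image_base: int, is_dll: bool, pe32plus: bool) -> bytes:
    """Constructed minimal header (MZ stub, PE signature, COFF + optional header); not a real file."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    chars = 0x0002 | (IMAGE_FILE_DLL if is_dll else 0)          # EXECUTABLE_IMAGE, plus DLL bit
    machine, opt_size = (0x8664, 240) if pe32plus else (0x14C, 224)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, chars)
    if pe32plus:   # Magic, linker ver, 3 sizes, AddressOfEntryPoint, BaseOfCode, ImageBase (u64)
        opt = struct.pack("<HBBIIIIIQ", PE32PLUS_MAGIC, 0, 0, 0, 0, 0, entry_rva, 0x1000, image_base)
    else:          # same, but BaseOfData precedes a 32-bit ImageBase
        opt = struct.pack("<HBBIIIIIII", PE32_MAGIC, 0, 0, 0, 0, 0, entry_rva, 0x1000, 0x2000, image_base)
    return dos + b"PE\0\0" + coff + opt.ljust(opt_size, b"\0")


if __name__ == "__main__":
    print(parse_entry_point(build_sample(0x1234, 0x400000, is_dll=False, pe32plus=False)))
```

Running it against a real file is `parse_entry_point(open(path, "rb").read())`; the resulting entry_va matches what a header viewer such as HT reports as the entry point.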
