Microsoft's documentation for the "Entry Point RVA" field in the PE optional header standard fields (section 25.2.3.1) states the field should be:
RVA of entry point, needs to point to bytes 0xFF 0x25 followed by the RVA in a section marked execute/read for EXEs or 0 for DLLs
What does this mean? I have inspected a PE file produced by the C# compiler and found an RVA pointing to the described bytes 0xFF 0x25, but the next four bytes are 0x00402000, outside the range of relative virtual memory, not a valid RVA as near as I can tell. I know there is a relocation (section 25.3.2) pointing to this value with type "IMAGE_REL_BASED_HIGHLOW", but I don't know what that means either. I also understand that it is supposed to invoke the "_CorExeMain" (I am working with an executable) of the mscoree.dll as described in section 25.3.1, but I don't understand how.
1 solution
#1
1
The 0xFF 0x25 bytes encode a jump dword ptr instruction. The 0x402000 value is (in this case) the offset into the import address table (IAT) of the one native function that any .NET exe imports, namely _CorExeMain from mscoree.dll. And of course, jumping to this address starts the CLR for the process.
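To make the answer concrete, here is an added example (not part of the original post) that builds a constructed, minimal PE32 image with the same 0xFF 0x25 stub, then resolves it: the 32-bit operand after FF 25 is an absolute virtual address (ImageBase 0x400000 plus the IAT slot RVA 0x2000), which is exactly why an IMAGE_REL_BASED_HIGHLOW fixup covers it, and subtracting ImageBase gives the RVA of the IAT slot that will hold the address of _CorExeMain at load time. The header layout, section name and offsets are constructed assumptions for the sample, and the stub is taken to be the PE32 form only.

```python
import struct

# Constructed sample: a minimal PE32 image, not compiler output. One ".text" section
# at RVA 0x2000 holds an (empty) IAT slot at RVA 0x2000 and, at RVA 0x2008, the
# entry stub FF 25 00 20 40 00 = "jmp dword ptr [0x402000]" with ImageBase 0x400000.
IMAGE_BASE, SECT_RVA, SECT_FOFF, SECT_SIZE = 0x400000, 0x2000, 0x200, 0x200
IAT_SLOT_RVA, ENTRY_RVA = 0x2000, 0x2008

def build_sample_pe() -> bytes:
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")  # e_lfanew = 0x80
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, 0, 0, 0, ENTRY_RVA, SECT_RVA, SECT_RVA, IMAGE_BASE)
    opt = opt.ljust(224, b"\0")  # remaining optional-header fields are irrelevant here
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", SECT_SIZE, SECT_RVA, SECT_SIZE, SECT_FOFF, 0, 0, 0, 0, 0x60000020)
    body = bytearray(SECT_SIZE)
    body[8:14] = b"\xff\x25" + struct.pack("<I", IMAGE_BASE + IAT_SLOT_RVA)
    return bytes((dos + coff + opt + sect).ljust(SECT_FOFF, b"\0") + body)

def rva_to_offset(pe: bytes, rva: int) -> int:
    """Map an RVA to a file offset via the section table; raise if it is in no section."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    for i in range(nsect):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, e_lfanew + 24 + opt_size + 40 * i + 8)
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not inside any section")

def decode_entry_stub(pe: bytes) -> dict:
    """Resolve the FF 25 stub at the entry point to the IAT slot it jumps through."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled (in PE32+ the FF 25 operand is RIP-relative, not an absolute VA)")
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    off = rva_to_offset(pe, entry_rva)
    if pe[off:off + 2] != b"\xff\x25":
        raise ValueError("entry point does not start with 'jmp dword ptr [imm32]'")
    # The operand is an absolute VA (hence the IMAGE_REL_BASED_HIGHLOW fixup), not an RVA.
    operand_va = struct.unpack_from("<I", pe, off + 2)[0]
    slot_rva = operand_va - image_base
    return {"entry_rva": entry_rva, "operand_va": operand_va,
            "iat_slot_rva": slot_rva, "iat_slot_offset": rva_to_offset(pe, slot_rva)}

if __name__ == "__main__":
    print({k: hex(v) for k, v in decode_entry_stub(build_sample_pe()).items()})
```

Run against a real .NET executable, the returned iat_slot_rva should fall inside the image's import address table, and the loader patches the operand by ImageBase delta when it relocates the image.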