Author: GuyHoozdis
Subject: Thread Start Address and Call Stack
Posted: 16 June 2013 at 8:21pm
You are correct; with respect to Notepad.
That is correct. The term module refers to an executable image that has been loaded into memory. Each of these file formats; *.exe, *.dll, and *.sys are based upon the same file format. It is called the Portable Executable File Format and is derived from the older COFF specification.
Glad I was able to help! Best of luck.
Subject: Thread Start Address and Call Stack
Posted: 16 June 2013 at 8:21pm
| Image may be NSFW. Clik here to view.  ThunderCats wrote:WinMainCRTStartup is starting at offset with regards to who? Notepad.exe module or something else. |
You are correct; with respect to Notepad.
| Image may be NSFW. Clik here to view. There is another example from Mark's book in which a thread named "rdyboost.sys+0xee0a" is consuming high cpu and he concluded that thread was starting in Rdyboost.sys module. |
That is correct. The term module refers to an executable image that has been loaded into memory. Each of these file formats; *.exe, *.dll, and *.sys are based upon the same file format. It is called the Portable Executable File Format and is derived from the older COFF specification.
Glad I was able to help! Best of luck.
