Reverse Engineering for Beginners


Chapter 68


Windows NT


68.1 CRT (win32).


Does the program execution start right at the main() function? No, it does not. If we open any executable file in
IDA or HIEW, we can see the OEP pointing to some other code block. This code does some maintenance and preparation
before passing control flow to our code. It is called startup-code or CRT code (C RunTime).

The main() function takes an array of the arguments passed on the command line, and also one with environment variables.
But in fact a single string is passed to the program; the CRT code finds the spaces in it and cuts it into parts. The CRT code
also prepares the environment variables array envp. As for GUI^1 win32 applications, WinMain is used instead of main(),
having its own arguments:

int CALLBACK WinMain(
    _In_ HINSTANCE hInstance,
    _In_ HINSTANCE hPrevInstance,
    _In_ LPSTR lpCmdLine,
    _In_ int nCmdShow
);

The CRT code prepares them as well.
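As an added example (not from the book, and not taken from any real CRT source), here is a simplified splitter in C that does what the paragraph describes: it takes the single command-line string and cuts it at whitespace into an argv[] array, keeping a double-quoted run together. The function names split_cmdline and free_argv are this example's own; the real MSVC CRT additionally handles backslash escapes in front of quotes, which is left out here.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified version of the argument splitting a CRT does
 * before calling main(): the raw command-line string is cut at whitespace
 * into an argv[] array, and a double-quoted run keeps its spaces.
 * Written for this example; not code from any CRT. */

/* Copy n bytes of s into a fresh NUL-terminated string (strdup is not C99). */
static char *copy_arg(const char *s, size_t n)
{
    char *d = malloc(n + 1);
    if (d) { memcpy(d, s, n); d[n] = '\0'; }
    return d;
}

/* Releases an array produced by split_cmdline(). */
void free_argv(char **argv)
{
    if (!argv) return;
    for (char **a = argv; *a; a++) free(*a);
    free(argv);
}

/* Splits cmdline; on success stores a NULL-terminated array in *argv_out
 * and returns argc. Returns -1 on allocation failure. */
int split_cmdline(const char *cmdline, char ***argv_out)
{
    size_t len = strlen(cmdline);
    /* Each argument but the last needs a separator after it, so there can be
     * at most len/2 + 1 arguments; one extra slot holds the terminating NULL. */
    char **argv = calloc(len / 2 + 2, sizeof *argv);
    char *buf = malloc(len + 1);          /* scratch space for one argument */
    int argc = 0;
    const char *p = cmdline;

    if (!argv || !buf) { free(argv); free(buf); return -1; }

    while (*p) {
        while (*p && isspace((unsigned char)*p)) p++;   /* skip separators */
        if (!*p) break;
        size_t n = 0;
        int in_quotes = 0;
        /* Consume one argument: a quote toggles whether spaces are literal. */
        while (*p && (in_quotes || !isspace((unsigned char)*p))) {
            if (*p == '"') in_quotes = !in_quotes;       /* quotes are dropped */
            else buf[n++] = *p;
            p++;
        }
        argv[argc] = copy_arg(buf, n);
        if (!argv[argc]) { free_argv(argv); free(buf); return -1; }
        argc++;
    }
    argv[argc] = NULL;   /* calloc already zeroed the slot; be explicit */
    free(buf);
    *argv_out = argv;
    return argc;
}
```

For the constructed input `prog.exe  -o "My File.txt" input` the function returns 4 and argv[2] is `My File.txt` with its space intact, which is exactly the difference between the raw string the loader hands over and the argv[] that main() sees.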

Also, the number returned by the main() function is the exit code. It may be passed by the CRT to the ExitProcess()
function, which takes the exit code as an argument.

Usually, each compiler has its own CRT code.

Here is a typical CRT code for MSVC 2008.

_tmainCRTStartup proc near

var_24          = dword ptr -24h
var_20          = dword ptr -20h
var_1C          = dword ptr -1Ch
ms_exc          = CPPEH_RECORD ptr -18h

                push    14h
                push    offset stru_4092D0
                call    __SEH_prolog4
                mov     eax, 5A4Dh
                cmp     ds:400000h, ax
                jnz     short loc_401096
                mov     eax, ds:40003Ch
                cmp     dword ptr [eax+400000h], 4550h
                jnz     short loc_401096
                mov     ecx, 10Bh
                cmp     [eax+400018h], cx
                jnz     short loc_401096
                cmp     dword ptr [eax+400074h], 0Eh
                jbe     short loc_401096
                xor     ecx, ecx
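The first thing the startup code does after the SEH prologue is verify the headers of its own image at the 400000h base: the 'MZ' word (5A4Dh), the e_lfanew field at offset 3Ch, the 'PE' signature (4550h), the PE32 optional-header magic (10Bh) at PE+18h, and NumberOfRvaAndSizes at PE+74h, which must exceed 0Eh. As an added example (not from the book), the same sequence of checks written in C over an in-memory buffer, with the image base replaced by a pointer; the function names check_pe_image and build_sample_image, and the sample header it constructs, are this example's own. Unlike the CRT, which reads an image the loader has already mapped, it bounds-checks every read so it can be run over untrusted input.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example: the PE-header checks from the CRT listing above, written as
 * C over an in-memory buffer. The image base 400000h becomes 'img'.
 *   img+0x00  e_magic                            'MZ' (5A4Dh as a word)
 *   img+0x3C  e_lfanew                           offset of the PE signature
 *   pe+0x00   Signature                          'PE\0\0' (4550h)
 *   pe+0x18   OptionalHeader.Magic               10Bh = PE32, a 32-bit image
 *   pe+0x74   OptionalHeader.NumberOfRvaAndSizes must exceed 0Eh */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Returns 1 when every check passes (the listing's fall-through path),
 * 0 when any of them would jump to loc_401096. */
int check_pe_image(const uint8_t *img, size_t size)
{
    if (size < 0x40 || rd16(img) != 0x5A4D) return 0;   /* cmp ds:400000h, ax      */
    uint32_t pe = rd32(img + 0x3C);                     /* mov eax, ds:40003Ch     */
    if (pe > size || size - pe < 0x78) return 0;        /* need pe+0x74..pe+0x77   */
    const uint8_t *h = img + pe;
    if (rd32(h) != 0x00004550) return 0;                /* cmp [eax+400000h], 4550h */
    if (rd16(h + 0x18) != 0x10B) return 0;              /* cmp [eax+400018h], cx    */
    if (rd32(h + 0x74) <= 0x0E) return 0;               /* cmp [eax+400074h], 0Eh   */
    return 1;
}

/* Constructed test image: only the fields the checks read are filled in.
 * PE_OFF is an arbitrary e_lfanew value chosen for the example. */
#define PE_OFF 0x80u
#define SAMPLE_IMAGE_SIZE (PE_OFF + 0x78u)

size_t build_sample_image(uint8_t *buf, size_t cap, uint16_t opt_magic, uint32_t ndirs)
{
    if (cap < SAMPLE_IMAGE_SIZE) return 0;
    memset(buf, 0, SAMPLE_IMAGE_SIZE);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, PE_OFF);
    memcpy(buf + PE_OFF, "PE\0\0", 4);
    wr16(buf + PE_OFF + 0x18, opt_magic);
    wr32(buf + PE_OFF + 0x74, ndirs);
    return SAMPLE_IMAGE_SIZE;
}
```

Feeding the builder a PE32+ magic (20Bh) or a NumberOfRvaAndSizes of 0Eh makes check_pe_image() return 0, which is the same outcome as the jnz/jbe branches in the listing: this 32-bit CRT refuses to proceed on a 64-bit image or on one whose data directory table is too short.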


^1 Graphical user interface
