Why Entry Point Address of executable in dumpbin is different from WinDbg?

Question

I'm trying to understand the mechanics of loading an executable file, so I did two different tests with notepad.exe

1) Running dumpbin command:

dumpbin /ALL "C:\Windows\System32\notepad.exe" /OUT:"C:\sample\log4.txt" 

I got the following values under OPTIONALHEADER VALUES:

1AC50 entry point (000000014001AC50) WinMainCRTStartup
1000 base of code
140000000 image base (0000000140000000 to 0000000140042FFF)

2) Running WinDbg:

x notepad!*CRT* 

I got these:

00b9bf9a          notepad!__mainCRTStartup (void)
00b9bf90          notepad!WinMainCRTStartup (<no parameter info>)
00ba04a4          notepad!msvcrt_NULL_THUNK_DATA = <no type information>
00ba050c          notepad!_IMPORT_DESCRIPTOR_msvcrt = <no type information>

I don't understand why 14001AC50 and 00b9bf90 are different values. Shouldn't they be the same AddressOfEntryPoint value?

Thanks in advance

Answer 1

There are a couple reasons for the discrepancy.

First, you are running dumpbin on the x64 version of notepad.exe, stored in System32 but you seem to be debugging the x86 notepad.exe stored in SysWoW64. Make sure you've launched the x64 or AMD64 version of WinDbg and that you're attaching to C:\Windows\System32\notepad.exe.

Once that's sorted out things should start making more sense but there's one more thing to keep in mind. The x command in WinDbg is displaying the virtual memory address of the symbol in the running process while dumpbin displays it as an offset from the module base address.

Some quick subtraction from the module base and things should match up.

Here's how it looks on my system:

C:\>dumpbin /ALL "C:\Windows\System32\notepad.exe" | find "entry point"
           1AC50 entry point (000000014001AC50) WinMainCRTStartup

---

0:000> x notepad!WinMainCRTStartup
00007ff6`4fe1ac50 notepad!WinMainCRTStartup (<no parameter info>)
0:000> ? notepad!WinMainCRTStartup - notepad
Evaluate expression: 109648 = 00000000`0001ac50