revealing the consumption of PE's by Windows.


BanMe
January 2nd, 2011, 16:03
So I guess I'm an in-betweener, whereas I love code and use RE to get what's needed done, so this lands me with quite a few people, but being a hobbyist with no real education in these areas, I still don't grasp it all yet..

So what I would like to discuss is the area that both share,
where coding is used to Produce a PE and RE is used to analyze that PE..

I remember a paper about dawn to dusk, execution of an exe..

Is there a dawn to dusk analysis of the consumption of a PE before and after execution ?

I ask this because there is a special case in ntdll for handling SecServ.dll loading and reading specific segments, but that was the rabbit, not the hole.

Ok, in the future I will post the reference to 'background' materials. ..

Kayaker
January 2nd, 2011, 16:54
Quote (Originally Posted by BanMe):
I remember a paper about dawn to dusk, execution of an exe..

Yeah I remember that. For reference:

http://www.cs.miami.edu/~burt/journal/NT/processinit.html

Kayaker
January 2nd, 2011, 21:31
What kind of thing are you looking for BanMe? I mean, I'm sure you know about the Windows Research Kernel. So I'm thinking.. use it plus maybe that article and any others to map out all the known steps that can be picked out from PE inception -> PE death.

Then use WinDbg or SoftICE to delve in/around/under/behind the various areas in search of your quest. Easier written than done of course, but other than that I have no clue..

Please define "consumption of a PE before and after execution"

BanMe
January 2nd, 2011, 22:20
hahaha, good answer
This is what I've been doing (just lost the fire for a bit, it got very cold) and don't think Sin32 has died, it's been rewritten into asm (I've removed all traces of boomerang as that made it more complicated than I could handle.. I'm in productive testing of the data that is returned by the GpParse routine (in GCBE by indy))... To add to my TLS expedition, the Ldr routines for TlsData expect the .tls to look like the actual PE directory; though the '.tls' section can be of any size, only the initial portion of it is examined if present.. to accurately inform the Ldr of TlsData.. but what matters even more now is the call to LdrpInitializeTlsForThread, and controlling the values passed to it.

"The consumption of a PE"

Means that a PE is broken down into multiple sections that describe certain aspects of that specific file, as described above with TLS; some circumstances require further information from the PE, like image relocations, which seem to be of interest atm, but there's gotta be other things where the PE is examined and parts are used in order to complete other tasks.

lol at my false assumptions just upon reading the PE docs... that's some good stuff.. thank you.

Finally about to answer the ' define "consumption of a PE before and after execution" '

Well I view it as: in a 'process' we have an address space, the main logic to the startup of the program. This file on disc is loaded by the Windows loader; what is the necessary path to take advantage of these features? This is my goal; the means I use to accomplish my goals aren't conventional.. nor are they 'safe' or even correct at times.. But live, learn, love.. this be my 'ends'.
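The two pieces of the PE that the thread above keeps returning to, the TLS directory and the base relocations, are exactly the parts the loader "consumes" from the image rather than from any section name. The script below is an added example, not code from the thread or from any of the tools mentioned in it. It constructs a synthetic PE32+ file in memory (the section layout, the 0x140000000 image base, the callback addresses and the "TLS init data!!!" payload are all made up for the example), then walks the image the way a loader-side parser would: it locates IMAGE_TLS_DIRECTORY64 through data directory 9 and its callback array through the absolute VA stored there, walks the IMAGE_BASE_RELOCATION blocks through data directory 5, and rebases the file to a new address, after which the TLS callbacks resolve correctly only if the parser is told the real load base. Structure layouts follow the PE/COFF specification; only PE32+ is handled.

```python
import struct
from dataclasses import dataclass

IMAGE_DIRECTORY_ENTRY_BASERELOC = 5
IMAGE_DIRECTORY_ENTRY_TLS = 9
IMAGE_REL_BASED_ABSOLUTE = 0          # padding entry, no fixup
IMAGE_REL_BASED_DIR64 = 10            # add delta to a 64-bit pointer
OPT_HDR64_FMT = "<HBBIIIIIQIIHHHHHHIIIIHHQQQQII"   # IMAGE_OPTIONAL_HEADER64 up to NumberOfRvaAndSizes (112 bytes)
SECTION_FMT = "<8sIIIIIIHHI"                      # IMAGE_SECTION_HEADER (40 bytes)

@dataclass
class PEHeaders:
    image_base: int
    data_dirs: list      # 16 x (rva, size)
    sections: list       # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)

def build_sample_pe():
    """Constructed PE32+ image (file layout): .tls at RVA 0x1000/file 0x200, .reloc at RVA 0x2000/file 0x400."""
    base = 0x140000000                                   # assumed preferred ImageBase
    tls = bytearray(0x200)
    # IMAGE_TLS_DIRECTORY64: raw data 0x1100..0x1110, index slot 0x1120, callback array at 0x1040 (all absolute VAs)
    struct.pack_into("<QQQQII", tls, 0, base + 0x1100, base + 0x1110, base + 0x1120, base + 0x1040, 0, 0)
    struct.pack_into("<QQQ", tls, 0x40, base + 0x1180, base + 0x1190, 0)   # NULL-terminated callback VAs
    tls[0x100:0x110] = b"TLS init data!!!"
    reloc = bytearray(0x200)
    fixups = [0x000, 0x008, 0x010, 0x018, 0x040, 0x048]  # every 64-bit VA stored in page 0x1000
    entries = [(IMAGE_REL_BASED_DIR64 << 12) | off for off in fixups] + [IMAGE_REL_BASED_ABSOLUTE] * 2
    struct.pack_into("<II%dH" % len(entries), reloc, 0, 0x1000, 8 + 2 * len(entries), *entries)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_TLS] = (0x1000, 40)
    dirs[IMAGE_DIRECTORY_ENTRY_BASERELOC] = (0x2000, 8 + 2 * len(entries))
    opt = struct.pack(OPT_HDR64_FMT, 0x20B, 14, 0, 0x200, 0x400, 0, 0x1180, 0x1000, base, 0x1000, 0x200,
                      6, 0, 0, 0, 6, 0, 0, 0x3000, 0x200, 0, 3, 0x8160, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, len(opt), 0x22)
    sects = struct.pack(SECTION_FMT, b".tls", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0xC0000040)
    sects += struct.pack(SECTION_FMT, b".reloc", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x42000040)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew
    headers = bytes(dos) + b"PE\0\0" + file_hdr + opt + sects
    return bytes(headers.ljust(0x200, b"\0") + tls + reloc)

def parse_headers(data):
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    fields = struct.unpack_from(OPT_HDR64_FMT, data, opt)
    if fields[0] != 0x20B:
        raise ValueError("only PE32+ handled here")
    image_base, ndirs = fields[8], fields[28]
    dirs = [struct.unpack_from("<II", data, opt + 112 + 8 * i) for i in range(min(ndirs, 16))]
    dirs += [(0, 0)] * (16 - len(dirs))
    sect_off = opt + opt_size
    sections = [struct.unpack_from(SECTION_FMT, data, sect_off + 40 * i)[:5] for i in range(nsec)]
    return PEHeaders(image_base, dirs, sections)

def rva_to_offset(hdr, rva):
    """Map an RVA to a file offset via the section table (section names play no part)."""
    for _, vsize, va, rawsize, rawptr in hdr.sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError("RVA 0x%x not backed by any section" % rva)

def parse_tls(data, hdr, actual_base=None):
    """Read IMAGE_TLS_DIRECTORY64 through data directory 9. Its fields are absolute VAs, so the
    base the image was really mapped at (actual_base) is needed to turn them back into RVAs."""
    base = hdr.image_base if actual_base is None else actual_base
    rva, size = hdr.data_dirs[IMAGE_DIRECTORY_ENTRY_TLS]
    if rva == 0:
        return None
    if size < 40:
        raise ValueError("TLS directory truncated")          # parser sanity check
    start, end, index_va, cb_va, zero_fill, _ = struct.unpack_from("<QQQQII", data, rva_to_offset(hdr, rva))
    callbacks = []
    if cb_va:
        cb_off = rva_to_offset(hdr, cb_va - base)
        while True:
            cb = struct.unpack_from("<Q", data, cb_off)[0]
            if cb == 0:
                break
            callbacks.append(cb)
            cb_off += 8
    raw_off = rva_to_offset(hdr, start - base)
    return {"raw_size": end - start, "zero_fill": zero_fill, "index_va": index_va,
            "callbacks": callbacks, "raw_data": bytes(data[raw_off:raw_off + (end - start)])}

def parse_relocs(data, hdr):
    """Yield (type, target RVA) for every fixup in the IMAGE_BASE_RELOCATION blocks."""
    rva, size = hdr.data_dirs[IMAGE_DIRECTORY_ENTRY_BASERELOC]
    if rva == 0:
        return
    off = rva_to_offset(hdr, rva)
    end = off + size
    while off + 8 <= end:
        page_rva, block_size = struct.unpack_from("<II", data, off)
        if block_size < 8 or off + block_size > end:
            raise ValueError("malformed relocation block at file offset 0x%x" % off)
        for i in range((block_size - 8) // 2):
            entry = struct.unpack_from("<H", data, off + 8 + 2 * i)[0]
            rtype, page_off = entry >> 12, entry & 0xFFF
            if rtype != IMAGE_REL_BASED_ABSOLUTE:
                yield rtype, page_rva + page_off
        off += block_size

def apply_relocations(data, hdr, new_base):
    """Rebase the image: add (new_base - ImageBase) to every DIR64 fixup target."""
    delta = new_base - hdr.image_base
    out = bytearray(data)
    for rtype, target in parse_relocs(data, hdr):
        if rtype != IMAGE_REL_BASED_DIR64:
            raise ValueError("unsupported relocation type %d" % rtype)
        off = rva_to_offset(hdr, target)
        val = struct.unpack_from("<Q", out, off)[0]
        struct.pack_into("<Q", out, off, (val + delta) & 0xFFFFFFFFFFFFFFFF)
    return bytes(out)

if __name__ == "__main__":
    pe = build_sample_pe()
    hdr = parse_headers(pe)
    print("TLS at preferred base:", parse_tls(pe, hdr))
    rebased = apply_relocations(pe, hdr, 0x200000000)
    print("TLS after rebase:     ", parse_tls(rebased, hdr, actual_base=0x200000000))
```

Two things worth noticing when running it: the parser never looks at the string ".tls", only at the data directory entry and the section table, so putting the directory in a section of another name changes nothing; and after rebasing, calling parse_tls without actual_base fails, because the header's ImageBase no longer matches the addresses stored in the directory, which is the same reason the loader has to convert those VAs relative to where the image actually landed.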