 

Does rcx always point to the PEB at the process entrypoint?

64-bit Windows seems to call into an exe's entrypoint with rcx = r8 = &PEB and rdx = r9 = &entrypoint as if the entrypoint were declared entrypoint(PEB *peb, void *entry).

Are these details specified anywhere or are these undocumented and not to be relied on?

Sir Random asked May 08 '20 16:05



1 Answer

Beginning with Vista, Windows calls an exe's entry point with one parameter, the address of the PEB, so the signature of the exe entry point must be the following:

ULONG __stdcall ep(PEB* ); 

Because in x64 the first parameter is passed via the rcx register, you see the address of the PEB there. The values in the other registers are random. But, as I said, this is not related to 64-bit only: in all Windows versions the address of the PEB will be in the first parameter.

This is not documented, but I am sure it is very reliable and will not be changed in new Windows versions.

In the WDK there exists nt.lib. This is a static (not import) library which implements a tiny CRT for applications that can use only the ntdll.dll import (primarily boot-execute apps, like autochk.exe). This library implements the entry point of the exe (NtProcessStartup[W]), which then calls your [w]main with the usual parameters. And the current NtProcessStartup[W] implementation uses the pointer to the PEB from the first (and single) argument. Assume we link with the current nt.lib implementation. Because this is a static lib, the code of NtProcessStartup[W] will be inside your exe and can no longer change. If Windows no longer passed the address of the PEB in the first argument, all exes that link with the current nt.lib would crash on startup. So I think this will not be changed.

RbMm answered Oct 17 '22 15:10

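As an added example that is not part of the question or the answer above: a CRT-free x64 entry point with the one-argument signature the answer describes, which checks that the argument it receives really is the PEB by comparing it with the PEB pointer stored in the TEB and with the module's own image base, and exits with 0 only if both agree. Everything in it beyond the signature is my own assumption, not something the page states: the hand-written PEB64_MIN layout (the public x64 PEB offsets, used instead of winternl.h so the struct compiles on any host), the TEB->ProcessEnvironmentBlock offset gs:[0x60], the MSVC linker pseudo-symbol __ImageBase, the hand-declared NtTerminateProcess import, and the build flags in the header comment. The Windows-specific part is compiled only under MSVC x64; the layout check and self-test run anywhere.

```c
/* Added example (not from the question or answer): a CRT-free x64 Windows
 * entry point that verifies the single argument it receives is the PEB.
 * Assumptions (mine, not the page's): the PEB64_MIN offsets below, the
 * TEB->ProcessEnvironmentBlock slot at gs:[0x60], the linker symbol
 * __ImageBase and the hand-declared NtTerminateProcess import.
 * Build (MSVC x64): cl /GS- /O1 peb_entry.c /link /ENTRY:ep /NODEFAULTLIB
 *                   /SUBSYSTEM:CONSOLE ntdll.lib
 * Run it and check %ERRORLEVEL%: 0 means rcx held the real PEB.          */
#include <stddef.h>
#include <stdint.h>

/* First 0x28 bytes of the x64 PEB, with fixed-width fields so the layout is
 * the same on every host (hand-written; independent of winternl.h). */
typedef struct PEB64_MIN {
    uint8_t  InheritedAddressSpace;     /* 0x00 */
    uint8_t  ReadImageFileExecOptions;  /* 0x01 */
    uint8_t  BeingDebugged;             /* 0x02 */
    uint8_t  BitField;                  /* 0x03 */
    uint8_t  Padding0[4];               /* 0x04 */
    uint64_t Mutant;                    /* 0x08 */
    uint64_t ImageBaseAddress;          /* 0x10 */
    uint64_t Ldr;                       /* 0x18 */
    uint64_t ProcessParameters;         /* 0x20 */
} PEB64_MIN;

/* Accessors used by the entry point; no CRT, no side effects. */
uint64_t peb_image_base(const PEB64_MIN *peb)    { return peb->ImageBaseAddress; }
int      peb_being_debugged(const PEB64_MIN *peb) { return peb->BeingDebugged != 0; }

/* Returns 1 if every field sits at the offset the real x64 PEB uses. */
int peb_layout_ok(void)
{
    return offsetof(PEB64_MIN, BeingDebugged)     == 0x02 &&
           offsetof(PEB64_MIN, ImageBaseAddress)  == 0x10 &&
           offsetof(PEB64_MIN, Ldr)               == 0x18 &&
           offsetof(PEB64_MIN, ProcessParameters) == 0x20 &&
           sizeof(PEB64_MIN)                      == 0x28;
}

/* Host-independent self-test on a constructed PEB image (sample data only;
 * fields are set one by one to avoid a compiler-generated memset call). */
int peb_selftest(void)
{
    PEB64_MIN fake;
    fake.BeingDebugged    = 1;
    fake.ImageBaseAddress = 0x140000000ULL;   /* constructed default image base */
    return peb_layout_ok()
        && peb_image_base(&fake) == 0x140000000ULL
        && peb_being_debugged(&fake) == 1;
}

#if defined(_WIN32) && defined(_M_X64)
#include <intrin.h>

/* ntdll export, declared by hand because we link without the CRT and without
 * windows.h; the import library ntdll.lib ships with the SDK/WDK. */
__declspec(dllimport) long __stdcall NtTerminateProcess(void *ProcessHandle, long ExitStatus);
#define NtCurrentProcess() ((void *)(intptr_t)-1)

/* Linker pseudo-symbol marking the start of this module's image. */
extern unsigned char __ImageBase;

/* Entry point with the one-argument signature from the answer. No CRT code
 * runs before us, so the argument arrives exactly as the loader passed it. */
unsigned long __stdcall ep(PEB64_MIN *peb)
{
    /* Independent source of truth: TEB->ProcessEnvironmentBlock at gs:[0x60]. */
    PEB64_MIN *teb_peb = (PEB64_MIN *)__readgsqword(0x60);
    unsigned long status = 1;

    if (peb == teb_peb &&
        peb_layout_ok() &&
        peb_image_base(peb) == (uint64_t)(uintptr_t)&__ImageBase)
        status = 0;   /* the first argument really is our PEB */

    /* Returning would only end this thread; end the process explicitly. */
    NtTerminateProcess(NtCurrentProcess(), (long)status);
    return status;
}
#endif
```

The check against gs:[0x60] is what makes this a test rather than a tautology: the TEB is set up by the kernel before any user-mode code runs, so if the loader ever stopped passing the PEB in the first argument, the comparison would fail and the exit code would become 1. Compile with /GS- so the compiler does not emit a security-cookie check that needs the CRT.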