Which component patches code to the MASM compiled executable

Started by guro, April 07, 2011, 09:44:53 AM


dedndave

as i said - i have seen them AFTER ExitProcess   :bg

what switches are you using to assemble and link ???
which version of MASM are you using ???
it looks like a debug side-effect

guro

assemble: /c /coff /Cp /nologo /Fm /Zi /Zd
link: /SUBSYSTEM:WINDOWS /DEBUG /VERSION:4.0

predefined in WinAsm Studio, and yes they are used for DEBUG building, as i understood from this thread :bg

Tedd

In this instance it looks like it's purely for alignment (see how the address is pushed forward to a 16 byte boundary.)
If the 'filler' required were only a few bytes, then you might see a single useless instruction in there to take up the required bytes, e.g. "mov edi,edi", but since it's more than a few, you get a string of NOPs with a jump over them.

You might also see this done at the beginning of functions, which seems entirely pointless - why not just place the entry to the function ON the aligned boundary and stop inserting these nonsense fillers? And the reason, particularly in debugging, is to allow for monitoring function calls to be patched into the beginning of functions without needing to do anything fancy (shifting memory around, breakpoint hacks, etc.)
No snowflake in an avalanche feels responsible.
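The layout Tedd describes, written out as an added example (this is not code from the thread or from MASM): a function entry pushed forward to a 16-byte boundary, either by one two-byte do-nothing instruction (mov edi,edi) when the gap is small or by a short jmp over a run of INT 3 / NOP fill bytes when it is not, plus the kind of check a debugging monitor or an integrity checker would run on the patchable two-byte prologue at the entry. The opcode bytes are the real x86 encodings; the 16-byte alignment, the INT 3 fill (guro's description) and the function names, base address and sample code image are assumptions constructed for the example.

```python
"""Alignment filler and entry-prologue check (added example, not from the thread).

Assumed layout: entries are moved forward to a 16-byte boundary, the gap is
filled with INT 3 (0xCC) as in guro's debug build, and every function starts
with the 2-byte 'mov edi,edi' that a monitor can later overwrite with a short jmp.
"""

ALIGN = 16
NOP = 0x90                  # nop
INT3 = 0xCC                 # int 3
SHORT_JMP = 0xEB            # jmp rel8
MOV_EDI_EDI = b"\x8b\xff"   # mov edi,edi: 2-byte no-op used as a patchable prologue


def padding_to(addr, align=ALIGN):
    """Bytes needed to move addr forward to the next align boundary (0 if aligned)."""
    return (-addr) % align


def make_filler(gap, fill_byte=INT3):
    """Build gap bytes of filler that execution can safely fall through.

    1-2 bytes: a single harmless instruction (nop / mov edi,edi).
    3+ bytes:  short jmp over (gap-2) fill bytes, the pattern seen in the debug build.
    """
    if gap == 0:
        return b""
    if gap == 1:
        return bytes([NOP])
    if gap == 2:
        return MOV_EDI_EDI
    if gap - 2 > 127:
        raise ValueError("rel8 jump cannot skip more than 127 bytes")
    return bytes([SHORT_JMP, gap - 2]) + bytes([fill_byte]) * (gap - 2)


def classify_filler(code, off):
    """Recognise the filler at code[off:]; return (kind, length) or None."""
    if code[off:off + 2] == MOV_EDI_EDI:
        return ("mov edi,edi", 2)
    if code[off] == NOP:
        return ("nop", 1)
    if code[off] == SHORT_JMP and off + 1 < len(code):
        skip = code[off + 1]
        body = bytes(code[off + 2:off + 2 + skip])
        if len(body) == skip and body and set(body) <= {INT3, NOP}:
            kind = "jmp over int 3" if INT3 in body else "jmp over nop"
            return (kind, 2 + skip)
    return None


def check_prologue(code, entry, expected=MOV_EDI_EDI):
    """Integrity check for a patchable entry: is the 2-byte prologue still the original?"""
    head = bytes(code[entry:entry + len(expected)])
    if head == expected:
        return "intact"
    if head and head[0] == SHORT_JMP:
        return "patched: short jmp"   # a monitor redirected the entry with jmp rel8
    return "patched: unknown"


def lay_out(base, preceding, body):
    """Place body at the next ALIGN boundary after preceding; return (image, entry offset)."""
    gap = padding_to(base + len(preceding))
    filler = make_filler(gap)
    image = bytes(preceding) + filler + bytes(body)
    return image, len(preceding) + len(filler)


# Constructed sample: 3 bytes of earlier code at base 0x401000, so the next entry
# must move from 0x401003 to 0x401010, a 13-byte gap: EB 0B followed by eleven INT 3s.
BASE = 0x401000
PRECEDING = b"\xc3\x90\x90"                    # ret; nop; nop (tail of the previous function)
BODY = MOV_EDI_EDI + b"\x55\x8b\xec\x5d\xc3"  # mov edi,edi; push ebp; mov ebp,esp; pop ebp; ret

if __name__ == "__main__":
    image, entry = lay_out(BASE, PRECEDING, BODY)
    print(hex(BASE + entry), classify_filler(image, len(PRECEDING)))   # 0x401010, jmp over int 3
    print(check_prologue(image, entry))                                # intact
    patched = bytearray(image)
    patched[entry:entry + 2] = bytes([SHORT_JMP, 0xF1])   # constructed: simulated monitor patch
    print(check_prologue(patched, entry))                  # patched: short jmp
```

The mov edi,edi prologue is what makes the "nothing fancy" patching possible: it is exactly two bytes, so a short jmp back into the padding fits without shifting any code, and a checker only has to compare those two bytes against the original to know whether a monitor has been installed.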

guro

@ Tedd

"You might also see this done at the beginning of functions, which seems entirely pointless"

The beginning is inside the function, not before right? (according at least to the example code or are you talking about a different situation?)

"why not just place the entry to the function ON the aligned boundary ... to allow for monitoring function calls to be patched into the beginning of functions without needing to do anything fancy ..."

Explain please the quoted statement further. As far as i understand, this 'stub' code (JMP[to reach actual code]+sequence of INT_3 instructions[for alignment]) is introduced at DEBUG assembler mode. Then the entry of the 'start' routine (according to the example) is located at dword-aligned boundary. If assembler is on RELEASE mode, then the stub code is omitted and first real instruction is placed again at dword-aligned boundary.



Tedd

Quote from: guro on April 08, 2011, 12:47:05 PM
"You might also see this done at the beginning of functions, which seems entirely pointless"

The beginning is inside the function, not before right? (according at least to the example code or are you talking about a different situation?)
Yes, or there would be no need for the jump (it would never be executed.)

Quote
"why not just place the entry to the function ON the aligned boundary ... to allow for monitoring function calls to be patched into the beginning of functions without needing to do anything fancy ..."

Explain please the quoted statement further. As far as i understand, this 'stub' code (JMP[to reach actual code]+sequence of INT_3 instructions[for alignment]) is introduced at DEBUG assembler mode. Then the entry of the 'start' routine (according to the example) is located at dword-aligned boundary. If assembler is on RELEASE mode, then the stub code is omitted and first real instruction is placed again at dword-aligned boundary.
In debug mode, yes; for use with a debugging monitor, performance analysis, or something similar.
In a release version, there shouldn't be any need since you assume your program is correct at that point.
Although in certain situations it may be done in release version to allow for run-time patching.
No snowflake in an avalanche feels responsible.