>>3
lol hotpatching support.
It's actually (x86):
mov edi,edi ; nop equivalent
push ebp
mov ebp,esp
which takes 5 bytes, or just enough for a longjmp.
This is used because MS wants to be able to hook exported functions live when they deliver updates to system libraries.
In the case the first 5 bytes contained non-relocatable code or jumps/calls, it would be a bit trickier to hook (but still possible).
This makes everyone who likes hooking system library functions happy and it provides MS with a reliable update mechanism for production systems where you can't afford to reboot after an update.
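
An added example, not part of the post above: a C check that tells whether the entry bytes of a 32-bit x86 function still hold the prologue quoted in the post or have been overwritten with a jump, and where that jump leads. The function and enum names are hypothetical, and the 2-byte short-jump case goes beyond what the post mentions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum prologue_kind {
    PROLOGUE_HOTPATCH,   /* mov edi,edi / push ebp / mov ebp,esp, untouched */
    PROLOGUE_JMP_REL32,  /* first 5 bytes replaced by E9 rel32 */
    PROLOGUE_JMP_SHORT,  /* mov edi,edi replaced by a 2-byte EB rel8 */
    PROLOGUE_OTHER       /* anything else, or too few bytes */
};

/* The 5-byte sequence from the post, as x86 machine code. */
static const uint8_t HOTPATCH_PROLOGUE[5] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };

/*
 * Classify the first bytes of a 32-bit x86 function.
 * code: bytes read from the function entry; len: bytes available;
 * va: virtual address of code[0]; *target receives the jump destination
 * when a jump is found (may be NULL).
 */
enum prologue_kind classify_prologue(const uint8_t *code, size_t len,
                                     uint32_t va, uint32_t *target)
{
    if (len < 5)
        return PROLOGUE_OTHER;
    if (memcmp(code, HOTPATCH_PROLOGUE, 5) == 0)
        return PROLOGUE_HOTPATCH;
    if (code[0] == 0xE9) {
        /* rel32 is little-endian, relative to the next instruction */
        uint32_t rel = (uint32_t)code[1] | (uint32_t)code[2] << 8 |
                       (uint32_t)code[3] << 16 | (uint32_t)code[4] << 24;
        if (target)
            *target = va + 5u + rel;  /* wraps modulo 2^32 like EIP */
        return PROLOGUE_JMP_REL32;
    }
    if (code[0] == 0xEB) {
        /* rel8 is signed, relative to the next instruction */
        if (target)
            *target = va + 2u + (uint32_t)(int32_t)(int8_t)code[1];
        return PROLOGUE_JMP_SHORT;
    }
    return PROLOGUE_OTHER;
}
```

A jump target that falls outside the module that owns the function is the part worth reporting when auditing a process for inline hooks.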