Text only | Text with Images

The MASM Forum Archive 2004 to 2012

General Forums => The Workshop => Topic started by: AeroASM on May 11, 2005, 06:17:32 AM

Title: Questions about the PE file format
Post by: AeroASM on May 11, 2005, 06:17:32 AM
1. Where can I find proper documented information on all the elements of IMAGE_DOS_HEADER?
2. In particular, where is the offset of the DOS stub stored?
3. Must the section table immediately follow the IMAGE_NT_HEADERS?

Thanks to all.
Title: Re: Questions about the PE file format
Post by: hutch-- on May 11, 2005, 06:25:23 AM
Aero,

Microsoft Portable Executable and Common Object File Format Specification.

Do a google search for a WORD doc format file PECOFF.DOC. Its on the Microsoft site somewhere.

The DOS or MZ header is at the beginning of a PE file and the last element of the structure has the offset of the PE header that follows.
Title: Re: Questions about the PE file format
Post by: thomasantony on May 11, 2005, 07:32:02 AM
Hi Aero,
    The PE file has a DOS stub that is basically a small DOS proggy that displays the message "This program needs MS Windows" etc. The offset of the PE Header is stored at offset 3Ch. THat DOS header  should be atleast 64 bytes long.(40h)

Thomas :U
Title: Re: Questions about the PE file format
Post by: Vortex on May 11, 2005, 07:41:00 AM
Hi Aero,

Did you check Iczelion's PE tutorials?

Quote
Overview of PE File Format
Detecting a Valid PE File
File Header
Optional Header
Section Table
Import Table
Export TableĀ 

http://spiff.tripnet.se/~iczelion/pe-tut1.html
Title: Re: Questions about the PE file format
Post by: pbrennick on May 11, 2005, 10:55:25 AM
Hi Aero,
Take a look at the MSDN online database.  I found http://msdn.microsoft.com/msdnmag/issues/02/02/pe/default.aspx and some other interesting stuff.

hth:
Paul
Title: Re: Questions about the PE file format
Post by: Tedd on May 11, 2005, 11:00:32 AM
http://www.wotsit.org/download.asp?f=winf10
Title: Re: Questions about the PE file format
Post by: QvasiModo on May 11, 2005, 06:17:12 PM
http://www.windowsitlibrary.com/Content/356/11/toc.html
Title: Re: Questions about the PE file format
Post by: AeroASM on May 12, 2005, 05:38:55 PM
Thanks everybody, but I had already found similar information myself. I was looking for answers to my specific questions.
Title: Re: Questions about the PE file format
Post by: Jibz on May 12, 2005, 05:54:18 PM
1. You'd need to dig up some DOS exe format specification to get those, if you have any specific questions, try asking
2. The DOS stub is the first thing in a PE executable, so it always starts at offset 0.
3. Yes. You find the section table by adding SizeOfOptionalHeaders to the offset of the optional header in IMAGE_NT_HEADERS.
Title: Re: Questions about the PE file format
Post by: AeroASM on May 12, 2005, 08:33:41 PM
Quote from: Jibz on May 12, 2005, 05:54:18 PM
2. The DOS stub is the first thing in a PE executable, so it always starts at offset 0.

I meant, the executable code. I couldn't find anywhere in the DOS header where the offset of the DOS code is stored.
Title: Re: Questions about the PE file format
Post by: Jibz on May 12, 2005, 08:58:28 PM
The image comes right after the header, so that's at e_cparhdr*16, where e_cparhdr is the 'header size in paragraphs' member of the DOS exe header.
Title: Re: Questions about the PE file format
Post by: thomasantony on May 14, 2005, 05:42:36 AM
*Usually* the DOS stub code starts at offset 20h and continues till 3Ch for the smallest stub. But MS's stub continues after that till 60h or something.

Thomas
Text only | Text with Images