Check for valid PE file

Started by donkey, December 27, 2004, 05:33:22 PM

Tedd

Isn't the MZ stub optional? I mean, it's not strictly necessary and is only there in case you try to run it from DOS.
Anyway, point being that this code requires it and I don't think the PE does.
No snowflake in an avalanche feels responsible.

hutch--

No, a member of the MZ header is required to locate the PE header. The PE specification includes the MZ 16-bit real mode header.
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

Jibz

Yes, the MZ header is required .. at least enough of it that the Windows PE loader interprets it as such -- i.e. if the MZ signature and the e_lfanew members are correct, the PE file should work. Of course it's best to use a valid stub executable to be safe :U.

billy

Check out the code in the MS .NET beta 2005 for the crt stub that gets called upon loading (it calls a C/C++ application's main() function). It contains the code to scan a PE, and will even determine if it has .NET managed code in it. FYI, 2005 beta is a free download, but you must agree to send feedback.

hutch--

The 2005 beta does not allow distribution of code developed using it. The licence is specific to testing and giving feedback to Microsoft.

billy

Quote from: hutch-- on January 05, 2005, 01:42:43 AM
The 2005 beta does not allow distribution of code developed using it. The licence is specific to testing and giving feedback to Microsoft.

I didn't mean to distribute the code, but it can be studied to see how the PE header is laid out.

Tedd

Quote from: hutch-- on January 04, 2005, 05:10:16 PM
No, a member of the MZ header is required to locate the PE header. The PE specification includes the MZ 16-bit real mode header.

Yes, but if the stub isn't there, then the PE header would start at offset 0 :bg (...usually)

hutch--

 :bg

Quote
Yes, but if the stub isn't there, then the PE header would start at offset 0  (...usually)

This would be fine if you wrote your own EXE file loader, but Microsoft PE specs require an MZ header, properly a DOS stub, and without it, it ain't a PE file. Try it through any version of the Windows loader and it will go bang.

chetnik

PE executable should start with MZ header, and that's what it says in PE specification. I haven't seen, yet, a PE executable without MZ at the beginning.

Best regards =)

p.s.
I don't like MapViewOfFile =))) I like old Unix file handling =))))))))))

Polizei

Well donkey, you could install a SEH frame when checking the file for a VALID additional header (LE/PE/etc.). I had some files on my PC that don't have a GOOD DOS header and the [e_lfanew] member was junk :( so that causes a "General Protection Fault" (Win98). By the way, I use the same code when opening PE files in my PElib :>

chetnik

Yap I do the same thing in my file finder/check valid PE code, install SEH, and if progy fails to read from memory where e_lfanew is pointing (bad MZ header) it just unmaps file, closes handles and continues with search  :dazzled: :dazzled:

Best regards
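
The junk `e_lfanew` case raised in this thread can also be caught by checking the offset against the file length before following it. The following is an added example, not code from any poster or from MASM32; the names `check_pe`, `check_sample` and the result codes are this example's own, and it assumes the file is already read or mapped into a buffer of known length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum pe_check { PE_OK, PE_TOO_SMALL, PE_NO_MZ, PE_BAD_LFANEW, PE_NO_SIG };

#define DOS_HEADER_SIZE  64u   /* sizeof(IMAGE_DOS_HEADER) */
#define E_LFANEW_OFFSET  0x3Cu /* e_lfanew within the DOS header */
#define NT_MIN_SIZE      24u   /* 4-byte signature + IMAGE_FILE_HEADER (20) */

/* Little-endian 32-bit read with no alignment assumptions. */
static uint32_t rd32le(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk MZ -> e_lfanew -> "PE\0\0" without reading outside buf[0..len). */
enum pe_check check_pe(const uint8_t *buf, size_t len)
{
    if (len < DOS_HEADER_SIZE) return PE_TOO_SMALL;
    if (buf[0] != 'M' || buf[1] != 'Z') return PE_NO_MZ;
    uint32_t lfanew = rd32le(buf + E_LFANEW_OFFSET);
    /* len >= 64 here, so len - NT_MIN_SIZE cannot underflow, and comparing
       this way means a huge junk e_lfanew cannot wrap around. */
    if (lfanew > len - NT_MIN_SIZE) return PE_BAD_LFANEW;
    if (memcmp(buf + lfanew, "PE\0\0", 4) != 0) return PE_NO_SIG;
    return PE_OK;
}

/* Constructed 256-byte sample: "MZ", a chosen e_lfanew, and optionally
   the PE signature placed at offset 0x80. Not a real executable. */
enum pe_check check_sample(uint32_t lfanew, int with_sig)
{
    uint8_t img[256] = { 'M', 'Z' };
    for (int i = 0; i < 4; i++)
        img[E_LFANEW_OFFSET + i] = (uint8_t)(lfanew >> (8 * i));
    if (with_sig) memcpy(img + 0x80, "PE\0\0", 4);
    return check_pe(img, sizeof img);
}

int main(void)
{
    printf("good=%d junk=%d nosig=%d\n", check_sample(0x80, 1),
           check_sample(0xFFFFFFF0u, 1), check_sample(0x80, 0));
    return 0;
}
```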