#1
The start of a PE image
I'm working on a disassembler that will support various formats, PE and Mach-O to start. I'm examining the data in these types of image files in a hex editor to see how it follows the specification. Mach-O is following 100% so far, however the PE image doesn't, or so it seems.
PE specification states: "The PE file header consists of an MS-DOS stub, the PE signature, the COFF File Header, and an Optional Header. A COFF object file header consists of a COFF File Header and an Optional Header. In both cases, the file headers are followed immediately by section headers." It soon goes on to state: "The MS-DOS Stub is a valid application that runs under MS-DOS and is placed at the front of the .EXE image [...] which prints out the message "This program cannot be run in DOS mode" when the image is run in MS-DOS." Sounds like that MS-DOS related message should be the first thing in a PE image, or at least a .EXE image. It is not. There is extra data before this message. To be exact, there are 73 bytes of data prior to this MS-DOS message. The PE specification mentions nothing of these 73 bytes. I'd also like to add that it isn't always 73 bytes. It depends on the file you are examining; this particular one just happens to have 73. Why does it seem much harder to understand PE as opposed to ELF or Mach-O? Does anyone know the PE format and can help me solve my problem as to what the data at the very front of a PE image is used for?
#2
According to the Girder Book, the MS-DOS stub is actually a small program which executes if you try to run the program from a command line, and not all compilers insert the exact same stub program. The text you are presumably looking at is actually in the program's .data segment at the end of the stub.
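To make the reply concrete, here is an added example (not from the thread or any project) that walks the front of a PE image: a 64-byte IMAGE_DOS_HEADER whose e_lfanew field at offset 0x3C points to the "PE\0\0" signature, the stub code between the header and the DOS-mode message, then the COFF File Header. The sample bytes are constructed inline to mimic a typical linker stub, and the parser bounds-checks e_lfanew before following it, which is the check a disassembler wants on untrusted input.

```python
import struct

DOS_HEADER_SIZE = 64          # sizeof(IMAGE_DOS_HEADER); e_lfanew lives at offset 0x3C
DOS_MESSAGE = b"This program cannot be run in DOS mode"

def build_sample():
    """Constructed sample layout (not a real executable): DOS header, stub, PE signature, COFF header."""
    # Typical linker stub code: push cs / pop ds / mov dx,0Eh / mov ah,9 / int 21h / mov ax,4C01h / int 21h
    stub_code = bytes.fromhex("0E1FBA0E00B409CD21B8014CCD21")
    stub = stub_code + DOS_MESSAGE + b".\r\r\n$"      # '$' terminates the DOS print string
    e_lfanew = DOS_HEADER_SIZE + len(stub)
    pad = (-e_lfanew) % 8                             # linkers commonly align the PE signature
    e_lfanew += pad
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)
    # COFF File Header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (sample values)
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 240, 0x22)
    return dos_header + stub + b"\x00" * pad + coff

def parse_pe_front(data):
    """Describe everything that sits before the section headers of a PE image."""
    if len(data) < DOS_HEADER_SIZE or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # e_lfanew comes from the file, so bounds-check it before dereferencing it.
    if e_lfanew < DOS_HEADER_SIZE or e_lfanew + 24 > len(data):
        raise ValueError("e_lfanew points outside the file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found at e_lfanew")
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    msg_off = data.find(DOS_MESSAGE, DOS_HEADER_SIZE, e_lfanew)
    return {
        "e_lfanew": e_lfanew,
        "stub_bytes": e_lfanew - DOS_HEADER_SIZE,                    # code + message + padding
        "message_offset": None if msg_off < 0 else msg_off,          # bytes before the message
        "stub_code_bytes": None if msg_off < 0 else msg_off - DOS_HEADER_SIZE,
        "machine": machine,
        "sections": nsections,
        "optional_header_size": opt_size,
        "characteristics": chars,
        # spec: section headers follow the Optional Header immediately
        "section_headers_offset": e_lfanew + 4 + 20 + opt_size,
    }

if __name__ == "__main__":
    for key, value in parse_pe_front(build_sample()).items():
        print(f"{key}: {value}")
```

On the sample the message starts at offset 78 (64 header bytes plus 14 bytes of stub code); a different stub program changes that number, which is why the count varies from file to file.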
#3
Thank you. I read over Girder, however I still didn't quite understand what this data at the front of the whole file was, but I found another website that worked with this data a little and it cleared things up a bit.
http://www.reversing.be/article.php?story=20060708191417910 I'll learn more later on but thanks for the help.