PE File Format [2]

DOS-stub and signature
----------------------

The concept of a DOS-stub is well-known from the 16-bit-Windows-
Executables (which were in the "ne" Format). The stub is used
OS/2-executables, self-extracting archives and other applications, too.
For pe-files, it is a MS-DOS 2.0 compatible executable that almost
Always consists of about 100 bytes that output an error message such
"This program needs Windows NT ".
You recognize a DOS-stub by validating the DOS-header, being
Struct image_dos_header. The first 2 bytes shocould be the sequence "MZ"
(There is a # define image_dos_signature for this word ).
You distinguish a PE binary from other stubbed binaries by the trailing
Signature, which you find at the offset given by the header Member
'E _ lfanew '(which is 32 bits long beginning at byte offset 60). For OS/2
And windows binaries, the signature is a 16-bit-word; for PE files, it
Is a 32-bit-longword aligned at a 8-byte-boundary and having the value
Image_nt_signature # defined to be 0x00004550.

 

DOS-stub and signature

--------------------------

In a 16-bit Windows system, we all know that DOS-stub is an executable file called the ne format.

This stub is also used as a self-extracting document and other applications in the executable file of OS/2.

In the PE file, it is to be compatible with ms-dos2.0 executable files, including about 100 bytes, output "this program needs Windows NT" when an error is reported ".

You can identify a DOS-stub by verifying the DOS-header. There is an image_dos_header struct. The first two bytes should be "MZ ",
(There is a # define image_dos_signature for this word ).
The signature at the end (the member variable e_lfanew in the header, with an offset of 60 bytes and a length of 32 bits) can be used to differentiate a PE format from other stub.

In OS/2 or Windows binary files, this signature is 16 bits; if it is a PE file, it is 32 bits (8 bits), the value is image_nt_signature, define to 0x00004550