Strange value in exe header

I saw a strange value placed in the exe header

00000000 :4D 5A 90 00 03 00 00 00 - 04 00 00 00 FF FF 00 00
00000010 :B8 00 00 00 00 00 00 00 - 40 00 00 00 00 00 00 00
00000020 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000030 :00 00 00 00 00 00 00 00 - 00 00 00 00 A8 00 00 00 <-

I do not know what A8 is doing there, but if I replace it with zeros, my program will not run.

In a word: what is it?

Also, could you give me a link to the full MS DOS header?

+3
3 answers

The DWORD at offset 0x3C is the offset of the new EXE header, also known as IMAGE_NT_HEADERS. Therefore, if you change the value there, the PE loader will not be able to find the new EXE header.

+3

PE - MSDOS; 0x3C ( "A8" ) PE. , PE ( MS-DOS, ). . PE.

+4

, PE, 30 - MS-DOS, , "A8" , _IMAGE_DOS_HEADER, LONG e_lfanew; // File address of new exe header; "A8" IMAGE_NT_HEADER,

  • DWORD;
  • _IMAGE_FILE_HEADER FileHeader;
  • _IMAGE_OPTIONAL_HEADER Header;

The first two bytes are the original header of the MS-DOS executable file, as shown in this constant: WORD IMAGE_DOS_SIGNATURE = 0x5A4D; // MZ. IMAGE_NT_HEADER has its own signature to determine that it is an executable for NT platforms: DWORD IMAGE_NT_SIGNATURE = 0x00004550; // PE00.

You will find all this information in the header file pe.h.

What happened is that you destroyed the value "A8", so the loader could not find IMAGE_NT_HEADER and therefore could not.

+3
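As an added example (not code from the thread), the following reads e_lfanew the way the answers describe and reproduces the asker's experiment of zeroing it. The sample image is constructed here from the first 0x40 bytes of the question's dump; the DOS stub between 0x40 and 0xA8 is assumed to be zeros, and only the PE signature of IMAGE_NT_HEADERS is placed at 0xA8.

```python
import struct

# Names from pe.h as cited in the thread; the values are the real ones.
IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ" read as a little-endian WORD
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0" read as a little-endian DWORD
E_LFANEW_OFFSET = 0x3C            # position of LONG e_lfanew in _IMAGE_DOS_HEADER


def locate_nt_headers(image: bytes) -> int:
    """Return the file offset of IMAGE_NT_HEADERS by following e_lfanew.

    Raises ValueError naming the failed check, which is the situation the
    loader is in when it refuses to start the program.
    """
    if len(image) < E_LFANEW_OFFSET + 4:
        raise ValueError("file too short for an _IMAGE_DOS_HEADER")
    (e_magic,) = struct.unpack_from("<H", image, 0)
    if e_magic != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature at offset 0")
    (e_lfanew,) = struct.unpack_from("<I", image, E_LFANEW_OFFSET)
    # e_lfanew must land inside the file with room for the 4-byte signature.
    if e_lfanew + 4 > len(image):
        raise ValueError(f"e_lfanew 0x{e_lfanew:X} points outside the file")
    (nt_signature,) = struct.unpack_from("<I", image, e_lfanew)
    if nt_signature != IMAGE_NT_SIGNATURE:
        raise ValueError(f"no PE\\0\\0 signature at offset 0x{e_lfanew:X}")
    return e_lfanew


def build_sample(e_lfanew: int = 0xA8) -> bytes:
    """Constructed sample: the DOS header fields visible in the question's dump,
    a zero-filled DOS stub, and a PE signature at e_lfanew (assumed layout)."""
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0x00, IMAGE_DOS_SIGNATURE)  # 4D 5A  e_magic
    struct.pack_into("<H", dos, 0x02, 0x0090)               # e_cblp
    struct.pack_into("<H", dos, 0x04, 0x0003)               # e_cp
    struct.pack_into("<H", dos, 0x08, 0x0004)               # e_cparhdr
    struct.pack_into("<H", dos, 0x0C, 0xFFFF)               # e_maxalloc
    struct.pack_into("<H", dos, 0x10, 0x00B8)               # e_sp
    struct.pack_into("<H", dos, 0x18, 0x0040)               # e_lfarlc
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)  # A8 00 00 00
    stub = bytes(e_lfanew - len(dos))                       # assumed zero stub
    return bytes(dos) + stub + struct.pack("<I", IMAGE_NT_SIGNATURE)


def zero_e_lfanew(image: bytes) -> bytes:
    """The asker's experiment: overwrite the DWORD at 0x3C with zeros."""
    patched = bytearray(image)
    patched[E_LFANEW_OFFSET:E_LFANEW_OFFSET + 4] = b"\x00" * 4
    return bytes(patched)
```

With e_lfanew zeroed, the loader-style check reads the DWORD at offset 0 (the bytes 4D 5A 90 00) where it expects PE\0\0, so the file is rejected before any NT header is parsed.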

Source: https://habr.com/ru/post/1731000/
