MS-DOS EXE
MS-DOS EXE (or DOS EXE), also known as MZ format, is an executable file format used mainly by MS-DOS. It is the successor of COM. A number of other executable formats are extensions of it; see EXE for those formats.
Contents |
Format details
Header structure
DOS EXE files begin with a fixed 28-byte header.
The field names in this table are taken from the IMAGE_DOS_HEADER structure defined in modern Windows SDKs. Byte order is little-endian.
Offset | Type | Name | Description and remarks |
---|---|---|---|
0 | byte[2] | e_magic | Signature - ASCII "MZ " or "ZM "
|
2 | uint16 | e_cblp | If nonzero, the number of bytes in the last page |
4 | uint16 | e_cp | Number of 512-byte pages in the file, not counting the "overlay" segment |
6 | uint16 | e_crlc | Number of relocations |
8 | uint16 | e_cparhdr | Header size, in 16-byte paragraphs |
10 | uint16 | e_minalloc | Minimum allocation |
12 | uint16 | e_maxalloc | Maximum allocation |
14 | int16 | e_ss | Initial SS register |
16 | uint16 | e_sp | Initial SP register |
18 | uint16 | e_csum | Checksum - Usually unused and set to 0 |
20 | uint16 | e_ip | Initial IP register |
22 | int16 | e_cs | Initial CS register |
24 | uint16 | e_lfarlc | Relocation table offset, in bytes from the start of the file |
26 | uint16 | e_ovno | Overlay number (or other custom data) - Usually unused |
Special file positions
When analyzing DOS EXE files, especially "envelope formats", it can be helpful to calculate certain special file positions. Positions given here are in bytes, from the start of the file.
- End of relocation table = e_lfarlc + 4×e_crlc
- Start of code image segment: 16×e_cparhdr
- Execution starting point: 16×e_cparhdr + 16×e_cs + e_ip. Note that e_cs may be negative.
- Start of overlay segment (or end of code image segment): If e_cblp=0, this is 512×e_cp. Otherwise, 512×(e_cp−1) + e_cblp.
Identification
An MS-DOS EXE file begins with an ASCII signature of "MZ
" (or, rarely, "ZM
"), followed by a series of 16-bit fields. The field at offset 24 (the relocation table offset) is usually (but apparently not always) less than 64, and at least 28. A value of 64 or more, or 0, suggests the format may not be MS-DOS EXE.
It's not clear whether there is any completely reliable way to identify an MS-DOS EXE, except in the negative (i.e. it begins with "MZ", and is not a valid NE, PE, etc., file).
Sample files
Links
- Wikipedia article
- MZ, from the OSDev Wiki
- http://www.delorie.com/djgpp/doc/exe/
- DOS EXE format
- EXE Explorer utility
- Ralf Brown's Interrupt Reference has an extensive list of (mostly older) MZ-based executable formats