MS-DOS EXE
(→Identification) |
m (→Sample files) |
||
(16 intermediate revisions by 6 users not shown) | |||
Line 3: | Line 3: | ||
|subcat=Executables | |subcat=Executables | ||
|extensions={{ext|exe}} | |extensions={{ext|exe}} | ||
+ | |pronom={{PRONOM|x-fmt/409}} | ||
+ | |kaitai struct=dos_mz | ||
}} | }} | ||
− | '''MS-DOS EXE''' is an executable file format used mainly by [[MS-DOS]]. It is the successor | + | '''MS-DOS EXE''' (or '''DOS EXE'''), also known as '''MZ''' format, is an executable file format used mainly by [[MS-DOS]]. It is the successor of [[DOS executable (.com)|COM]]. A number of other executable formats are extensions or hybrids of it; see [[EXE]] for those formats. |
− | + | == Format details == | |
+ | === Header structure === | ||
+ | DOS EXE files begin with a fixed 28-byte header. | ||
+ | |||
+ | The field names in this table are taken from the IMAGE_DOS_HEADER structure defined in modern Windows SDKs. Byte order is little-endian. | ||
+ | |||
+ | {| class="wikitable" | ||
+ | ! Offset !! Type !! Name !! Description and remarks | ||
+ | |- | ||
+ | |0 || byte[2] || e_magic || Signature - ASCII "<code>MZ</code>" or "<code>ZM</code>" | ||
+ | |- | ||
+ | |2 || uint16 || e_cblp || If nonzero, the number of bytes in the last page | ||
+ | |- | ||
+ | |4 || uint16 || e_cp || Number of 512-byte pages in the file, not counting the "overlay" segment | ||
+ | |- | ||
+ | |6 || uint16 || e_crlc || Number of relocations | ||
+ | |- | ||
+ | |8 || uint16 || e_cparhdr || Header size, in 16-byte paragraphs | ||
+ | |- | ||
+ | |10 || uint16 || e_minalloc || Minimum allocation | ||
+ | |- | ||
+ | |12 || uint16 || e_maxalloc || Maximum allocation | ||
+ | |- | ||
+ | |14 || int16 || e_ss || Initial SS register | ||
+ | |- | ||
+ | |16 || uint16 || e_sp || Initial SP register | ||
+ | |- | ||
+ | |18 || uint16 || e_csum || Checksum - Usually unused and set to 0 | ||
+ | |- | ||
+ | |20 || uint16 || e_ip || Initial IP register | ||
+ | |- | ||
+ | |22 || int16 || e_cs || Initial CS register | ||
+ | |- | ||
+ | |24 || uint16 || e_lfarlc || Relocation table offset, in bytes from the start of the file | ||
+ | |- | ||
+ | |26 || uint16 || e_ovno || Overlay number (or other custom data) - Usually unused | ||
+ | |} | ||
+ | |||
+ | === Special file positions === | ||
+ | When analyzing DOS EXE files, especially [[Executable envelopes|"envelope" formats]], it can be helpful to calculate certain special file positions. The positions given here are in bytes, from the start of the file. | ||
+ | |||
+ | * ''End of relocation table'': e_lfarlc + 4×e_crlc | ||
+ | * ''Start of code image segment'': 16×e_cparhdr | ||
+ | * ''Execution starting point'' (a.k.a. ''entry point''): 16×e_cparhdr + 16×e_cs + e_ip. Note that e_cs may be negative. | ||
+ | * ''Start of overlay segment'' (or ''end of code image segment''): If e_cblp=0, this is 512×e_cp. Otherwise, 512×(e_cp−1) + e_cblp. | ||
== Identification == | == Identification == | ||
− | + | See [[EXE#Identification]] for EXE format in general. | |
+ | |||
+ | It's not clear if there is any completely reliable way to identify a file as strictly DOS EXE, except in the negative (i.e., it looks like EXE, and is not a valid [[NE]], [[PE]], etc., file). | ||
+ | |||
+ | If the relocation table offset is from 28 to 63, or any segment (relocation table or code image) overlaps the four bytes starting at offset 60, it is pretty certainly DOS EXE. | ||
+ | |||
+ | Most non-DOS EXE files set the relocation table offset to 64, but it's probably not safe to rely on that. | ||
− | + | == Sample files == | |
+ | * {{DexvertSamples|executable/exe}} | ||
== Links == | == Links == | ||
Line 17: | Line 70: | ||
* [http://wiki.osdev.org/MZ MZ], from the OSDev Wiki | * [http://wiki.osdev.org/MZ MZ], from the OSDev Wiki | ||
* http://www.delorie.com/djgpp/doc/exe/ | * http://www.delorie.com/djgpp/doc/exe/ | ||
+ | * [http://www.textfiles.com/programming/FORMATS/exefs.pro DOS EXE format] | ||
+ | * [http://www.mitec.cz/exe.html EXE Explorer utility] | ||
+ | * [http://www.ctyme.com/intr/rb-2939.htm Ralf Brown's Interrupt Reference] has an extensive list of (mostly older) MZ-based executable formats | ||
[[Category:Microsoft]] | [[Category:Microsoft]] | ||
+ | [[Category:MS-DOS]] |
Latest revision as of 19:55, 16 February 2024
MS-DOS EXE (or DOS EXE), also known as MZ format, is an executable file format used mainly by MS-DOS. It is the successor of COM. A number of other executable formats are extensions or hybrids of it; see EXE for those formats.
== Format details ==
=== Header structure ===
DOS EXE files begin with a fixed 28-byte header.
The field names in this table are taken from the IMAGE_DOS_HEADER structure defined in modern Windows SDKs. Byte order is little-endian.
Offset | Type | Name | Description and remarks |
---|---|---|---|
0 | byte[2] | e_magic | Signature - ASCII "MZ" or "ZM" |
2 | uint16 | e_cblp | If nonzero, the number of bytes in the last page |
4 | uint16 | e_cp | Number of 512-byte pages in the file, not counting the "overlay" segment |
6 | uint16 | e_crlc | Number of relocations |
8 | uint16 | e_cparhdr | Header size, in 16-byte paragraphs |
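10 | uint16 | e_minalloc | Minimum allocation: extra memory required beyond the loaded image, in 16-byte paragraphs |
12 | uint16 | e_maxalloc | Maximum allocation: extra memory requested beyond the loaded image, in 16-byte paragraphs |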
14 | int16 | e_ss | Initial SS register |
16 | uint16 | e_sp | Initial SP register |
18 | uint16 | e_csum | Checksum - Usually unused and set to 0 |
20 | uint16 | e_ip | Initial IP register |
22 | int16 | e_cs | Initial CS register |
24 | uint16 | e_lfarlc | Relocation table offset, in bytes from the start of the file |
26 | uint16 | e_ovno | Overlay number (or other custom data) - Usually unused |
=== Special file positions ===
When analyzing DOS EXE files, especially "envelope" formats, it can be helpful to calculate certain special file positions. The positions given here are in bytes, from the start of the file.
- End of relocation table: e_lfarlc + 4×e_crlc
- Start of code image segment: 16×e_cparhdr
- Execution starting point (a.k.a. entry point): 16×e_cparhdr + 16×e_cs + e_ip. Note that e_cs may be negative.
- Start of overlay segment (or end of code image segment): If e_cblp=0, this is 512×e_cp. Otherwise, 512×(e_cp−1) + e_cblp.
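The four formulas above can be sketched as a small Python function. The function name `special_positions` and the dictionary keys are hypothetical; the arguments are the header fields already decoded as integers, with e_cs taken as a signed value.

```python
def special_positions(*, e_cblp: int, e_cp: int, e_crlc: int,
                      e_cparhdr: int, e_ip: int, e_cs: int,
                      e_lfarlc: int) -> dict:
    """Return the special file positions, in bytes from the start of the file."""
    # The code image starts right after the header, whose size is given
    # in 16-byte paragraphs.
    code_start = 16 * e_cparhdr

    # e_cblp == 0 means the last 512-byte page is completely used.
    if e_cblp == 0:
        overlay_start = 512 * e_cp
    else:
        overlay_start = 512 * (e_cp - 1) + e_cblp

    return {
        # Each relocation entry occupies 4 bytes.
        "relocation_table_end": e_lfarlc + 4 * e_crlc,
        "code_start": code_start,
        # e_cs is signed, so the entry point may precede code_start.
        "entry_point": code_start + 16 * e_cs + e_ip,
        "overlay_start": overlay_start,
    }
```

For instance, with e_cparhdr=2, e_cs=-1 and e_ip=32, the entry point works out to 32 − 16 + 32 = 48, which illustrates why e_cs has to be read as signed.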
== Identification ==
See EXE#Identification for EXE format in general.
It is unclear whether there is any completely reliable way to identify a file as strictly DOS EXE, other than by elimination (i.e., it looks like EXE, and is not a valid NE, PE, etc., file).
If the relocation table offset is from 28 to 63, or any segment (relocation table or code image) overlaps the four bytes starting at offset 60, the file is almost certainly DOS EXE, because extended formats such as NE and PE store the offset of their secondary header in those four bytes.
Most non-DOS EXE files set the relocation table offset to 64, but it is probably not safe to rely on that.
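The positive heuristic above can be sketched as follows. This is only an illustration under stated assumptions: the function name `almost_certainly_dos_exe` is hypothetical, an empty relocation table or empty code image is assumed not to overlap anything, and a `False` result means "inconclusive", not "not DOS EXE".

```python
def almost_certainly_dos_exe(*, e_cblp: int, e_cp: int, e_crlc: int,
                             e_cparhdr: int, e_lfarlc: int) -> bool:
    """Apply the relocation-offset and overlap tests to decoded header fields."""

    def overlaps_offset_60(start: int, end: int) -> bool:
        # True if the non-empty half-open range [start, end) shares at
        # least one byte with the four bytes at offsets 60..63.
        return start < end and start < 64 and end > 60

    # Test 1: relocation table offset from 28 to 63.
    if 28 <= e_lfarlc <= 63:
        return True

    # Test 2a: relocation table (4 bytes per entry) overlaps offset 60..63.
    if overlaps_offset_60(e_lfarlc, e_lfarlc + 4 * e_crlc):
        return True

    # Test 2b: code image overlaps offset 60..63. Its end is the start of
    # the overlay segment, computed as in "Special file positions".
    code_start = 16 * e_cparhdr
    if e_cblp == 0:
        code_end = 512 * e_cp
    else:
        code_end = 512 * (e_cp - 1) + e_cblp
    return overlaps_offset_60(code_start, code_end)
```

A caller would typically run this only after ruling out the extended formats, and treat `False` as a reason to fall back on identification by elimination.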
== Sample files ==
== Links ==
- Wikipedia article
- [http://wiki.osdev.org/MZ MZ], from the OSDev Wiki
- http://www.delorie.com/djgpp/doc/exe/
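- [http://www.textfiles.com/programming/FORMATS/exefs.pro DOS EXE format]
- [http://www.mitec.cz/exe.html EXE Explorer utility]
- [http://www.ctyme.com/intr/rb-2939.htm Ralf Brown's Interrupt Reference] has an extensive list of (mostly older) MZ-based executable formats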