MS-DOS EXE

From Just Solve the File Format Problem
(Difference between revisions)
Jump to: navigation, search
(Format details)
Line 47: Line 47:
  
 
=== Special file positions ===
 
=== Special file positions ===
When analyzing DOS EXE files, especially "[[Executable envelopes|envelope formats]]", it can be helpful to calculate certain special file positions. Positions given here are in bytes, from the start of the file.
+
When analyzing DOS EXE files, especially [[Executable envelopes|"envelope" formats]], it can be helpful to calculate certain special file positions. Positions given here are in bytes, from the start of the file.
  
 
* ''End of relocation table'' = e_lfarlc + 4×e_crlc
 
* ''End of relocation table'' = e_lfarlc + 4×e_crlc
Line 55: Line 55:
  
 
== Identification ==
 
== Identification ==
An MS-DOS EXE file begins with an ASCII signature of "{{magic|MZ}}" (or, rarely, "{{magic|ZM}}"), followed by a series of 16-bit fields. The field at offset 24 (the ''relocation table offset'') is ''usually'' (but apparently not always) less than 64, and at least 28. A value of 64 or more, or 0, suggests the format may not be MS-DOS EXE.
+
See [[EXE#Identification]] for EXE format in general.
  
It's not clear whether there is any completely reliable way to identify an MS-DOS EXE, except in the negative (i.e. it begins with "MZ", and is not a valid [[NE]], [[PE]], etc., file).
+
It's not clear if there is any completely reliable way to identify a file as DOS EXE, except in the negative (i.e., it looks like EXE, and is not a valid [[NE]], [[PE]], etc., file).
 +
 
 +
If the relocation table offset is from 28 to 63, or any segment (relocation table or code image) overlaps the four bytes starting at offset 60, it is pretty certainly DOS EXE.
 +
 
 +
Most non-DOS EXE files set the relocation table offset to 64, but it's probably not safe to rely on that.
  
 
== Sample files ==
 
== Sample files ==

Revision as of 19:55, 3 July 2022

File Format
Name MS-DOS EXE
Ontology
Extension(s) .exe
PRONOM x-fmt/409
Kaitai Struct Spec dos_mz.ksy

MS-DOS EXE (or DOS EXE), also known as MZ format, is an executable file format used mainly by MS-DOS. It is the successor of COM. A number of other executable formats are extensions of it; see EXE for those formats.

Contents

Format details

Header structure

DOS EXE files begin with a fixed 28-byte header.

The field names in this table are taken from the IMAGE_DOS_HEADER structure defined in modern Windows SDKs. Byte order is little-endian.

Offset Type Name Description and remarks
0 byte[2] e_magic Signature - ASCII "MZ" or "ZM"
2 uint16 e_cblp If nonzero, the number of bytes in the last page
4 uint16 e_cp Number of 512-byte pages in the file, not counting the "overlay" segment
6 uint16 e_crlc Number of relocations
8 uint16 e_cparhdr Header size, in 16-byte paragraphs
10 uint16 e_minalloc Minimum allocation
12 uint16 e_maxalloc Maximum allocation
14 int16 e_ss Initial SS register
16 uint16 e_sp Initial SP register
18 uint16 e_csum Checksum - Usually unused and set to 0
20 uint16 e_ip Initial IP register
22 int16 e_cs Initial CS register
24 uint16 e_lfarlc Relocation table offset, in bytes from the start of the file
26 uint16 e_ovno Overlay number (or other custom data) - Usually unused

Special file positions

When analyzing DOS EXE files, especially "envelope" formats, it can be helpful to calculate certain special file positions. Positions given here are in bytes, from the start of the file.

  • End of relocation table = e_lfarlc + 4×e_crlc
  • Start of code image segment: 16×e_cparhdr
  • Execution starting point: 16×e_cparhdr + 16×e_cs + e_ip. Note that e_cs may be negative.
  • Start of overlay segment (or end of code image segment): If e_cblp=0, this is 512×e_cp. Otherwise, 512×(e_cp−1) + e_cblp.

Identification

See EXE#Identification for EXE format in general.

It's not clear if there is any completely reliable way to identify a file as DOS EXE, except in the negative (i.e., it looks like EXE, and is not a valid NE, PE, etc., file).

If the relocation table offset is from 28 to 63, or any segment (relocation table or code image) overlaps the four bytes starting at offset 60, it is pretty certainly DOS EXE.

Most non-DOS EXE files set the relocation table offset to 64, but it's probably not safe to rely on that.

Sample files

Links

Personal tools
Namespaces

Variants
Actions
Navigation
Toolbox