PE Header Requirements

孤者浪人 提交于 2019-12-04 07:24:12

You could try a book like .NET 2.0 IL Assembler. This book has a whole chapter devoted to what a PE format executable looks like (and what a .Net PE looks like).

You could also try loading your PE files with a PE File Reader and examining the results. If the PE reader struggles with your PE, then you have a pointer to what is failing.

Here is a PE File Reading DLL I wrote (with source). There is also a GUI (with source) that uses it.

The source is completely open source (not encumbered by the GPL) so you can do what you want with it (except impose a GPL on it, which would prevent it from being completely open), including take your version closed.

This is a complete pain to copy paste into a hex editor, so unfortunately I cannot say anything too intelligent right off the bat.

Things to notice in a PE file: Make sure your DOS header is valid. Make sure the IMAGE_OPTIONAL_HEADER is properly formatted, because despite it's name, Windows does not really like it to not be done properly.

For further information, above and beyond the MS format, lookup pe.txt, one of the best homebrew guides to the PE format I know.

If you could post just the bytes, I could try putting it in my own PE parsers and see if I can help more.

This article about creating tiny PE executables might be of interest: in particular, it mentions that the Win2k loader needs KERNEL32.DLL to be imported, so that might be worth investigating.

What you are attempting to do is dependent upon the version of Windows you are using. For example, the way PE files were read on Windows 2000 are not the same way that Windows 7 reads them. I'm an OSX user, but on the Windows 7 I have, I am unable to manipulate PE files in ways that would work on Windows 2000 and earlier. I haven't tested XP or Vista (or others between 2000 and Win7) to see when Windows started reading PE differently. On Windows 7, every single bit of memory in the MS-DOS header and stub is ignored. The only 2 pieces that matter are the "magic number" (a WORD that is equal to "MZ") and the PE Offset, which is a DWORD that defines the place in memory for the PE header begins. I'm not sure if Windows truly ignores all other values in the MS-DOS header and stub 100% of the time, but excluding the two I just mentioned, if all other values are set to 0, a valid executable program will function properly.

In Windows 2000 and earlier, I don't know if what I mentioned above was true, but you were at that time allowed to modify the length of the MS-DOS stub (or remove it perhaps), provided that the PE Offset value was still pointing to the correct place in memory to find the PE header. On Windows 7, if you modify the length of the MS-DOS stub at all, even when PE Offset points to the correct, modified location, Windows will not run the exe and claims it is not a valid Win32 application.

4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

This is the least the MS-DOS portion of a PE file can have on Windows 7 while still having a valid, functioning executable. That bit cannot be shortened.

Hope this clears some things up.

The Microsoft PE/COFF spec is the only spec I know of.
