本文共 1528 字,大约阅读时间需要 5 分钟。
DOS-stub and Signature
----------------------The concept of a DOS-stub is well-known from the 16-bit-windows-
executables (which were in the "NE" format). The stub is used forOS/2-executables, self-extracting archives and other applications, too.For PE-files, it is a MS-DOS 2.0 compatible executable that almostalways consists of about 100 bytes that output an error message such as"this program needs windows NT".You recognize a DOS-stub by validating the DOS-header, being astruct IMAGE_DOS_HEADER. The first 2 bytes should be the sequence "MZ"(there is a #define IMAGE_DOS_SIGNATURE for this WORD).You distinguish a PE binary from other stubbed binaries by the trailingsignature, which you find at the offset given by the header member'e_lfanew' (which is 32 bits long beginning at byte offset 60). For OS/2and windows binaries, the signature is a 16-bit-word; for PE files, itis a 32-bit-longword aligned at a 8-byte-boundary and having the valueIMAGE_NT_SIGNATURE #defined to be 0x00004550.
DOS-stub and Signature
--------------------------
在16位的windows里,众所周知DOS-stub的意思就是可执行文件,叫做NE格式。
这个stub也被用在OS/2的可执行文件里作为自解压文档和其他应用程序。
而在PE文件里,它是为了兼容ms-dos2.0的可执行文件,大约包括100个byte,报错的时候输出"this program needs windows NT".
可以通过验证DOS-header来识别一个DOS-stub,有一个IMAGE_DOS_HEADER的结构体,前两个byte应该是"MZ",
(there is a #define IMAGE_DOS_SIGNATURE for this WORD).可以通过末尾的signature(在header的成员变量e_lfanew,偏移量在60byte,长度为32bit,)来从其他的stub里区别一个PE格式.在OS/2或windows二进制文件,这个signature是16位的;如果是PE文件,它是32位的(以8字节对齐),值是IMAGE_NT_SIGNATURE,define成0x00004550
转载地址:http://salgb.baihongyu.com/