Windows Inner working.


naides
April 16th, 2007, 16:22
I have a naive question.

When and how does Windows decide to treat a PE file as a PE file and load it as an executable?
I always assumed that the file extension determined whether a file is executable or not.
I realize that once a primary exe module is loaded in memory, it can, using specific APIs, load other PE executable files, be they EXE, DLL, BPL, SYS or others.

Question 1: Is the three-letter extension of loaded "libraries" an arbitrary choice of the programmer or compiler, or is there a reserved list of extensions for PE libraries?

What about the module that contains the initial thread: Does it have to be named *.exe necessarily?
What about *.com files. Are they able to load libraries in 32bit environments?

What about other extensions? Does the windows loader recognize any other besides .exe?

fr33ke
April 16th, 2007, 18:20
Extensions are primarily used to see what action to take when double-clicking or similar. The default action for a .exe is "%1" %*, and in fact (on my XP at least), this is the same as bat, cmd, com and pif. These extensions are thus usually interchangeable. I used to get mail worms that came as pif attachments, for instance.

When loading, Windows uses some checks to see what it really is. When in doubt, it still uses the extension to make the decision.

If you want to see the extensions and their actions check out Tools -> Folder Options -> File Types in Explorer, or check out HKEY_CLASSES_ROOT with regedit.

Loaded libraries may be called whatever you want, but if you don't give an extension to LoadLibrary it will add .dll.

I am quite sure it is possible to run a PE file from a com file, because in the demoscene some people have used com files that execute win32 exe files to shave off a few bytes. Here's a packer that can do that: http://gem.intro.hu/dropper.htm

Loading 32 bit libraries from com files is not possible I believe, unless you want to cheat and use rundll32.

disavowed
April 17th, 2007, 00:43
Quote:
[Originally Posted by naides;64978]When and how does Windows decide to treat a PE file as a PE file and load it as an executable?

Depends on how it was attempted to be loaded --

Direct call to CreateProcess(...)
Direct call to LoadLibrary(...)
Direct call to ShellExecute(...)
Double-click in Explorer shell
Execute from command-prompt
etc.
Different checks are done and different assumptions are made depending on how it's loaded.

Quote:
[Originally Posted by naides;64978]Question 1: Is the three-letter extension of loaded "libraries" an arbitrary choice of the programmer or compiler, or is there a reserved list of extensions for PE libraries?

As the programmer, you can tell the linker to use whatever extension you like. See http://msdn2.microsoft.com/en-us/library/ms792107.aspx for details.
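Both replies above make the same point from different angles: the extension drives the shell's "open" action, while the loader looks at the PE headers themselves, and a PE image can legitimately carry almost any extension. The example below, added here and not code posted by anyone in this thread, shows the checks a defender's file-triage script would apply to reach the same conclusion as the loader: the MZ stub, the e_lfanew pointer, the PE\0\0 signature, the IMAGE_FILE_DLL characteristic and the subsystem field. It then compares the real image type against the file's extension, so a PE image delivered as .pif (the mail-worm case fr33ke mentions) is flagged. The sample headers are constructed inline and are not complete executables; the extension sets are my own assumptions for the check, not a list Windows enforces.

```python
import os
import struct

# Offsets and flags from the PE/COFF format (IMAGE_DOS_HEADER, IMAGE_FILE_HEADER,
# IMAGE_OPTIONAL_HEADER). Only the fields needed for classification are read.
E_LFANEW_OFFSET = 0x3C
COFF_HEADER_SIZE = 20
SUBSYSTEM_OFFSET = 68          # same offset in PE32 and PE32+ optional headers
IMAGE_FILE_DLL = 0x2000
IMAGE_SUBSYSTEM_NATIVE = 1     # kernel drivers (.sys) use this subsystem

# Assumed extension groups for the mismatch check (not enforced by Windows).
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".bpl", ".scr"}
LAUNCH_ALIASES = {".com", ".pif"}   # shell runs these with the same "%1" %* action


def inspect_pe(data: bytes):
    """Return a dict describing the PE image, or None if the bytes are not a PE file."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    sig_end = e_lfanew + 4
    if sig_end + COFF_HEADER_SIZE > len(data) or data[e_lfanew:sig_end] != b"PE\0\0":
        return None
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, sig_end)
    opt_off = sig_end + COFF_HEADER_SIZE
    subsystem = None
    if opt_size >= SUBSYSTEM_OFFSET + 2 and opt_off + SUBSYSTEM_OFFSET + 2 <= len(data):
        subsystem = struct.unpack_from("<H", data, opt_off + SUBSYSTEM_OFFSET)[0]
    if chars & IMAGE_FILE_DLL:
        kind = "dll"
    elif subsystem == IMAGE_SUBSYSTEM_NATIVE:
        kind = "driver"
    else:
        kind = "exe"
    return {"machine": machine, "characteristics": chars, "subsystem": subsystem, "kind": kind}


def assess(filename: str, data: bytes) -> dict:
    """Compare what the headers say with what the extension suggests."""
    info = inspect_pe(data)
    ext = os.path.splitext(filename)[1].lower()
    if info is None:
        return {"kind": None, "verdict": "not-pe"}
    if ext in PE_EXTENSIONS:
        verdict = "expected"
    elif ext in LAUNCH_ALIASES:
        verdict = "launchable-alias"     # PE content behind a .com/.pif name
    else:
        verdict = "mismatch"             # PE content behind a non-executable name
    return {"kind": info["kind"], "verdict": verdict}


def build_sample(characteristics: int, subsystem: int, machine: int = 0x14C) -> bytes:
    """Constructed header-only sample (not a runnable image) for testing the checks."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (E_LFANEW_OFFSET - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, characteristics)
    optional = (struct.pack("<H", 0x10B).ljust(SUBSYSTEM_OFFSET, b"\0")
                + struct.pack("<H", subsystem)).ljust(0xE0, b"\0")
    return dos + b"PE\0\0" + coff + optional


if __name__ == "__main__":
    samples = {
        "setup.exe": build_sample(0x0102, 2),      # EXECUTABLE_IMAGE | 32BIT, GUI subsystem
        "helper.dll": build_sample(0x2102, 2),     # ... | IMAGE_FILE_DLL
        "filter.sys": build_sample(0x0102, 1),     # native subsystem -> driver
        "invoice.pif": build_sample(0x0102, 2),    # PE image behind a .pif name
        "readme.txt": b"just text, not an image",
    }
    for name, blob in samples.items():
        print(name, assess(name, blob))
```

The classification mirrors the loader's order of trust: headers first, extension only as a hint. A triage pipeline would typically log the "launchable-alias" and "mismatch" verdicts rather than block on them, since, as fr33ke notes, demoscene droppers and other legitimate tools also ship PE content under a .com name.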