dELTA
March 1st, 2003, 09:47
I'm experimenting with building my own exe-files and dll-files, and the only bytes in an exe-file that I cannot find any info about is the data that the MASM linker always seems to put between the DOS stub code and the PE-header. I know that this data is not part of the exe-format itself (in files produced by other linkers, e.g. Delphi, this area is zeroed) but it would still be really interesting to know what kind of data MASM stores here?
I have noticed that the data is practically identical between different exe-files produced with MASM (only one byte in it has been observed to change) and it also always seems to include the string "Rich".
MASM outputs different data (and even different size of this data) when producing a dll file and when producing an exe file though.
This is a normal MASM DOS-stub code:
Directly after it comes this data I'm talking about, before the PE-header.
In my MASM exe-files it is the following:
In my MASM dll-files it is the following:
It would be really interesting to know what kind of info that MASM "hides" in this data. Does anyone have any idea whatsoever?
Thanks!
I have noticed that the data is practically identical between different exe-files produced with MASM (only one byte in it has been observed to change) and it also always seems to include the string "Rich".
MASM outputs different data (and even different size of this data) when producing a dll file and when producing an exe file though.
This is a normal MASM DOS-stub code:
Code:
push cs
pop ds
mov dx, 0Eh
mov ah, 9
int 21h ; DOS - PRINT STRING
; DS : DX -> string terminated by "$"
mov ax, 4C01h
int 21h ; DOS - 2+ - QUIT WITH EXIT CODE (EXIT)
000E_string:
"This program cannot be run in DOS mode.", 2Eh, 0Dh, 0Dh, 0Ah, "$"
Directly after it comes this data I'm talking about, before the PE-header.
In my MASM exe-files it is the following:
Code:
00000070 <end of stub string here> 00 00 00 00 00 00 00 .......
00000080 5D 17 1D DB 19 76 73 88 19 76 73 88 19 76 73 88 ]..Û.vs.vs.vs
00000090 19 76 73 88 0D 76 73 88 E5 56 61 88 18 76 73 88 .vs.vsċVa.vs
000000A0 52 69 63 68 19 76 73 88 00 00 00 00 00 00 00 00 Rich.vs........
000000B0 <PE-header begins here>
In my MASM dll-files it is the following:
Code:
00000070 <end of stub string here> 00 00 00 00 00 00 00 .......
00000080 71 D4 F7 DB 35 B5 99 88 35 B5 99 88 35 B5 99 88 qÔ÷Û5µ5µ5µ
00000090 C9 95 8B 88 34 B5 99 88 BB AA 8A 88 34 B5 99 88 É4µğŞ4µ
000000A0 52 69 63 68 35 B5 99 88 00 00 00 00 00 00 00 00 Rich5µ........
000000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000C0 <PE-header begins here>
It would be really interesting to know what kind of info that MASM "hides" in this data. Does anyone have any idea whatsoever?
Thanks!
I think this one gets the prize, although it does solve a question that has kept dELTA from sleeping since 2003. 
