Pelles C forum

Assembly language => Assembly discussions => Topic started by: HellOfMice on December 22, 2024, 08:02:43 PM

Title: Looking at Ms-Dos Header
Post by: HellOfMice on December 22, 2024, 08:02:43 PM
Here is a small program to look inside the MS-DOS header.
This program is part of a bigger program.
I found it interesting, so if you are as curious as me...
The project has 2 7-Zip files because of sqlite3.dll and a background image that is very big.
The build result I got is in the file "Build.txt".

Title: Re: Looking at Ms-Dos Header
Post by: HellOfMice on December 22, 2024, 08:23:10 PM
After this header you will find the stub program and the Rich header.
The Rich header will teach you which Microsoft tools have been used.
This header is not part of the PE file structure but it can exist in some tools
like Errlook.exe

You can learn more about it at https://0xrick.github.io/win-internals/pe1/
Title: Re: Looking at Ms-Dos Header
Post by: John Z on December 23, 2024, 12:22:40 AM
Thanks HellOfMice!

I think this is quite useful.

John Z
Title: Re: Looking at Ms-Dos Header
Post by: HellOfMice on December 23, 2024, 06:18:25 AM
It's a sort of cookie that Microsoft installs. This is still valid today.


Look at this image and the one in the previous post. The image in this one comes from a program that you know well.
There is no Rich header.
Title: Re: Looking at Ms-Dos Header
Post by: TimoVJL on December 23, 2024, 03:35:03 PM
You can see it this way too  ;)
Title: Re: Looking at Ms-Dos Header
Post by: HellOfMice on December 23, 2024, 03:48:58 PM
Hi Timo,


Good,


I downloaded this program yesterday but when compiling it, it said that an include file was missing. :o
Could you resend the whole project?


When looking at a file in depth we can have surprises.
What interests me is to know what it means.
Here it is a kind of cookie.
Title: Re: Looking at Ms-Dos Header
Post by: HellOfMice on December 24, 2024, 08:58:42 AM
Here is a program, in C, that decrypts the GuidGen.exe Rich Header, and the result.
536E6144 00000000 : 21358.24900.0
00000000 00000000 : 0.0.0
00CEFFDD 00000001 : 206.65501.1
00C7A09E 00000001 : 199.41118.1
00DF5146 00000001 : 223.20806.1
00E05146 00000013 : 224.20806.19
00E15146 00000009 : 225.20806.9
00DD5146 00000004 : 221.20806.4
00CBFFDD 0000000B : 203.65501.11
00010000 00000100 : 1.0.256
00E1797D 00000003 : 225.31101.3
00DB520D 00000001 : 219.21005.1
00970000 00000001 : 151.0.1
00DE797D 00000001 : 222.31101.1
3BF3635A 00000000 : 15347.25434.0
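
An added example, not HellOfMice's program and not code from this thread: a minimal C decoder for the Rich header that yields the same high-word.low-word.count triples as the listing above. The function names, the field names `prod_id` and `build`, the XOR key and the 0x100-byte sample image are assumptions made for illustration; the two sample entries are taken from the listing in the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DANS 0x536E6144u   /* "DanS" read as a little-endian dword */
typedef struct { uint16_t prod_id, build; uint32_t count; } RichEntry;

static uint32_t rd32(const uint8_t *p) {           /* little-endian load */
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {         /* little-endian store */
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Returns the number of entries decoded, or -1 if no Rich/DanS pair is found. */
int rich_decode(const uint8_t *buf, size_t len, RichEntry *out, int max) {
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    size_t pe = rd32(buf + 0x3C), rich = 0, dans = 0;   /* pe = e_lfanew */
    if (pe > len) return -1;
    for (size_t off = 0x40; off + 8 <= pe && !rich; off += 4)
        if (memcmp(buf + off, "Rich", 4) == 0) rich = off;
    if (!rich) return -1;
    uint32_t key = rd32(buf + rich + 4);           /* XOR key follows "Rich" */
    for (size_t off = rich; off >= 0x44 && !dans; off -= 4)
        if ((rd32(buf + off - 4) ^ key) == DANS) dans = off - 4;
    if (!dans) return -1;
    int n = 0;                                     /* skip DanS + 3 padding dwords */
    for (size_t off = dans + 16; off + 8 <= rich && n < max; off += 8, n++) {
        uint32_t id = rd32(buf + off) ^ key;
        out[n].prod_id = (uint16_t)(id >> 16);
        out[n].build = (uint16_t)(id & 0xFFFF);
        out[n].count = rd32(buf + off + 4) ^ key;
    }
    return n;
}

/* Constructed sample (not a real file): two entries from the output quoted
   in the post, XORed with a made-up key and placed at offset 0x80. */
size_t make_sample(uint8_t *buf) {
    const uint32_t key = 0xA5C31F07u, plain[8] = {
        DANS, 0, 0, 0, 0x00CEFFDDu, 1, 0x00E05146u, 0x13 };
    memset(buf, 0, 0x100);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, 0xB0);                        /* e_lfanew */
    for (int i = 0; i < 8; i++) wr32(buf + 0x80 + 4 * i, plain[i] ^ key);
    memcpy(buf + 0xA0, "Rich", 4);
    wr32(buf + 0xA4, key);
    return 0x100;
}
```

A file with no "Rich" marker before the PE header, like the second image discussed earlier in the thread, makes `rich_decode` return -1.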


Title: Re: Looking at Ms-Dos Header
Post by: HellOfMice on December 24, 2024, 04:57:30 PM
I discovered that when POASM is in Debug mode it replaces the original MS-DOS header with its own one.
In my program I added a stub, written by TimoVJL. In this file there is only the MS-DOS header, no stub program.
I needed to debug the program and took my program as a file to analyze.
What a surprise, I did not recognize the header!
Title: Re: Looking at Ms-Dos Header
Post by: Vortex on December 24, 2024, 06:07:45 PM
Hi Philippe,

It's easy to build a DOS stub, you need to pass the KNOWEAS option to the 16-bit linker:

\masm32\bin\ml /c /coff Sample.asm
\masm32\bin\ml /c Mystub.asm
\masm32\bin\link16 /KNOWEAS Mystub.obj
\masm32\bin\link /SUBSYSTEM:WINDOWS /STUB:Mystub.exe Sample.obj