Thread: Loading a PE file into memory?

  1. #1
    Registered User
    Join Date
    Nov 2008
    Posts
    3

    Loading a PE file into memory?

    Ok so I understand that the role of the "DOS Stub" in a PE file is to: firstly check if the file is being run in DOS mode, if it is then it displays the error "This file cannot be run in DOS mode".
    If not, then it maps each of the file's sections then loads it into memory, and then executes it.

    Does anyone know of an open-source DOS Stub / loader that is equivalent to the Windows one, or know how I would go about writing one?

  2. #2
    Salem
    and the hat of int overfl
    Join Date
    Aug 2001
    Location
    The edge of the known universe
    Posts
    39,660
    WINE probably has something.
    If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
    If at first you don't succeed, try writing your phone number on the exam paper.

  3. #3
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    Quote Originally Posted by jsithy View Post
    Ok so I understand that the role of the "DOS Stub" in a PE file is to: firstly check if the file is being run in DOS mode, if it is then it displays the error "This file cannot be run in DOS mode".
    If not, then it maps each of the file's sections then loads it into memory, and then executes it.

    Does anyone know of an open-source DOS Stub / loader that is equivalent to the Windows one, or know how I would go about writing one?
    I'm fairly sure that the DOS stub is there for backwards compatibility only - the OS itself loads the file into memory. The stub only solves the problem where the file is being run in pure DOS and of course cannot be run in that mode (because DOS doesn't know that there may be other OSes with different executable formats - it's a typical "backwards compatibility feature").

    There are implementations that provide a DOS extender or some such in the stub, such as DJGPP's EMX that works with OS/2 [at least did some 15 years ago]. Some info on that here: http://www.delorie.com/djgpp/faq/wha...comparison.txt


    --
    Mats
    Compilers can produce warnings - make the compiler programmers happy: Use them!
    Please don't PM me for help - and no, I don't do help over instant messengers.
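
Added example (not part of the original thread) for the point in post #3 that the stub takes no part in loading: a bounds-checked header parser that finds the PE headers through the `e_lfanew` field at offset 0x3C and treats the stub as opaque bytes. The `pe_info` type, the function names and the sample image are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {            /* hypothetical result type for this example */
    uint32_t pe_offset;     /* e_lfanew: file offset of the "PE\0\0" signature */
    uint32_t stub_size;     /* bytes between the 64-byte DOS header and pe_offset */
    uint16_t machine, num_sections;
} pe_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
/* Locate the PE headers via e_lfanew; the stub code itself is never interpreted.
   Returns 0 on success, a negative code on malformed input; never reads past len. */
int pe_locate(const uint8_t *buf, size_t len, pe_info *out)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;  /* no DOS header */
    uint32_t off = rd32(buf + 0x3C);                               /* e_lfanew */
    if (off > len || len - off < 24) return -2;                    /* headers out of bounds */
    if (memcmp(buf + off, "PE\0\0", 4) != 0) return -3;            /* not a PE image */
    out->pe_offset = off;
    out->stub_size = off > 0x40 ? off - 0x40 : 0;
    out->machine = rd16(buf + off + 4);
    out->num_sections = rd16(buf + off + 6);
    size_t table = (size_t)off + 24 + rd16(buf + off + 20);        /* skip optional header */
    if (table > len || (len - table) / 40 < out->num_sections) return -4;
    return 0;
}

/* Constructed sample: DOS header, 64 bytes of stub, PE header, one empty section header. */
size_t build_sample(uint8_t *buf, size_t cap)
{
    const size_t off = 0x80, total = off + 24 + 40;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z'; buf[0x3C] = (uint8_t)off;   /* e_lfanew = 0x80 */
    memcpy(buf + off, "PE\0\0", 4);
    buf[off + 4] = 0x4C; buf[off + 5] = 0x01;               /* machine 0x014C (i386) */
    buf[off + 6] = 1;                                       /* NumberOfSections */
    return total;
}

int main(void)
{
    uint8_t img[256]; pe_info pi;
    if (pe_locate(img, build_sample(img, sizeof img), &pi) == 0)
        printf("PE header at 0x%x, stub %u bytes\n", (unsigned)pi.pe_offset, (unsigned)pi.stub_size);
    return 0;
}
```
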

  4. #4
    Registered User
    Join Date
    Oct 2008
    Posts
    1,262
    Analyzing a worm a few days ago, I happened to come across just this subject. And I happened to find this file extremely enlightening:
    http://www.wotsit.org/download.asp?f=pe1&sc=283672831

    True, it could have been written a bit more structured (so it's easier to find out which info is at which address), but that file contains everything you'll need to know.

  5. #5
    Registered User
    Join Date
    Nov 2008
    Posts
    3
    Quote Originally Posted by matsp View Post
    I'm fairly sure that the DOS stub is there for backwards compatibility only - the OS itself loads the file into memory. The stub only solves the problem where the file is being run in pure DOS and of course cannot be run in that mode (because DOS doesn't know that there may be other OSes with different executable formats - it's a typical "backwards compatibility feature").

    There are implementations that provide a DOS extender or some such in the stub, such as DJGPP's EMX that works with OS/2 [at least did some 15 years ago]. Some info on that here: http://www.delorie.com/djgpp/faq/wha...comparison.txt


    --
    Mats
    I'll check it out.


    Quote Originally Posted by EVOEx View Post
    Analyzing a worm a few days ago, I happened to come across just this subject. And I happened to find this file extremely enlightening:
    http://www.wotsit.org/download.asp?f=pe1&sc=283672831

    True, it could have been written a bit more structured (so it's easier to find out which info is at which address), but that file contains everything you'll need to know.
    Download link doesn't work.


    But, my ultimate goal is to parse a valid PE file from disk, and execute it in the same memory space as the calling process.

  6. #6
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    Quote Originally Posted by jsithy View Post
    But, my ultimate goal is to parse a valid PE file from disk, and execute it in the same memory space as the calling process.
    That sounds pretty dodgy to me. What is the purpose of that?

    And how will you avoid overwriting the code that loads the executable file when loading the new file - since most of the time [and particularly if the intention is to load into the same space as the current process] the address of the executable is fixed, and the file being loaded will by necessity have similar address to the one being overwritten [or you can't load it into the same space].

    --
    Mats
