nltdr dos header

pyjong
Posts: 8
Joined: Sun Oct 07, 2012 6:23 am

nltdr dos header

Post by pyjong »

Hi,

I was trying to get the section table of osloader.exe, which is supposed to be the second part of the ntldr file, so using HxD I cut out the part starting with "MZ" and put it into a separate file. However, the file didn't seem to be readable by any program capable of printing the section table. The reason is very likely the weird DOS header that follows the "MZ" signature. Besides that the file looks OK and I have no problem with writing my own tool to get the table, but I'm really curious what that DOS header is supposed to mean. Right after MZ there is "75 0B 03 40 3C 81 38" and that's it. Right after that follows the "PE\0\0" signature and the NT_IMAGE_HEADER. Do you have any idea what that is supposed to be? The NTLDR file is from Windows NT 4.
Antti
Member
Posts: 923
Joined: Thu Jul 05, 2012 5:12 am
Location: Finland

Re: nltdr dos header

Post by Antti »

pyjong wrote:
Right after MZ there is "75 0B 03 40 3C 81 38" and that's it. Right after that follows the "PE\0\0" signature and the NT_IMAGE_HEADER.
It probably does not have a valid MZ header. The interesting fields are the 'MZ' signature and the "PE offset."

If I checked your post correctly, "PE\0\0" is not 8-byte aligned. It should be.
pyjong
Posts: 8
Joined: Sun Oct 07, 2012 6:23 am

Re: nltdr dos header

Post by pyjong »

Yeah, that's what I thought too; it doesn't even need to have a proper DOS header because it is not supposed to be loaded by the loader, right? But if it is not needed, then why bother filling in nonsense values? Anyway, according to the article "Peering Inside the PE" - http://msdn.microsoft.com/en-us/library/ms809762.aspx - it is stated that the PE signature is a DWORD (ctrl-f "DWORD and two substructures"). I also looked at random exe files on my disk and the signature is always 4 bytes long. Are you absolutely sure it is supposed to be 8 bytes? Or do I misunderstand 8 byte alignment as "PE" and 6 zeros?
Antti
Member
Posts: 923
Joined: Thu Jul 05, 2012 5:12 am
Location: Finland

Re: nltdr dos header

Post by Antti »

pyjong wrote:
then why bother filling nonsense values

Perhaps those values have some meaning, but that is not important. It is a little hack to have this "light stub" header. The MZ header contains the offset of the PE header (offset 0x3C). Now that value is inside the actual PE header. It must be carefully set up so that the PE offset value has a valid meaning also in the PE header.

pyjong wrote:
are you absolutely sure it is supposed to be 8 bytes

The signature is 4 bytes long. The 8 byte alignment means that the PE offset can be 0x00, 0x08, 0x10, 0x18, etc.
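The "light stub" trick Antti describes, as an added example that is not from this thread and uses constructed bytes rather than the real ntldr/osloader image: the file has only an "MZ" signature, "PE\0\0" at an 8-aligned offset (0x10 here), and the DWORD at 0x3C is both e_lfanew and an optional-header field (BaseOfCode for this offset). A parser that trusts only e_lfanew plus the signature, rather than requiring a full 0x40-byte DOS header, still recovers the section table; the overlapping case is reported so an analyst knows why other tools reject the file.

```python
import struct

def build_light_stub_pe(pe_off=0x10):
    """Constructed 32-bit PE with a signature-only MZ stub (sample data, not real ntldr)."""
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x00400000)    # ImageBase
    # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b".data", 0x100, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    img = bytearray(b"MZ" + b"\0" * (pe_off - 2)) + b"PE\0\0" + file_hdr + bytes(opt) + secs
    # The DWORD at 0x3C must read as e_lfanew and also be a sane value for the
    # optional-header field it aliases (0x3C - pe_off - 0x18 = 0x14 = BaseOfCode for pe_off 0x10).
    struct.pack_into("<I", img, 0x3C, pe_off)
    return bytes(img)

def parse_section_table(data):
    """Return machine, PE offset, whether the NT headers overlap the DOS header, and sections."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew % 8 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at an 8-aligned PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    # A full IMAGE_DOS_HEADER is 0x40 bytes; a smaller e_lfanew means the NT headers
    # start inside it and the e_lfanew DWORD doubles as an optional-header field.
    overlapping = e_lfanew < 0x40
    alias_off = 0x3C - e_lfanew - 24 if overlapping else None  # offset within optional header
    sec_off = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, *_, chars = struct.unpack_from("<8sIIIIIIHHI", data, sec_off + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rawptr, rawsize, chars))
    return {"machine": machine, "pe_offset": e_lfanew, "overlapping_stub": overlapping,
            "lfanew_aliases_opt_offset": alias_off, "sections": sections}

def is_parseable(data):
    """True when the stub is minimal but consistent, False when e_lfanew/signature disagree."""
    try:
        parse_section_table(data)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    for s in parse_section_table(build_light_stub_pe())["sections"]:
        print("%-8s VA=%#x VSize=%#x Raw=%#x RawSize=%#x Chars=%#x" % s)
```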
pyjong
Posts: 8
Joined: Sun Oct 07, 2012 6:23 am

Re: nltdr dos header

Post by pyjong »

Antti wrote:
The signature is 4 bytes long. The 8 byte alignment means that the PE offset can be 0x00, 0x08, 0x10, 0x18, etc.

Ahh right, of course, my bad.

Well, I can live with the fact that the header is not valid, I just wanted to be sure I'm not missing something. So thank you for discussing it with me, I will sleep a lot better now :)