OSDev.org

Hi,

I was trying to get the section table of osloader.exe, which is supposed to be the second part of ntldr file, so using HxD I cut out the part starting with "MZ" and put it into separate file. However the file didn't seem to be readable by any program capable of printing the section table. The reason very likely is weird DOS header that follows the "MZ" signature. Besides that the file looks ok and I have no problem with writing my own tool to get the table, but I'm really curious what is that DOS header supposed to mean. Right after MZ there is "75 0B 03 40 3C 81 38" and thats it. Right after that follows "PE\0\0" signature and the NT_IMAGE_HEADER. Do you have any idea what is that supposed to be? The NTLDR file is from Windows NT 4.

pyjong wrote:Right after MZ there is "75 0B 03 40 3C 81 38" and thats it. Right after that follows "PE\0\0" signature and the NT_IMAGE_HEADER.

It probably does not have a valid MZ header. The interesting fields are the 'MZ' signature and the "PE offset."

If I checked your post correctly, "PE\0\0" is not 8-byte aligned. It should be.

Yeah thats what I thought too, it doesnt even need to have proper DOS header because it is not supposed to be loaded by loader right, but if it is not needed then why bother filling nonsense values. Anyway, according to article "Peering inside the PE" - http://msdn.microsoft.com/en-us/library/ms809762.aspx there is stated PE signature is DWORD (ctrl - f "DWORD and two substructures "), I also looked at random exe files on my disk and the signature is always 4 bytes long, are you absolutely sure it is supposed to be 8 bytes? Or do I misunderstand 8 byte alignment as "PE" and 6 zeros ?

pyjong wrote:then why bother filling nonsense values

Perhaps those values have some meaning but that is not important. It is a little hack to have this "light stub" header. The MZ header contains the offset of the PE header (offset 0x3C). Now that value is inside the actual PE header. It must be carefully set up so that the PE offset value has a valid meaning also in the PE header.

pyjong wrote:are you absolutely sure it is supposed to be 8 bytes

The signature is 4 byte long. The 8 byte alignment means that the PE offset can be 0x00, 0x08, 0x10, 0x18, etc.

The signature is 4 byte long. The 8 byte alignment means that the PE offset can be 0x00, 0x08, 0x10, 0x18, etc.

Ahh right, of course, my bad.


Well, I can live with the fact that the header is not valid, I just wanted to be sure I'm not missing something. So thank you for discussing it with me, I will sleep a lot better now