null_endian Posted December 7, 2018 Posted December 7, 2018 In the PE file format, there is the DOS_HEADER and then right after that, there is a section called doscode which is by default 64 zero bytes. However, sometimes it is filled with an arbitrary number of bytes. Some PE files have a lot of bytes here, others don't. How can I calculate the number of bytes that doscode will be? There doesn't seem to be any field in the DOS header which specifies this. Thanks.
h4sh3m Posted December 7, 2018 Posted December 7, 2018 (edited) Hi For 16-Bit files this source can help you(delphi/freePascal) : https://0x2a.wtf/files/pesp.zip For PE32/PE64 field "e_lfanew" point to Nt header offset so you can do something like this: gap = e_lfanew- Sizeof(Dos_header) BR, h4sh3m Edited December 7, 2018 by h4sh3m
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now