null_endian Posted December 7, 2018 Share Posted December 7, 2018 In the PE file format, there is the DOS_HEADER and then right after that, there is a section called doscode which is by default 64 zero bytes. However, sometimes it is filled with an arbitrary number of bytes. Some PE files have a lot of bytes here, others don't. How can I calculate the number of bytes that doscode will be? There doesn't seem to be any field in the DOS header which specifies this. Thanks. Link to comment
h4sh3m Posted December 7, 2018 Share Posted December 7, 2018 (edited) Hi For 16-Bit files this source can help you(delphi/freePascal) : https://0x2a.wtf/files/pesp.zip For PE32/PE64 field "e_lfanew" point to Nt header offset so you can do something like this: gap = e_lfanew- Sizeof(Dos_header) BR, h4sh3m Edited December 7, 2018 by h4sh3m Link to comment
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now