Tuts 4 You
PE File Format question

null_endian

In the PE file format, there is the DOS_HEADER and then right after that, there is a section called doscode which is by default 64 zero bytes. However, sometimes it is filled with an arbitrary number of bytes. Some PE files have a lot of bytes here, others don't. How can I calculate the number of bytes that doscode will be? There doesn't seem to be any field in the DOS header which specifies this. Thanks.

h4sh3m

Hi

For 16-bit files this source can help you (Delphi/Free Pascal):

https://0x2a.wtf/files/pesp.zip

For PE32/PE64, the field "e_lfanew" points to the NT header offset, so you can do something like this:

gap = e_lfanew - SizeOf(Dos_header)

 

BR,

h4sh3m
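
The formula from the answer above as a runnable check, added here as an example that is not part of the original thread. It reads e_lfanew at offset 0x3C, validates it against the file before using it, and returns the size of the region between the 64-byte DOS header and the NT headers; the function names and the sample bytes are constructed for illustration.

```python
import struct

DOS_HEADER_SIZE = 64      # sizeof(IMAGE_DOS_HEADER)
E_LFANEW_OFFSET = 0x3C    # position of the e_lfanew field inside the DOS header


def dos_stub_span(data: bytes):
    """Return (offset, length) of the bytes between the DOS header and the NT headers."""
    if len(data) < DOS_HEADER_SIZE or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    # Bounds-check before trusting the field: it comes from the file itself.
    if e_lfanew + 4 > len(data):
        raise ValueError("e_lfanew points past the end of the file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew (plain DOS executable?)")
    if e_lfanew < DOS_HEADER_SIZE:
        # NT headers overlap the DOS header, so there is no gap to measure.
        return DOS_HEADER_SIZE, 0
    return DOS_HEADER_SIZE, e_lfanew - DOS_HEADER_SIZE


def build_sample(stub: bytes) -> bytes:
    """Constructed sample: MZ header + stub + PE signature (not a loadable image)."""
    header = bytearray(DOS_HEADER_SIZE)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, E_LFANEW_OFFSET, DOS_HEADER_SIZE + len(stub))
    return bytes(header) + stub + b"PE\x00\x00"


if __name__ == "__main__":
    # Two constructed stubs: the 64 zero bytes from the question, and a longer one.
    for stub in (bytes(64), b"\x0e\x1f\xba\x0e\x00" + bytes(180)):
        offset, length = dos_stub_span(build_sample(stub))
        print(f"stub at 0x{offset:x}, {length} bytes")
```
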
