Outils pour utilisateurs

Outils du site


back2root:ibm-pc-ms-dos:hardware:informations:executable-header-format

Executable Header Format

Format of .EXE file header:

Offset Size Description
00h 2 BYTEs .EXE signature, either “MZ” or “ZM” (5A4Dh or 4D5Ah)
02h WORD number of bytes in last 512-byte page of executable
04h WORD total number of 512-byte pages in executable (includes any partial last page)
06h WORD number of relocation entries
08h WORD header size in paragraphs
0Ah WORD minimum paragraphs of memory to allocation in addition to executable's size
0Ch WORD maximum paragraphs to allocate in addition to executable's size
0Eh WORD initial SS relative to start of executable
10h WORD initial SP
12h WORD checksum (one's complement of sum of all words in executable)
14h DWORD initial CS:IP relative to start of executable
18h WORD offset within header of relocation table (40h for New EXE)
1Ah WORD overlay number (normally 0000h = main program)
—new executable—
1Ch 4 BYTEs ???
20h WORD behavior bits
22h 26 BYTEs reserved for additional behavior info
3Ch DWORD offset of new executable header within disk file
—Borland TLINK—
1Ch 2 BYTEs ??? (apparently always 01h 00h)
1Eh BYTE signature FBh
1Fh BYTE TLINK version (major in high nybble, minor in low nybble)
20h 2 BYTEs ??? (v2.0 apparently always 72h 6Ah, v3.0+ seems always 6Ah 72h)
—ARJ self-extracting archive—
1Ch 4 BYTEs signature “RJSX”
—LZEXE 0.91 compressed executable—
1Ch 4 BYTEs signature “LZ91”
—PKLITE compressed executable—
1Ch 2 BYTEs ???
1Eh 6 BYTEs signature “PKLITE” (followed by copyright message)
—LHarc 1.x self-extracting archive—
1Ch 4 BYTEs unused???
20h 3 BYTEs jump to start of extraction code
23h 2 BYTEs ???
25h 12 BYTEs signature “LHarc's SFX ”
—LHA 2.x self-extracting archive—
1Ch 8 BYTEs ???
24h 10 BYTEs signature “LHA's SFX ”
—other linkers—
1Ch var optional information
:
N N DWORDs relocation items

Format of new executable header:

Offset Size Description
00h 2 BYTEs “NE” (4Eh 45h) signature
02h 2 BYTEs linker version (major, then minor)
04h WORD offset from start of this header to entry table (see below)
06h WORD length of entry table in bytes
08h DWORD file load CRC (0 in Borland's TPW)
0Ch BYTE program flags
bits 0-1 DGROUP type
* 0 = none
* 1 = single shared
* 2 = multiple (unshared)
* 3 = (null)
* bit 2: global initialization
* bit 3: protected mode only
* bit 4: 8086 instructions
* bit 5: 80286 instructions
* bit 6: 80386 instructions
* bit 7: 80×87 instructions
0Dh BYTE application flags
* bits 0-2: application type
* 001 full screen (not aware of Windows/P.M. API)
* 010 compatible with Windows/P.M. API
* 011 uses Windows/P.M. API
* bit 3: is a Family Application (OS/2)
* bit 5: 0=executable, 1=errors in image
* bit 6: non-conforming program (valid stack is not maintained)
* bit 7: DLL or driver rather than application
* (SS:SP info invalid, CS:IP points at FAR init routine
* called with AX=module handle which returns AX=0000h
* on failure, AX nonzero on successful initialization)
0Eh WORD auto data segment index
10h WORD initial local heap size
12h WORD initial stack size (added to data seg, 0000h if SS != DS)
14h DWORD program entry point (CS:IP), “CS” is index into segment table
18h DWORD initial stack pointer (SS:SP), “SS” is segment index
if SS=automatic data segment and SP=0000h, the stack pointer is set to the top of the automatic data segment, just below the local heap
1Ch WORD segment count
1Eh WORD module reference count
20h WORD length of nonresident names table in bytes
22h WORD offset from start of this header to segment table (see below)
24h WORD offset from start of this header to resource table
26h WORD offset from start of this header to resident names table
28h WORD offset from start of this header to module reference table
2Ah WORD offset from start of this header to imported names table
(array of counted strings, terminated with a string of length 00h)
2Ch DWORD offset from start of file to nonresident names table
30h WORD count of moveable entry point listed in entry table
32h WORD file alignment size shift count
0 is equivalent to 9 (default 512-byte pages)
34h WORD number of resource table entries
36h BYTE target operating system
* 00h unknown
* 01h OS/2
* 02h Windows
* 03h European MS-DOS 4.x
* 04h Windows 386
* 05h BOSS (Borland Operating System Services)
37h BYTE other EXE flags
* bit 0: supports long filenames
* bit 1: 2.X protected mode
* bit 2: 2.X proportional font
* bit 3: gangload area
38h WORD offset to return thunks or start of gangload area
3Ah WORD offset to segment reference thunks or length of gangload area
3Ch WORD minimum code swap area size
3Eh 2 BYTEs expected Windows version (minor version first)

Format of Codeview trailer (at end of executable):

Offset Size Description
00h WORD signature 4E42h ('NB')
02h WORD Microsoft debug info version number
04h DWORD Codeview header offset

Format of new executable segment table record:

Offset Size Description
00h WORD offset in file (shift left by alignment shift to get byte offs)
02h WORD length of image in file (0000h = 64K)
04h WORD attributes
* bit 0: data segment rather than code segment
* bit 1: unused???
* bit 2: real mode
* bit 3: iterated
* bit 4: movable
* bit 5: sharable
* bit 6: preloaded rather than demand-loaded
* bit 7: execute-only (code) or read-only (data)
* bit 8: relocations (directly following code for this segment)
* bit 9: debug info present
* bits 10,11: 80286 DPL bits
* bit 12: discardable
* bits 13-15: discard priority
06h WORD number of bytes to allocate for segment (0000h = 64K)

the first segment table entry is entry number 1

Format of new executable entry table item (list):

Offset Size Description
00h BYTE number of entry points (00h if end of entry table list)
01h BYTE segment number (00h if end of entry table list)
02h 3N BYTEs entry records
Offset Size Description
00h BYTE flags
bit 0: exported
bit 1: single data
bits 2-7: unused???
01h WORD offset within segment

Format of new executable relocation data (immediately follows segment image):

Offset Size Description
00h WORD number of relocation items
02h 8N BYTEs relocation items
Offset Size Description
00h BYTE relocation type
00h LOBYTE
02h BASE
03h PTR
05h OFFS
0Bh PTR48
0Dh OFFS32
01h BYTE flags
bit 2: additive
02h WORD offset within segment
04h WORD target address segment
06h WORD target address offset
Offset Size Description
00h WORD alignment shift count for resource data
02h N RECORDs resources

Format of resource record:

Offset Size Description
00h WORD type ID
0000h if end of resource records
>= 8000h if integer type
else offset from start of resource table to type string
02h WORD number of resources of this type
04h DWORD reserved for runtime use
08h N Resources (see below)

resource type and name strings are stored immediately following the resource table, and are not null-terminated

Format of new executable resource entry:
Offset Size Description
00h WORD offset in alignment units from start of file to contents of the resource data
02h WORD length of resource image in bytes
04h WORD flags
bit 4: moveable
bit 5: shareable
bit 6: preloaded
06h WORD resource ID
>= 8000h if integer resource
else offset from start of resource table to resource string
08h DWORD reserved for runtime use

resource type and name strings are stored immediately following the resource table, and are not null-terminated

strings are counted strings, with a string of length 0 indicating the end of the resource table

Format of new executable module reference table [one bundle of entries]:

Offset Size Description
00h BYTE number of records in this bundle (00h if end of table)
01h BYTE segment indicator
00h unused
FFh movable segment, segment number is in entry else segment number of fixed segment
02h N RECORDs
Format of segment record
Offset Size Description
00h BYTE flags
bit 0: entry is exported
bit 1: entry uses global (shared) data
bits 7-3: number of parameter words
—fixed segment—
01h WORD offset
—moveable segment—
01h 2 BYTEs INT 3F instruction (CDh 3Fh)
03h BYTE segment number
05h WORD offset

table entries are numbered starting from 1

Format of new executable resident/nonresident name table entry:

Offset Size Description
00h BYTE length of string (00h if end of table)
01h N BYTEs ASCII text of string
N+1 WORD ordinal number (index into entry table)

the first string in the resident name table is the module name; the first entry in the nonresident name table is the module description

the strings are case-sensitive; if the executable was linked with /IGNORECASE, all strings are in uppercase

Format of Linear Executable (enhanced mode executable) header:

Offset Size Description
00h 2 BYTEs “LE” (4Ch 45h) signature
02h BYTE byte order (00h = little-endian, nonzero = big-endian)
03h BYTE word order (00h = little-endian, nonzero = big-endian)
04h DWORD executable format level
08h WORD CPU type (see also INT 15/AH=C9h)
01h Intel 80286 or upwardly compatible
02h Intel 80386 or upwardly compatible
03h Intel 80486 or upwardly compatible
04h Intel 80586 or upwardly compatible
20h Intel i860 (N10) or compatible
21h Intel “N11” or compatible
40h MIPS Mark I (R2000, R3000) or compatible
41h MIPS Mark II (R6000) or compatible
42h MIPS Mark III (R4000) or compatible
0Ah WORD target operating system
01h OS/2
02h Windows
03h DOS4.x
04h Windows 386
0Ch DWORD module version
10h DWORD module type
bit 2: initialization (only for DLLs)
* 0 = global
* 1 = per-process
bit 4: no internal fixups in executable image
bit 5: no external fixups in executable image
bits 8,9,10:
* 0 = unknown
* 1 = incompatible with PM windowing
* 2 = compatible with PM windowing
* 3 = uses PM windowing API
bit 13: module not loadable (only for programs)
bit 15: module is DLL rather than program
note bit 1,2,3 : only for programs
14h DWORD number of memory pages
18h Initial CS:EIP
DWORD object number
DWORD offset
20h Initial SS:ESP
DWORD object number
DWORD offset
28h DWORD memory page size
2Ch DWORD bytes on last page
30h DWORD fixup section size
34h DWORD fixup section checksum
38h DWORD loader section size
3Ch DWORD loader section checksum
40h DWORD offset of object table (see below)
44h DWORD object table entries
48h DWORD object page map table offset
4CH DWORD object iterate data map offset
50h DWORD resource table offset
54h DWORD resource table entries
58h DWORD resident names table offset
5Ch DWORD entry table offset
60h DWORD module directives table offset
64h DWORD Module Directives entries
68h DWORD Fixup page table offset
6Ch DWORD Fixup record table offset
70h DWORD imported modules name table offset
74h DWORD imported modules count
78h DWORD imported procedures name table offset
7Ch DWORD per-page checksum table offset
80h DWORD data pages offset
84h DWORD preload page count
88h DWORD non-resident names table offset
8Ch DWORD non-resident names table length
90h DWORD non-resident names checksum
94h DWORD automatic data object
98h DWORD debug information offset
9Ch DWORD debug information length
A0h DWORD preload instance pages number
A4h DWORD demand instance pages number
A8h DWORD extra heap allocation
ACh ??? (at most 24 additional bytes here)

used by EMM386.EXE, QEMM, and Windows 3.0 Enhanced Mode drivers

Format of object table entry:

Offset Size Description
00h DWORD virtual size in bytes
04h DWORD relocation base address
08h DWORD object flags
bit 0: readable
bit 1: writable
bit 2: executable
bit 3: resource
bit 4: discardable
bit 5: shared
bit 6: preloaded
bit 7: invalid
bit 8-9: type
* 00 normal
* 01 zero-filled
* 10 resident
* 11 resident/contiguous
bit 10: “RESIDENT/LONG_LOCKABLE”
bit 11: reserved???
bit 12: “16:16_ALIAS”
bit 13: “BIG” (32-bit???)
bit 14: conforming
bit 15: “OBJECT_I/O_PRIVILEGE_LEVEL”
bits 16-31: reserved
0Ch DWORD page map index
10h DWORD page map entries
10h 4 BYTEs ??? (apparently always zeros)

Format of object page map table entry:

Offset Size Description
00h 4 BYTEs ???

Format of resident names table entry:

Offset Size Description
00h BYTE length of name
01h N BYTEs name
N+1 3 BYTEs ???

Format of linear executable entry table:

Offset Size Description
00h BYTE number of entries in table
01h 10 BYTEs per entry
Offset Size Description
00h BYTE bit flags
bit 1: 32-bit entry
01h WORD object number
03h BYTE bit flags
bit 0: exported
bit 1: ???
04h DWORD offset of entry point
08h 2 BYTEs ???

Format of Borland debugging information header (following load image):

Offset Size Description
00h WORD signature 52FBh
02h WORD version ID
04h DWORD size of name pool in bytes
08h WORD number of names in namem pool
0Ah WORD number of type entries
0Ch WORD number of structure members
0Eh WORD number of symbols
10h WORD number of global symbols
12h WORD number of modules
14h WORD number of locals (optional)
16h WORD number of scopes in table
18h WORD number of line-number entries
1Ah WORD number of include files
1Ch WORD number of segment records
1Eh WORD number of segment/file correlations
20h DWORD size of load image after removing uninitialized data and debug info
24h DWORD debugger hook; pointer into debugged program whose meaning depends on program flags
28h BYTE program flags
bit 0: case-sensitive link
bit 1: pascal overlay program
29h WORD no longer used
2Bh WORD size of data pool in bytes
2Dh BYTE padding
2Eh WORD size of following header extension (currently 00h, 10h, or 20h)
30h WORD number of classes
32h WORD number of parents
34h WORD number of global classes (currently unused)
36h WORD number of overloads (currently unused)
38h WORD number of scope classes
3Ah WORD number of module classes
3Ch WORD number of coverage offsets
3Eh DWORD offset relative to symbol base of name pool
42h WORD number of browser information records
44h WORD number of optimized symbol records
46h WORD debugging flags
48h 8 BYTEs padding

additional information on the Borland debugging info may be found in Borland's Open Architecture Handbook

back2root/ibm-pc-ms-dos/hardware/informations/executable-header-format.txt · Dernière modification : 2023/01/16 17:54 de frater