Outils pour utilisateurs
back2root:ibm-pc-ms-dos:hardware:informations:executable-header-format
Table des matières
Executable Header Format
Format of .EXE file header:
| Offset | Size | Description |
|---|---|---|
| 00h | 2 BYTEs | .EXE signature, either “MZ” or “ZM” (5A4Dh or 4D5Ah) |
| 02h | WORD | number of bytes in last 512-byte page of executable |
| 04h | WORD | total number of 512-byte pages in executable (includes any partial last page) |
| 06h | WORD | number of relocation entries |
| 08h | WORD | header size in paragraphs |
| 0Ah | WORD | minimum paragraphs of memory to allocation in addition to executable's size |
| 0Ch | WORD | maximum paragraphs to allocate in addition to executable's size |
| 0Eh | WORD | initial SS relative to start of executable |
| 10h | WORD | initial SP |
| 12h | WORD | checksum (one's complement of sum of all words in executable) |
| 14h | DWORD | initial CS:IP relative to start of executable |
| 18h | WORD | offset within header of relocation table (40h for New EXE) |
| 1Ah | WORD | overlay number (normally 0000h = main program) |
| —new executable— | ||
| 1Ch | 4 BYTEs | ??? |
| 20h | WORD | behavior bits |
| 22h | 26 | BYTEs reserved for additional behavior info |
| 3Ch | DWORD | offset of new executable header within disk file |
| —Borland TLINK— | ||
| 1Ch | 2 BYTEs | ??? (apparently always 01h 00h) |
| 1Eh | BYTE | signature FBh |
| 1Fh | BYTE | TLINK version (major in high nybble, minor in low nybble) |
| 20h | 2 BYTEs | ??? (v2.0 apparently always 72h 6Ah, v3.0+ seems always 6Ah 72h) |
| —ARJ self-extracting archive— | ||
| 1Ch | 4 BYTEs | signature “RJSX” |
| —LZEXE 0.91 compressed executable— | ||
| 1Ch | 4 BYTEs | signature “LZ91” |
| —PKLITE compressed executable— | ||
| 1Ch | 2 BYTEs | ??? |
| 1Eh | 6 BYTEs | signature “PKLITE” (followed by copyright message) |
| —LHarc 1.x self-extracting archive— | ||
| 1Ch | 4 BYTEs | unused??? |
| 20h | 3 BYTEs | jump to start of extraction code |
| 23h | 2 BYTEs | ??? |
| 25h | 12 BYTEs | signature “LHarc's SFX ” |
| —LHA 2.x self-extracting archive— | ||
| 1Ch | 8 BYTEs | ??? |
| 24h | 10 BYTEs | signature “LHA's SFX ” |
| —other linkers— | ||
| 1Ch | var | optional information |
| : | ||
| N | N DWORDs | relocation items |
Format of new executable header:
| Offset | Size | Description |
|---|---|---|
| 00h | 2 BYTEs | “NE” (4Eh 45h) signature |
| 02h | 2 BYTEs | linker version (major, then minor) |
| 04h | WORD | offset from start of this header to entry table (see below) |
| 06h | WORD | length of entry table in bytes |
| 08h | DWORD | file load CRC (0 in Borland's TPW) |
| 0Ch | BYTE | program flags bits 0-1 DGROUP type * 0 = none * 1 = single shared * 2 = multiple (unshared) * 3 = (null) * bit 2: global initialization * bit 3: protected mode only * bit 4: 8086 instructions * bit 5: 80286 instructions * bit 6: 80386 instructions * bit 7: 80×87 instructions |
| 0Dh | BYTE | application flags * bits 0-2: application type * 001 full screen (not aware of Windows/P.M. API) * 010 compatible with Windows/P.M. API * 011 uses Windows/P.M. API * bit 3: is a Family Application (OS/2) * bit 5: 0=executable, 1=errors in image * bit 6: non-conforming program (valid stack is not maintained) * bit 7: DLL or driver rather than application * (SS:SP info invalid, CS:IP points at FAR init routine * called with AX=module handle which returns AX=0000h * on failure, AX nonzero on successful initialization) |
| 0Eh | WORD | auto data segment index |
| 10h | WORD | initial local heap size |
| 12h | WORD | initial stack size (added to data seg, 0000h if SS != DS) |
| 14h | DWORD | program entry point (CS:IP), “CS” is index into segment table |
| 18h | DWORD | initial stack pointer (SS:SP), “SS” is segment index if SS=automatic data segment and SP=0000h, the stack pointer is set to the top of the automatic data segment, just below the local heap |
| 1Ch | WORD | segment count |
| 1Eh | WORD | module reference count |
| 20h | WORD | length of nonresident names table in bytes |
| 22h | WORD | offset from start of this header to segment table (see below) |
| 24h | WORD | offset from start of this header to resource table |
| 26h | WORD | offset from start of this header to resident names table |
| 28h | WORD | offset from start of this header to module reference table |
| 2Ah | WORD | offset from start of this header to imported names table (array of counted strings, terminated with a string of length 00h) |
| 2Ch | DWORD | offset from start of file to nonresident names table |
| 30h | WORD | count of moveable entry point listed in entry table |
| 32h | WORD | file alignment size shift count 0 is equivalent to 9 (default 512-byte pages) |
| 34h | WORD | number of resource table entries |
| 36h | BYTE | target operating system * 00h unknown * 01h OS/2 * 02h Windows * 03h European MS-DOS 4.x * 04h Windows 386 * 05h BOSS (Borland Operating System Services) |
| 37h | BYTE | other EXE flags * bit 0: supports long filenames * bit 1: 2.X protected mode * bit 2: 2.X proportional font * bit 3: gangload area |
| 38h | WORD | offset to return thunks or start of gangload area |
| 3Ah | WORD | offset to segment reference thunks or length of gangload area |
| 3Ch | WORD | minimum code swap area size |
| 3Eh | 2 BYTEs | expected Windows version (minor version first) |
Format of Codeview trailer (at end of executable):
| Offset | Size | Description |
|---|---|---|
| 00h | WORD | signature 4E42h ('NB') |
| 02h | WORD | Microsoft debug info version number |
| 04h | DWORD | Codeview header offset |
Format of new executable segment table record:
| Offset | Size | Description |
|---|---|---|
| 00h | WORD | offset in file (shift left by alignment shift to get byte offs) |
| 02h | WORD | length of image in file (0000h = 64K) |
| 04h | WORD | attributes * bit 0: data segment rather than code segment * bit 1: unused??? * bit 2: real mode * bit 3: iterated * bit 4: movable * bit 5: sharable * bit 6: preloaded rather than demand-loaded * bit 7: execute-only (code) or read-only (data) * bit 8: relocations (directly following code for this segment) * bit 9: debug info present * bits 10,11: 80286 DPL bits * bit 12: discardable * bits 13-15: discard priority |
| 06h | WORD | number of bytes to allocate for segment (0000h = 64K) |
the first segment table entry is entry number 1
Format of new executable entry table item (list):
| Offset | Size | Description | ||
|---|---|---|---|---|
| 00h | BYTE | number of entry points (00h if end of entry table list) | ||
| 01h | BYTE | segment number (00h if end of entry table list) | ||
| 02h | 3N BYTEs | entry records | ||
| Offset | Size | Description | ||
| 00h | BYTE | flags bit 0: exported bit 1: single data bits 2-7: unused??? |
||
| 01h | WORD | offset within segment | ||
Format of new executable relocation data (immediately follows segment image):
| Offset | Size | Description | ||
|---|---|---|---|---|
| 00h | WORD | number of relocation items | ||
| 02h | 8N BYTEs | relocation items | ||
| Offset | Size | Description | ||
| 00h | BYTE | relocation type 00h LOBYTE 02h BASE 03h PTR 05h OFFS 0Bh PTR48 0Dh OFFS32 |
||
| 01h | BYTE | flags bit 2: additive |
||
| 02h | WORD | offset within segment | ||
| 04h | WORD | target address segment | ||
| 06h | WORD | target address offset | ||
| Offset | Size | Description |
|---|---|---|
| 00h | WORD | alignment shift count for resource data |
| 02h | N RECORDs | resources |
Format of resource record:
| Offset | Size | Description |
|---|---|---|
| 00h | WORD | type ID |
| 0000h if end of resource records >= 8000h if integer type else offset from start of resource table to type string |
||
| 02h | WORD | number of resources of this type |
| 04h | DWORD | reserved for runtime use |
| 08h | N Resources | (see below) |
resource type and name strings are stored immediately following the resource table, and are not null-terminated
Format of new executable resource entry:
| Offset | Size | Description |
|---|---|---|
| 00h | WORD | offset in alignment units from start of file to contents of the resource data |
| 02h | WORD | length of resource image in bytes |
| 04h | WORD | flags bit 4: moveable bit 5: shareable bit 6: preloaded |
| 06h | WORD | resource ID >= 8000h if integer resource else offset from start of resource table to resource string |
| 08h | DWORD | reserved for runtime use |
resource type and name strings are stored immediately following the resource table, and are not null-terminated
strings are counted strings, with a string of length 0 indicating the end of the resource table
Format of new executable module reference table [one bundle of entries]:
| Offset | Size | Description | |
|---|---|---|---|
| 00h | BYTE | number of records in this bundle (00h if end of table) | |
| 01h | BYTE | segment indicator 00h unused FFh movable segment, segment number is in entry else segment number of fixed segment |
|
| 02h | N RECORDs | ||
| Format of segment record | |||
| Offset | Size | Description | |
| 00h | BYTE | flags bit 0: entry is exported bit 1: entry uses global (shared) data bits 7-3: number of parameter words |
|
| —fixed segment— | |||
| 01h | WORD | offset | |
| —moveable segment— | |||
| 01h | 2 BYTEs | INT 3F instruction (CDh 3Fh) | |
| 03h | BYTE | segment number | |
| 05h | WORD | offset | |
table entries are numbered starting from 1
Format of new executable resident/nonresident name table entry:
| Offset | Size | Description |
|---|---|---|
| 00h | BYTE | length of string (00h if end of table) |
| 01h | N BYTEs | ASCII text of string |
| N+1 | WORD | ordinal number (index into entry table) |
the first string in the resident name table is the module name; the first entry in the nonresident name table is the module description
the strings are case-sensitive; if the executable was linked with /IGNORECASE, all strings are in uppercase
Format of Linear Executable (enhanced mode executable) header:
| Offset | Size | Description |
|---|---|---|
| 00h | 2 BYTEs | “LE” (4Ch 45h) signature |
| 02h | BYTE | byte order (00h = little-endian, nonzero = big-endian) |
| 03h | BYTE | word order (00h = little-endian, nonzero = big-endian) |
| 04h | DWORD | executable format level |
| 08h | WORD | CPU type (see also INT 15/AH=C9h) 01h Intel 80286 or upwardly compatible 02h Intel 80386 or upwardly compatible 03h Intel 80486 or upwardly compatible 04h Intel 80586 or upwardly compatible 20h Intel i860 (N10) or compatible 21h Intel “N11” or compatible 40h MIPS Mark I (R2000, R3000) or compatible 41h MIPS Mark II (R6000) or compatible 42h MIPS Mark III (R4000) or compatible |
| 0Ah | WORD | target operating system 01h OS/2 02h Windows 03h DOS4.x 04h Windows 386 |
| 0Ch | DWORD | module version |
| 10h | DWORD | module type bit 2: initialization (only for DLLs) * 0 = global * 1 = per-process bit 4: no internal fixups in executable image bit 5: no external fixups in executable image bits 8,9,10: * 0 = unknown * 1 = incompatible with PM windowing * 2 = compatible with PM windowing * 3 = uses PM windowing API bit 13: module not loadable (only for programs) bit 15: module is DLL rather than program note bit 1,2,3 : only for programs |
| 14h | DWORD | number of memory pages |
| 18h | Initial CS:EIP | |
| DWORD | object number | |
| DWORD | offset | |
| 20h | Initial SS:ESP | |
| DWORD | object number | |
| DWORD | offset | |
| 28h | DWORD | memory page size |
| 2Ch | DWORD | bytes on last page |
| 30h | DWORD | fixup section size |
| 34h | DWORD | fixup section checksum |
| 38h | DWORD | loader section size |
| 3Ch | DWORD | loader section checksum |
| 40h | DWORD | offset of object table (see below) |
| 44h | DWORD | object table entries |
| 48h | DWORD | object page map table offset |
| 4CH | DWORD | object iterate data map offset |
| 50h | DWORD | resource table offset |
| 54h | DWORD | resource table entries |
| 58h | DWORD | resident names table offset |
| 5Ch | DWORD | entry table offset |
| 60h | DWORD | module directives table offset |
| 64h | DWORD | Module Directives entries |
| 68h | DWORD | Fixup page table offset |
| 6Ch | DWORD | Fixup record table offset |
| 70h | DWORD | imported modules name table offset |
| 74h | DWORD | imported modules count |
| 78h | DWORD | imported procedures name table offset |
| 7Ch | DWORD | per-page checksum table offset |
| 80h | DWORD | data pages offset |
| 84h | DWORD | preload page count |
| 88h | DWORD | non-resident names table offset |
| 8Ch | DWORD | non-resident names table length |
| 90h | DWORD | non-resident names checksum |
| 94h | DWORD | automatic data object |
| 98h | DWORD | debug information offset |
| 9Ch | DWORD | debug information length |
| A0h | DWORD | preload instance pages number |
| A4h | DWORD | demand instance pages number |
| A8h | DWORD | extra heap allocation |
| ACh | ??? | (at most 24 additional bytes here) |
used by EMM386.EXE, QEMM, and Windows 3.0 Enhanced Mode drivers
Format of object table entry:
| Offset | Size | Description |
|---|---|---|
| 00h | DWORD | virtual size in bytes |
| 04h | DWORD | relocation base address |
| 08h | DWORD | object flags bit 0: readable bit 1: writable bit 2: executable bit 3: resource bit 4: discardable bit 5: shared bit 6: preloaded bit 7: invalid bit 8-9: type * 00 normal * 01 zero-filled * 10 resident * 11 resident/contiguous bit 10: “RESIDENT/LONG_LOCKABLE” bit 11: reserved??? bit 12: “16:16_ALIAS” bit 13: “BIG” (32-bit???) bit 14: conforming bit 15: “OBJECT_I/O_PRIVILEGE_LEVEL” bits 16-31: reserved |
| 0Ch | DWORD | page map index |
| 10h | DWORD | page map entries |
| 10h | 4 BYTEs | ??? (apparently always zeros) |
Format of object page map table entry:
| Offset | Size | Description |
|---|---|---|
| 00h | 4 BYTEs | ??? |
Format of resident names table entry:
| Offset | Size | Description |
|---|---|---|
| 00h | BYTE | length of name |
| 01h | N BYTEs | name |
| N+1 | 3 BYTEs | ??? |
Format of linear executable entry table:
| Offset | Size | Description | ||
|---|---|---|---|---|
| 00h | BYTE | number of entries in table | ||
| 01h | 10 BYTEs | per entry | ||
| Offset | Size | Description | ||
| 00h | BYTE | bit flags bit 1: 32-bit entry |
||
| 01h | WORD | object number | ||
| 03h | BYTE | bit flags bit 0: exported bit 1: ??? |
||
| 04h | DWORD | offset of entry point | ||
| 08h | 2 BYTEs | ??? | ||
Format of Borland debugging information header (following load image):
| Offset | Size | Description |
|---|---|---|
| 00h | WORD | signature 52FBh |
| 02h | WORD | version ID |
| 04h | DWORD | size of name pool in bytes |
| 08h | WORD | number of names in namem pool |
| 0Ah | WORD | number of type entries |
| 0Ch | WORD | number of structure members |
| 0Eh | WORD | number of symbols |
| 10h | WORD | number of global symbols |
| 12h | WORD | number of modules |
| 14h | WORD | number of locals (optional) |
| 16h | WORD | number of scopes in table |
| 18h | WORD | number of line-number entries |
| 1Ah | WORD | number of include files |
| 1Ch | WORD | number of segment records |
| 1Eh | WORD | number of segment/file correlations |
| 20h | DWORD | size of load image after removing uninitialized data and debug info |
| 24h | DWORD | debugger hook; pointer into debugged program whose meaning depends on program flags |
| 28h | BYTE | program flags bit 0: case-sensitive link bit 1: pascal overlay program |
| 29h | WORD | no longer used |
| 2Bh | WORD | size of data pool in bytes |
| 2Dh | BYTE | padding |
| 2Eh | WORD | size of following header extension (currently 00h, 10h, or 20h) |
| 30h | WORD | number of classes |
| 32h | WORD | number of parents |
| 34h | WORD | number of global classes (currently unused) |
| 36h | WORD | number of overloads (currently unused) |
| 38h | WORD | number of scope classes |
| 3Ah | WORD | number of module classes |
| 3Ch | WORD | number of coverage offsets |
| 3Eh | DWORD | offset relative to symbol base of name pool |
| 42h | WORD | number of browser information records |
| 44h | WORD | number of optimized symbol records |
| 46h | WORD | debugging flags |
| 48h | 8 BYTEs | padding |
additional information on the Borland debugging info may be found in Borland's Open Architecture Handbook
back2root/ibm-pc-ms-dos/hardware/informations/executable-header-format.txt · Dernière modification : 2023/01/16 17:54 de frater
Outils de la page
Sauf mention contraire, le contenu de ce wiki est placé sous les termes de la licence suivante : CC Attribution-Noncommercial-Share Alike 4.0 International
