In the IMAGE_DOS_HEADER for the PE (Windows executable) format there is a field known as e_lfanew; it serves a very important role in that it points to the actual PE header data.
My question is, what does "e_lfanew" actually stand for? What does it mean? It's so cryptic.
EDIT: I'm NOT asking what it does, I know what it does, I want to know what the letters in e_lfanew actually stand for. Why was it given that name?
The final field, e_lfanew, is a 4-byte offset into the file where the PE file header is located. It is necessary to use this offset to locate the PE header in the file. For PE files in Windows NT, the PE file header occurs soon after the MS-DOS header with only the real-mode stub program between them.
Overview. The DOS header (also called the MS-DOS header) is a 64-byte-long structure that exists at the start of the PE file. It's not important for the functionality of PE files on modern Windows systems; however, it's there because of backward compatibility reasons.
The PE file header consists of a Microsoft MS-DOS stub, the PE signature, the COFF file header, and an optional header. A COFF object file header consists of a COFF file header and an optional header. In both cases, the file headers are followed immediately by section headers.
The Portable Executable (PE) format is a file format for executables, object code, DLLs and others used in 32-bit and 64-bit versions of Windows operating systems. The PE format is a data structure that encapsulates the information necessary for the Windows OS loader to manage the wrapped executable code.
My interpretation would be that it's the long file address for the New Executable header.
Mainly based on the comment in this P/Invoke article about IMAGE_DOS_HEADER:
public Int32 e_lfanew; // File address of new exe header
"Long" because it's from the 16-bit era and the variable size is 32 bits.
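The lookup described on this page, as an added example that is not part of the original question or answer: read the 4-byte e_lfanew at offset 0x3C of the 64-byte DOS header, bounds-check it, and confirm the PE signature at that offset. The function names, the exception class and the sample images are constructed for illustration.

```python
import struct

DOS_HEADER_SIZE = 64          # size of IMAGE_DOS_HEADER
E_LFANEW_OFFSET = 0x3C        # e_lfanew is the final field of the DOS header
PE_SIGNATURE = b"PE\0\0"


class PEFormatError(ValueError):
    """Raised when the DOS header or e_lfanew cannot be trusted."""


def locate_pe_header(data: bytes) -> int:
    """Return the file offset of the PE signature, following e_lfanew."""
    if len(data) < DOS_HEADER_SIZE:
        raise PEFormatError("file shorter than the 64-byte DOS header")
    if data[:2] != b"MZ":
        raise PEFormatError("missing MZ magic (e_magic)")
    # e_lfanew is a signed 32-bit little-endian value (Int32 in the P/Invoke
    # declaration), so a hostile file can carry a negative offset.
    (e_lfanew,) = struct.unpack_from("<i", data, E_LFANEW_OFFSET)
    if e_lfanew < 0:
        raise PEFormatError(f"negative e_lfanew: {e_lfanew}")
    if e_lfanew + len(PE_SIGNATURE) > len(data):
        raise PEFormatError(f"e_lfanew {e_lfanew:#x} points past end of file")
    if data[e_lfanew:e_lfanew + len(PE_SIGNATURE)] != PE_SIGNATURE:
        raise PEFormatError(f"no PE signature at {e_lfanew:#x}")
    return e_lfanew


def build_sample(e_lfanew: int, stub_len: int = 64) -> bytes:
    """Constructed image: DOS header, zero-filled stub, then a PE signature."""
    header = bytearray(DOS_HEADER_SIZE)
    header[:2] = b"MZ"
    struct.pack_into("<i", header, E_LFANEW_OFFSET, e_lfanew)
    return bytes(header) + bytes(stub_len) + PE_SIGNATURE


if __name__ == "__main__":
    print(hex(locate_pe_header(build_sample(e_lfanew=128))))
    for bad in (build_sample(0x7FFFFFF0), build_sample(-4), build_sample(4)):
        try:
            locate_pe_header(bad)
        except PEFormatError as exc:
            print("rejected:", exc)
```

The checks here cover only what is needed to follow e_lfanew safely; they are not a statement of everything the Windows loader validates.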