Menu
I'm working on a program that will parse a PE object for various pieces of information.
Reading the specifications though, I cannot find out why the MZ bytes are there, as I cannot find this on the list of machine types that these 2 bytes are supposed to represent.
Can anyone clarify?
891
qtx,. qts, ocx, or. sys. The file signature for these files is “MZ,” or the hexadecimal characters 4D 5A, found in the first 2 bytes of the file. Humorously, the letters “MZ” are the initials for Mark Zbikowski, one of the principal architects of MS-DOS and the Windows/DOS executable file format.
The MZ signature is a signature used by the MS-DOS relocatable 16-bit EXE format and its still present in today's PE files for backwards compatibility. The signature is 0x5a4d . It is the first 2 bytes of our PE file.
These story behind these two letters is that these are the initials of Mark Zbikowski the designer of the DOS executable file format. These two letters are basically telling the system that this is an executable file.
Signature (Image Only) After the MS-DOS stub, at the file offset specified at offset 0x3c, is a 4-byte signature that identifies the file as a PE format image file. This signature is "PE\0\0" (the letters "P" and "E" followed by two null bytes).
The MZ signature is a signature used by the MS-DOS relocatable 16-bit EXE format.
The reason a PE binary contains an MZ header is for backwards compatibility. If the executable is run on a DOS-based system it will run the MZ version (which is nearly always just stub that says you need to run the program on a Win32 system).
Of course this is not as useful nowadays as it was back when the world was transitioning from DOS to whatever would come after it.
Back then there were a few programs that would actually bind together a DOS version and a Win32 version in a single binary.
And as with most things dealing with Windows history, Raymond Chen has some interesting articles about this subject:
138
Mark Zbikowski put his initials into the original MS-DOS exe format. This signature was necessary to distinguish .EXE files from the much simpler .COM format on DOS.
Every PE file also contains a 16-bit DOS program and thus starts with this .EXE header. This DOS program would typically print out "This program requires Microsoft Windows" or similar. I don't know if modern compilers still produce the DOS stub, but the PE standard still says a PE starts with a 16-bit EXE header.
42
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
