
What is the MZ signature in a PE file for?

I'm working on a program that will parse a PE object for various pieces of information.

Reading the specifications though, I cannot find out why the MZ bytes are there, as I cannot find this on the list of machine types that these 2 bytes are supposed to represent.

Can anyone clarify?

samoz asked Jun 05 '09 17:06


People also ask

What is MZ file signature?

qtx, .qts, .ocx, or .sys. The file signature for these files is “MZ,” or the hexadecimal characters 4D 5A, found in the first 2 bytes of the file. Humorously, the letters “MZ” are the initials for Mark Zbikowski, one of the principal architects of MS-DOS and the Windows/DOS executable file format.

What is MZ in PE?

The MZ signature is a signature used by the MS-DOS relocatable 16-bit EXE format and it's still present in today's PE files for backwards compatibility. The signature is 0x5a4d. It is the first 2 bytes of our PE file.

What does a MZ header indicate?

The story behind these two letters is that these are the initials of Mark Zbikowski, the designer of the DOS executable file format. These two letters are basically telling the system that this is an executable file.

What is the file signature of a PE file?

Signature (Image Only) After the MS-DOS stub, at the file offset specified at offset 0x3c, is a 4-byte signature that identifies the file as a PE format image file. This signature is "PE\0\0" (the letters "P" and "E" followed by two null bytes).


2 Answers

The MZ signature is a signature used by the MS-DOS relocatable 16-bit EXE format.

The reason a PE binary contains an MZ header is for backwards compatibility. If the executable is run on a DOS-based system, it will run the MZ version (which is nearly always just a stub that says you need to run the program on a Win32 system).

Of course this is not as useful nowadays as it was back when the world was transitioning from DOS to whatever would come after it.

Back then there were a few programs that would actually bind together a DOS version and a Win32 version in a single binary.

And as with most things dealing with Windows history, Raymond Chen has some interesting articles about this subject:

  • Why does a corrupted binary sometimes result in "Program too big to fit in memory"?
  • What's the difference between the COM and EXE extensions?
Michael Burr answered Sep 18 '22 17:09


Mark Zbikowski put his initials into the original MS-DOS exe format. This signature was necessary to distinguish .EXE files from the much simpler .COM format on DOS.

Every PE file also contains a 16-bit DOS program and thus starts with this .EXE header. This DOS program would typically print out "This program requires Microsoft Windows" or similar. I don't know if modern compilers still produce the DOS stub, but the PE standard still says a PE starts with a 16-bit EXE header.

Michael answered Sep 17 '22 17:09
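
The layout discussed on this page (MZ at offset 0, a pointer at 0x3C, then "PE\0\0" followed by the Machine field), as an added example that is not part of the original question or answers. The names `parse_pe_start`, `build_sample` and `NotPE` are hypothetical, and the sample bytes are constructed.

```python
import struct

DOS_MAGIC = b"MZ"          # 4D 5A at file offset 0 (DOS EXE header)
PE_MAGIC = b"PE\0\0"       # 4-byte signature at the offset stored at 0x3C
E_LFANEW_OFFSET = 0x3C     # 32-bit little-endian pointer to the PE signature
DOS_HEADER_SIZE = 0x40

# Subset of COFF Machine values, for readable output only.
MACHINE_NAMES = {0x014C: "i386", 0x8664: "x64", 0xAA64: "ARM64"}


class NotPE(ValueError):
    """Raised when the input is not a well-formed PE image."""


def parse_pe_start(data: bytes) -> dict:
    """Validate MZ and PE signatures and return the COFF Machine field."""
    if len(data) < DOS_HEADER_SIZE:
        raise NotPE("shorter than the 64-byte DOS header")
    if data[:2] != DOS_MAGIC:
        raise NotPE("no MZ signature at offset 0")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    # e_lfanew comes from the file, so bounds-check it before using it.
    if e_lfanew + len(PE_MAGIC) + 2 > len(data):
        raise NotPE(f"e_lfanew 0x{e_lfanew:X} points past end of file")
    if data[e_lfanew:e_lfanew + 4] != PE_MAGIC:
        raise NotPE("MZ file without PE signature (plain DOS EXE?)")
    # The Machine field the question was looking for starts here.
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return {"e_lfanew": e_lfanew, "machine": machine,
            "machine_name": MACHINE_NAMES.get(machine, "unknown")}


def build_sample(machine: int, e_lfanew: int = 0x80, with_pe: bool = True) -> bytes:
    """Constructed test input: DOS header, zeroed stub area, PE sig, Machine."""
    dos = DOS_MAGIC.ljust(E_LFANEW_OFFSET, b"\0") + struct.pack("<I", e_lfanew)
    body = (PE_MAGIC if with_pe else b"\0\0\0\0") + struct.pack("<H", machine)
    return dos.ljust(e_lfanew, b"\0") + body + b"\0" * 18


if __name__ == "__main__":
    print(parse_pe_start(build_sample(0x8664)))
```

The Machine value is read from `e_lfanew + 4`, not from the start of the file, which is why "MZ" does not appear in the list of machine types.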