
Author Topic: Detect PE Format Methodology


almn

  • Guest
Detect PE Format Methodology
« on: September 09, 2007, 02:41:20 AM »
Hello,

I am trying to detect whether a file is a PE or not. I know there are many ways to do that; here is how I want to check:
I want it to read the first few characters of the file; if they are MZ then my program will consider them PEs.
Is this a reliable method?
Actually what I am looking for is a technique that detects all the PEs but may (by accident) classify a file as a PE when it's really not.

As far as the code goes I am fine; I just need to know if this is technically correct?

Thanks

Al968

contrex

  • Guest
Re: Detect PE Format Methodology
« Reply #1 on: September 09, 2007, 04:29:15 AM »
This file would be detected as executable by your method but it is not ;-)

Quote
MZy Bad Spelling
Egggs
Bakon
Saucissses de Toulouse

More seriously,

Quote
All Windows executable files begin with a MS-DOS executable stub, so we first test for a valid MS-DOS executable using information from the MS-DOS program header that is present in every executable file. We then check for markers for a 16 bit or 32 bit Windows executable or for a virtual device driver (VXD). If we establish the file is a Windows executable we look for information that determines whether the file is an application or is a DLL. A review of the MS-DOS, Windows NE (16 bit) and PE (32 bit) executable file formats leads us to note the following:

    * All DOS program files (and therefore Windows executables) begin with a "magic number"; the word value $5A4D ("MZ" in ASCII).

    * We use the DOS header to check that the file length exceeds or is equal to the minimum length of the DOS executable and that the offset of the DOS relocation table lies within the file.

    * Windows executables have a header record whose offset in the file is given by the long word at offset $3C.

    * The Windows header begins with a "magic number" word whose value indicates whether this is a 16bit (NE format) or 32 bit (PE format) executable or a virtual device driver (LE format). The word is $454E ("NE" in ASCII), $4550 ("PE") or $454C ("LE").

    * 32 bit Windows executables have an "image header" immediately following the $4550 magic number. This header structure has a Characteristics field which is a bit mask. If the bit mask contains the flag IMAGE_FILE_DLL then the file is a DLL, otherwise it is a program file.

    * 16 bit Windows programs have a byte sized field at offset $0D from the start of the Windows header which is a bit mask providing information about the file. If this field contains the flag $80 then the file is a DLL, otherwise it is a program.

See here (where I got the above) and much more including a flow chart.

http://www.delphidabbler.com/articles?article=8

and here

http://www.google.co.uk/search?source=ig&hl=en&q=detect+windows+executable&btnG=Google+Search&meta=
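Putting the quoted checks together in one routine, as an added Python example (not code from the linked article or from anyone in this thread): it rejects the "MZy Bad Spelling" file, follows the long word at $3C to the Windows header, and reads the NE/PE/LE markers and the two DLL flags. The article's "minimum DOS executable length" is taken here as "the 64-byte DOS header is present", and the sample images are constructed header-only test data, not real binaries.

```python
import struct

# Magic values from the quoted DOS/NE/PE/LE description.
IMAGE_FILE_DLL = 0x2000   # Characteristics flag in the PE image header
NE_DLL_FLAG = 0x80        # flag byte at offset $0D of the NE header
DOS_HEADER_LEN = 0x40     # 64-byte DOS header; e_lfanew lives at $3C

def classify_executable(data: bytes) -> str:
    """Return 'PE-EXE', 'PE-DLL', 'NE-EXE', 'NE-DLL', 'LE', 'DOS' or 'not-exe'."""
    # "MZ" alone is not enough: the whole DOS header must be present.
    if len(data) < DOS_HEADER_LEN or data[:2] != b"MZ":
        return "not-exe"
    # e_lfarlc ($18): the DOS relocation table must lie within the file.
    if struct.unpack_from("<H", data, 0x18)[0] > len(data):
        return "not-exe"
    # e_lfanew ($3C): offset of the Windows header; 0 or out of range = plain DOS.
    off = struct.unpack_from("<I", data, 0x3C)[0]
    if off == 0 or off + 4 > len(data):
        return "DOS"
    sig = data[off:off + 4]
    if sig == b"PE\x00\x00":
        if off + 24 > len(data):
            return "not-exe"  # PE signature but the 20-byte image header is cut off
        chars = struct.unpack_from("<H", data, off + 22)[0]  # Characteristics
        return "PE-DLL" if chars & IMAGE_FILE_DLL else "PE-EXE"
    if sig[:2] == b"NE" and off + 0x0E <= len(data):
        return "NE-DLL" if data[off + 0x0D] & NE_DLL_FLAG else "NE-EXE"
    if sig[:2] == b"LE":
        return "LE"
    return "DOS"  # MZ file with no recognised Windows header

def build_sample(kind: str) -> bytes:
    """Constructed header-only images for testing (not real binaries)."""
    img = bytearray(0x80)                        # zero-filled DOS header + stub
    img[0:2] = b"MZ"
    struct.pack_into("<H", img, 0x18, 0x40)      # e_lfarlc: relocations follow header
    if kind == "DOS":
        return bytes(img)                        # e_lfanew stays 0
    struct.pack_into("<I", img, 0x3C, 0x80)      # e_lfanew: Windows header at $80
    if kind.startswith("PE"):
        coff = bytearray(20)                     # IMAGE_FILE_HEADER
        struct.pack_into("<H", coff, 0, 0x14C)   # Machine = i386
        struct.pack_into("<H", coff, 18, 0x0002 | (IMAGE_FILE_DLL if kind == "PE-DLL" else 0))
        return bytes(img) + b"PE\x00\x00" + bytes(coff)
    ne = bytearray(0x40)
    ne[0:2] = kind[:2].encode()                  # "NE" or "LE" signature
    if kind == "NE-DLL":
        ne[0x0D] = NE_DLL_FLAG
    return bytes(img) + bytes(ne)
```

Feeding it the first 64 bytes of a file is enough to reject non-executables; the full header region is needed before the NE/PE/LE signature and DLL flags can be read.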





almn

  • Guest
Re: Detect PE Format Methodology
« Reply #2 on: September 09, 2007, 04:45:17 PM »
OK, great information. Just another quick question: is the "magic" number that stated PE on the second line of the program?

Thanks

Al968

contrex

  • Guest
Re: Detect PE Format Methodology
« Reply #3 on: September 09, 2007, 11:44:57 PM »
Quote
is the "magic" number that stated PE on the second line of the program?

The Windows header's offset in the file is given by the long word at offset $3C. Don't know what you mean by "line" in this context.


ghostdog74

  • Specialist
Re: Detect PE Format Methodology
« Reply #4 on: September 10, 2007, 02:07:40 AM »
Here's a little Perl snippet you can use to get the file header. I only tested it on an exe file. You can follow the rest of what contrex has posted to get PE headers... may or may not work though.
Code:
use strict;
use warnings;

my $file = "c:/someapplication.exe";
my $hex;

# Open in binary mode so the raw header bytes are read untranslated.
if (open(my $fh, '<', $file)) {
    binmode($fh);
    my $bin;
    # Read the first 20 bytes; a DOS/Windows executable starts with "MZ" (4D 5A).
    my $got = sysread($fh, $bin, 20);
    close($fh);
    $hex = uc(unpack("H*", $bin)) if $got;
}
# $hex stays undefined if the file could not be opened or read.
print defined $hex ? "$hex\n" : "could not read $file\n";