  • PE File Format [2]

    DOS-stub and Signature
    ----------------------

    The concept of a DOS-stub is well-known from 16-bit Windows
    executables (which were in the "NE" format). The stub is used for
    OS/2 executables, self-extracting archives and other applications, too.
    For PE files, it is an MS-DOS 2.0 compatible executable that almost
    always consists of about 100 bytes that output an error message such as
    "this program needs windows NT".
    You recognize a DOS-stub by validating the DOS-header, being a
    struct IMAGE_DOS_HEADER. The first 2 bytes should be the sequence "MZ"
    (there is a #define IMAGE_DOS_SIGNATURE for this WORD).
    You distinguish a PE binary from other stubbed binaries by the trailing
    signature, which you find at the offset given by the header member
    'e_lfanew' (which is 32 bits long, beginning at byte offset 60). For OS/2
    and Windows binaries, the signature is a 16-bit word; for PE files, it
    is a 32-bit longword aligned at an 8-byte boundary and having the value
    IMAGE_NT_SIGNATURE, #defined to be 0x00004550.

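    DOS-stub and Signature

    --------------------------

    The DOS-stub is well known from 16-bit Windows executables, which used the "NE" format.

    The stub is also used in OS/2 executables, self-extracting archives and other applications.

    In a PE file, it is an MS-DOS 2.0 compatible executable of about 100 bytes that outputs an error message such as "this program needs windows NT".

    You can recognize a DOS-stub by validating the DOS-header, a struct IMAGE_DOS_HEADER whose first two bytes should be "MZ"
    (there is a #define IMAGE_DOS_SIGNATURE for this WORD).
    You can distinguish a PE file from other stubbed binaries by the trailing signature, found at the offset given by the header member e_lfanew (at byte offset 60, 32 bits long).

    For OS/2 or Windows binaries, the signature is 16 bits; for a PE file it is 32 bits (aligned on an 8-byte boundary), with the value IMAGE_NT_SIGNATURE, #defined as 0x00004550.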
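
The check described above, as an added example in C (not code from the original post): it validates "MZ", bounds-checks the file-supplied e_lfanew before reading through it, then tests the trailing signature. The enum, the function names and the 128-byte sample are assumptions made for illustration; 0x454E is winnt.h's IMAGE_OS2_SIGNATURE ("NE").

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Values match winnt.h; redefined here so the file builds without Windows headers. */
#define DOS_SIGNATURE 0x5A4Du      /* "MZ"      (IMAGE_DOS_SIGNATURE) */
#define NT_SIGNATURE  0x00004550u  /* "PE\0\0"  (IMAGE_NT_SIGNATURE)  */
#define NE_SIGNATURE  0x454Eu      /* "NE"      (IMAGE_OS2_SIGNATURE) */
#define E_LFANEW_OFF  60u          /* byte offset of e_lfanew         */
#define DOS_HDR_SIZE  64u          /* sizeof(IMAGE_DOS_HEADER)        */

/* Hypothetical result codes for this example. */
enum img_kind { IMG_NOT_MZ, IMG_TRUNCATED, IMG_BAD_OFFSET, IMG_OTHER_STUBBED, IMG_NE, IMG_PE };

/* Little-endian reads that work on any host and at any alignment. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }

enum img_kind classify_image(const uint8_t *buf, size_t len)
{
    if (len < 2 || rd16(buf) != DOS_SIGNATURE) return IMG_NOT_MZ;
    if (len < DOS_HDR_SIZE) return IMG_TRUNCATED;
    uint32_t off = rd32(buf + E_LFANEW_OFF);   /* value comes from the file: untrusted */
    if (off >= len || len - off < 2) return IMG_BAD_OFFSET;
    if (len - off >= 4 && rd32(buf + off) == NT_SIGNATURE) return IMG_PE;
    if (rd16(buf + off) == NE_SIGNATURE) return IMG_NE;
    return IMG_OTHER_STUBBED;
}

/* Constructed sample: zero-filled 128-byte image holding "MZ", e_lfanew and a signature. */
static uint8_t sample[128];
enum img_kind classify_sample(uint32_t lfanew, const char *sig, size_t siglen, size_t file_len)
{
    memset(sample, 0, sizeof sample);
    sample[0] = 'M'; sample[1] = 'Z';
    for (int i = 0; i < 4; i++) sample[E_LFANEW_OFF + i] = (uint8_t)(lfanew >> (8 * i));
    if (lfanew <= sizeof sample - siglen) memcpy(sample + lfanew, sig, siglen);
    return classify_image(sample, file_len);
}

int main(void)
{
    printf("PE sample  -> %d\n", classify_sample(0x40, "PE\0\0", 4, sizeof sample));
    printf("NE sample  -> %d\n", classify_sample(0x40, "NE", 2, sizeof sample));
    printf("bad offset -> %d\n", classify_sample(0x1000, "PE\0\0", 4, sizeof sample));
    return 0;
}
```
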

  • Original article: https://www.cnblogs.com/icuit/p/1758891.html