headers


@Formats
:DOS-EXEC parameters
^Format of DOS EXEC function parameter block

% for AL=00h,01h,04h:
%Offset Size Description
00h WORD segment of environment to copy for child process (copy caller's
environment if 0000h)
02h DWORD pointer to command tail to be copied into child's PSP
06h DWORD pointer to first FCB to be copied into child's PSP
0Ah DWORD pointer to second FCB to be copied into child's PSP
0Eh DWORD (AL=01h) will hold subprogram's initial SS:SP on return
12h DWORD (AL=01h) will hold entry point (CS:IP) on return

% for AL=03h:
%Offset Size Description
00h WORD segment at which to load overlay
02h WORD relocation factor to apply to overlay if in .EXE format

:FlashTek
^Format of EXEC parameter block for FlashTek X-32:
%Offset Size Description
00h PWORD 48-bit far pointer to environment string
06h PWORD 48-bit far pointer to command tail string

:EXE file header
^Format of .EXE file header:
%Offset Size Description
00h 2 BYTEs .EXE signature, either "MZ" or "ZM" (5A4Dh or 4D5Ah)
02h WORD number of bytes in last 512-byte page of executable
04h WORD total number of 512-byte pages in executable (includes any
partial last page)
06h WORD number of relocation entries
08h WORD header size in paragraphs
0Ah WORD minimum paragraphs of memory to allocation in addition to
executable's size
0Ch WORD maximum paragraphs to allocate in addition to executable's size
0Eh WORD initial SS relative to start of executable
10h WORD initial SP
12h WORD checksum (one's complement of sum of all words in executable)
14h DWORD initial CS:IP relative to start of executable
18h WORD offset within header of relocation table (40h for New EXE)
1Ah WORD overlay number (normally 0000h = main program)

%---new executable---
1Ch 4 BYTEs ???
20h WORD behavior bits
22h 26 BYTEs reserved for additional behavior info
3Ch DWORD offset of new executable header within disk file

%---Borland TLINK---
1Ch 2 BYTEs ??? (apparently always 01h 00h)
1Eh BYTE signature FBh
1Fh BYTE TLINK version (major in high nybble, minor in low nybble)
20h 2 BYTEs ??? (v2.0 apparently always 72h 6Ah, v3.0+ seems always 6Ah 72h)

%---ARJ self-extracting archive---
1Ch 4 BYTEs signature "RJSX"

%---LZEXE 0.91 compressed executable---
1Ch 4 BYTEs signature "LZ91"

%---PKLITE compressed executable---
1Ch 2 BYTEs ???
1Eh 6 BYTEs signature "PKLITE" (followed by copyright message)

%---LHarc 1.x self-extracting archive---
1Ch 4 BYTEs unused???
20h 3 BYTEs jump to start of extraction code
23h 2 BYTEs ???
25h 12 BYTEs signature "LHarc's SFX "

%---LHA 2.x self-extracting archive---
1Ch 8 BYTEs ???
24h 10 BYTEs signature "LHA's SFX "

%---other linkers---
1Ch var optional information

:Relocations
^ Format of EXE relocation information

N N DWORDs relocation items
Notes: if word at offset 02h is 4, it should be treated as 00h,
since pre-1.10 versions of the MS linker set it that way
if both minimum and maximum allocation (offset 0Ah/0Ch) are zero,
the program is loaded as high in memory as possible
the maximum allocation is set to FFFFh by default

:NewEXE header
^Format of new executable header:
%Offset Size Description
00h 2 BYTEs "NE" (4Eh 45h) signature
02h 2 BYTEs linker version (major, then minor)
04h WORD offset from start of this header to entry table (see below)
06h WORD length of entry table in bytes
08h DWORD file load CRC (0 in Borland's TPW)
0Ch BYTE program flags
bits 0-1 DGROUP type
0 = none
1 = single shared
2 = multiple (unshared)
3 = (null)
bit 2: global initialization
bit 3: protected mode only
bit 4: 8086 instructions
bit 5: 80286 instructions
bit 6: 80386 instructions
bit 7: 80x87 instructions
0Dh BYTE application flags
bits 0-2: application type
001 full screen (not aware of Windows/P.M. API)
010 compatible with Windows/P.M. API
011 uses Windows/P.M. API
bit 3: is a Family Application (OS/2)
bit 5: 0=executable, 1=errors in image
bit 6: non-conforming program (valid stack is not maintained)
bit 7: DLL or driver rather than application
(SS:SP info invalid, CS:IP points at FAR init routine
called with AX=module handle which returns AX=0000h
on failure, AX nonzero on successful initialization)
0Eh WORD auto data segment index
10h WORD initial local heap size
12h WORD initial stack size (added to data seg, 0000h if SS != DS)
14h DWORD program entry point (CS:IP), "CS" is index into segment table
18h DWORD initial stack pointer (SS:SP), "SS" is segment index
if SS=automatic data segment and SP=0000h, the stack pointer is
set to the top of the automatic data segment, just below the
local heap
1Ch WORD segment count
1Eh WORD module reference count
20h WORD length of nonresident names table in bytes
22h WORD offset from start of this header to segment table (see below)
24h WORD offset from start of this header to resource table
26h WORD offset from start of this header to resident names table
28h WORD offset from start of this header to module reference table
2Ah WORD offset from start of this header to imported names table
(array of counted strings, terminated with a string of
length 00h)
2Ch DWORD offset from start of file to ~nonresident names table~
30h WORD count of moveable entry point listed in entry table
32h WORD file alignment size shift count
0 is equivalent to 9 (default 512-byte pages)
34h WORD number of resource table entries
36h BYTE target operating system
00h unknown
01h OS/2
02h Windows
03h European MSDOS 4.x
04h Windows 386
05h BOSS (Borland Operating System Services)
37h BYTE other EXE flags
bit 0: supports long filenames
bit 1: 2.X protected mode
bit 2: 2.X proportional font
bit 3: gangload area
38h WORD offset to return thunks or start of gangload area
3Ah WORD offset to segment reference thunks or length of gangload area
3Ch WORD minimum code swap area size
3Eh 2 BYTEs expected Windows version (minor version first)

:CodeView information
^Format of Codeview trailer (at end of executable):
%Offset Size Description
00h WORD signature 4E42h ('NB')
02h WORD Microsoft debug info version number
04h DWORD Codeview header offset

:NewEXE segment table
^Format of new executable segment table record:
00h WORD offset in file (shift left by alignment shift to get byte offs)
02h WORD length of image in file (0000h = 64K)
04h WORD attributes
bit 0: data segment rather than code segment
bit 1: unused???
bit 2: real mode
bit 3: iterated
bit 4: movable
bit 5: sharable
bit 6: preloaded rather than demand-loaded
bit 7: execute-only (code) or read-only (data)
bit 8: relocations (directly following code for this segment)
bit 9: debug info present
bits 10,11: 80286 DPL bits
bit 12: discardable
bits 13-15: discard priority
06h WORD number of bytes to allocate for segment (0000h = 64K)
Note: the first segment table entry is entry number 1

:New EXE entry table
%Format of new executable entry table item (list):
%Offset Size Description
00h BYTE number of entry points (00h if end of entry table list)
01h BYTE segment number (00h if end of entry table list)
02h 3N BYTEs entry records
Offset Size Description
00h BYTE flags
bit 0: exported
bit 1: single data
bits 2-7: unused???
01h WORD offset within segment

:NewEXE reloc data
%Format of new executable relocation data (immediately follows segment image):
%Offset Size Description
00h WORD number of relocation items
02h 8N BYTEs relocation items
Offset Size Description
00h BYTE relocation type
00h LOBYTE
02h BASE
03h PTR
05h OFFS
0Bh PTR48
0Dh OFFS32
01h BYTE flags
bit 2: additive
02h WORD offset within segment
04h WORD target address segment
06h WORD target address offset

:NewEXE resource data
%Format of new executable resource data:
%Offset Size Description
00h WORD alignment shift count for resource data
02h N RECORDs resources
Format of resource record:
Offset Size Description
00h WORD type ID
0000h if end of resource records
>= 8000h if integer type
else offset from start of resource table to type string
02h WORD number of resources of this type
04h DWORD reserved for runtime use
08h N Resources (see below)
Note: resource type and name strings are stored immediately following the
resource table, and are not null-terminated

:NewEXE resource entry
%Format of new executable resource entry:
%Offset Size Description
00h WORD offset in alignment units from start of file to contents of
the resource data
02h WORD length of resource image in bytes
04h WORD flags
bit 4: moveable
bit 5: shareable
bit 6: preloaded
06h WORD resource ID
>= 8000h if integer resource
else offset from start of resource table to resource string
08h DWORD reserved for runtime use
Notes: resource type and name strings are stored immediately following the
resource table, and are not null-terminated
strings are counted strings, with a string of length 0 indicating the
end of the resource table

:NewEXE reference table
%Format of new executable module reference table [one bundle of entries]:
%Offset Size Description
00h BYTE number of records in this bundle (00h if end of table)
01h BYTE segment indicator
00h unused
FFh movable segment, segment number is in entry
else segment number of fixed segment
02h N RECORDs
Format of segment record
Offset Size Description
00h BYTE flags
bit 0: entry is exported
bit 1: entry uses global (shared) data
bits 7-3: number of parameter words
---fixed segment---
01h WORD offset
---moveable segment---
01h 2 BYTEs INT 3F instruction (CDh 3Fh)
03h BYTE segment number
05h WORD offset
Note: table entries are numbered starting from 1

:NewEXE name table:nonresident names table
%Format of new executable resident/nonresident name table entry:
%Offset Size Description
00h BYTE length of string (00h if end of table)
01h N BYTEs ASCII text of string
N+1 WORD ordinal number (index into entry table)

Notes: the first string in the resident name table is the module name; the
first entry in the nonresident name table is the module description
the strings are case-sensitive; if the executable was linked with
/IGNORECASE, all strings are in uppercase

:Linear Executable header
^Format of Linear Executable (enhanced mode executable) header:

%Offset Size Description
00h 2 BYTEs "LE" (4Ch 45h) signature
02h BYTE byte order (00h = little-endian, nonzero = big-endian)
03h BYTE word order (00h = little-endian, nonzero = big-endian)
04h DWORD executable format level
08h WORD CPU type (see also INT 15/AH=C9h)
01h Intel 80286 or upwardly compatible
02h Intel 80386 or upwardly compatible
03h Intel 80486 or upwardly compatible
04h Intel 80586 or upwardly compatible
20h Intel i860 (N10) or compatible
21h Intel "N11" or compatible
40h MIPS Mark I (R2000, R3000) or compatible
41h MIPS Mark II (R6000) or compatible
42h MIPS Mark III (R4000) or compatible
0Ah WORD target operating system
01h OS/2
02h Windows
03h DOS4.x
04h Windows 386
0Ch DWORD module version
10h DWORD module type
bit 2: initialization (only for DLLs)
0 = global
1 = per-process
bit 4: no internal fixups in executable image
bit 5: no external fixups in executable image
bits 8,9,10:
0 = unknown
1 = incompatible with PM windowing \
2 = compatible with PM windowing > (only for
3 = uses PM windowing API / programs)
bit 13: module not loadable (only for programs)
bit 15: module is DLL rather than program
14h DWORD number of memory pages
18h Initial CS:EIP
DWORD object number
DWORD offset
20h Initial SS:ESP
DWORD object number
DWORD offset
28h DWORD memory page size
2Ch DWORD bytes on last page
30h DWORD fixup section size
34h DWORD fixup section checksum
38h DWORD loader section size
3Ch DWORD loader section checksum
40h DWORD offset of ~object table~ (see below)
44h DWORD object table entries
48h DWORD ~object page map table~ offset
4CH DWORD object iterate data map offset
50h DWORD resource table offset
54h DWORD resource table entries
58h DWORD resident names table offset
5Ch DWORD entry table offset
60h DWORD module directives table offset
64h DWORD Module Directives entries
68h DWORD Fixup page table offset
6Ch DWORD Fixup record table offset
70h DWORD imported modules name table offset
74h DWORD imported modules count
78h DWORD imported procedures name table offset
7Ch DWORD per-page checksum table offset
80h DWORD data pages offset
84h DWORD preload page count
88h DWORD non-resident names table offset
8Ch DWORD non-resident names table length
90h DWORD non-resident names checksum
94h DWORD automatic data object
98h DWORD debug information offset
9Ch DWORD debug information length
A0h DWORD preload instance pages number
A4h DWORD demand instance pages number
A8h DWORD extra heap allocation
ACh ??? (at most 24 additional bytes here)

% Note:
used by EMM386.EXE, QEMM, and Windows 3.0 Enhanced Mode drivers

:LE object table
%Format of object table entry:
%Offset Size Description
00h DWORD virtual size in bytes
04h DWORD relocation base address
08h DWORD object flags
bit 0: readable
bit 1: writable
bit 2: executable
bit 3: resource
bit 4: discardable
bit 5: shared
bit 6: preloaded
bit 7: invalid
bit 8-9: type
00 normal
01 zero-filled
10 resident
11 resident/contiguous
bit 10: "RESIDENT/LONG_LOCKABLE"
bit 11: reserved???
bit 12: "16:16_ALIAS"
bit 13: "BIG" (32-bit???)
bit 14: conforming
bit 15: "OBJECT_I/O_PRIVILEGE_LEVEL"
bits 16-31: reserved
0Ch DWORD page map index
10h DWORD page map entries
10h 4 BYTEs ??? (apparently always zeros)


:object page map table
%Format of object page map table entry:
%Offset Size Description
00h 4 BYTEs ???

%Format of resident names table entry:
%Offset Size Description
00h BYTE length of name
01h N BYTEs name
N+1 3 BYTEs ???

:Linear executable entry table
%Format of linear executable entry table:
%Offset Size Description
00h BYTE number of entries in table
01h 10 BYTEs per entry
Offset Size Description
00h BYTE bit flags
bit 1: 32-bit entry
01h WORD object number
03h BYTE bit flags
bit 0: exported
bit 1: ???
04h DWORD offset of entry point
08h 2 BYTEs ???

:Borland debug info
%Format of Borland debugging information header (following load image):

%Offset Size Description
00h WORD signature 52FBh
02h WORD version ID
04h DWORD size of name pool in bytes
08h WORD number of names in namem pool
0Ah WORD number of type entries
0Ch WORD number of structure members
0Eh WORD number of symbols
10h WORD number of global symbols
12h WORD number of modules
14h WORD number of locals (optional)
16h WORD number of scopes in table
18h WORD number of line-number entries
1Ah WORD number of include files
1Ch WORD number of segment records
1Eh WORD number of segment/file correlations
20h DWORD size of load image after removing uninitialized data and debug
info
24h DWORD debugger hook; pointer into debugged program whose meaning
depends on program flags
28h BYTE program flags
bit 0: case-sensitive link
bit 1: pascal overlay program
29h WORD no longer used
2Bh WORD size of data pool in bytes
2Dh BYTE padding
2Eh WORD size of following header extension (currently 00h, 10h, or 20h)
30h WORD number of classes
32h WORD number of parents
34h WORD number of global classes (currently unused)
36h WORD number of overloads (currently unused)
38h WORD number of scope classes
3Ah WORD number of module classes
3Ch WORD number of coverage offsets
3Eh DWORD offset relative to symbol base of name pool
42h WORD number of browser information records
44h WORD number of optimized symbol records
46h WORD debugging flags
48h 8 BYTEs padding

%Note:
additional information on the Borland debugging info
may be found in Borland's Open Architecture Handbook



Wyszukiwarka

Podobne podstrony:
header
HEADERS
header
header7
users auctions header closed php3
UDP ICMP Headers
header

więcej podobnych podstron