Windows XP/Vista/7/8, 32-bit version, 64-bit compatible
(download source code) (zip)

legend:
EE - executable without restriction
0E - executable with restriction

offset  type   contents                    comments
000h    db     'M', 'Z'                    ;DOS signature
002h    db     'P', 'F'                    ;these are executable, too, but if Mark can put his signature... ;-)
004h    db     'P', 'E', 0, 0              ;Signature
008h    dw     014Ch                       ;Machine (x86 for this example)
00Ah    dw     0000                        ;NumberOfSections (zero sections has always been legal on NT-based platforms)
00Ch    dd     0EEEEEEEEh                  ;TimeDateStamp
010h    dd     0EEEEEEEEh                  ;PointerToSymbolTable
014h    dd     0EEEEEEEEh                  ;NumberOfSymbols
018h    dw     0008                        ;SizeOfOptionalHeader (must be a multiple of 8 for 64-bit, mostly ignored if NumberOfSections is zero, so executable with restrictions)
01Ah    dw     0002                        ;Characteristics (can be any value if bit 1 (executable) is set and bit 13 (DLL) is clear, so executable with restrictions)
01Ch    dw     010Bh                       ;Magic (executable but unchangeable - the 01 can form part of an "add", for example)
01Eh    db     0EEh                        ;MajorLinkerVersion
01Fh    db     0EEh                        ;MinorLinkerVersion
020h    dd     0EEEEEEEEh                  ;SizeOfCode
024h    dd     0EEEEEEEEh                  ;SizeOfInitializedData
028h    dd     0EEEEEEEEh                  ;SizeOfUninitializedData
02Ch    dd     0000003Ah                   ;AddressOfEntryPoint (executable if chosen carefully, for example a "mov reg, 0")
030h    dd     0EEEEEEEEh                  ;BaseOfCode
034h    dd     0EEEEEEEEh                  ;BaseOfData
038h    dd     00CC0000h                   ;ImageBase
03Ch    dd     00000004                    ;SectionAlignment (also lfanew for DOS header, and values < 1000h disable DEP so we can run directly from the file header)
040h    dd     00000004                    ;FileAlignment (must == SectionAlignment if < 1000h, but can't be changed because of lfanew position)
044h    dw     0EEEEh                      ;MajorOperatingSystemVersion
046h    dw     0EEEEh                      ;MinorOperatingSystemVersion
048h    dw     0EEEEh                      ;MajorImageVersion
04Ah    dw     0EEEEh                      ;MinorImageVersion
04Ch    dw     0004                        ;MajorSubsystemVersion (must not be larger than the platform version, a lesser major version allows any minor version
                                           ;a major value of 4 is easier to use, since it decodes to "add al, 0")
04Eh    dw     0EEEEh                      ;MinorSubsystemVersion (must be 0ah or larger if major version is 3)
050h    dd     0EEEEEEEEh                  ;Win32VersionValue (but apparently non-zero values can break D3D support on some systems)
054h    dd     000EEEEEEh                  ;SizeOfImage (does not need to be aligned to anything, even the top byte can be used for small values)
058h    dd     0000002Ch                   ;SizeOfHeaders (this is the size in memory, not the size on disk, so can be > filesize, but must be < SizeOfImage
                                           ;cannot be < 2ch in Windows 7 because of a bug when checking section names for compatibility purposes
                                           ;must be <= AddressOfEntryPoint in Windows 8
                                           ;executable if chosen carefully, for example a "mov reg, 0")
05Ch    dd     0EEEEEEEEh                  ;CheckSum
060h    dw     0002                        ;SubSystem
062h    dw     0EE0Eh                      ;DllCharacteristics (can be any value if bit 7 (integrity checks) is clear, bit 10 (no SEH) is clear if you want to use SEH, and bit 12 (appcontainer) is clear in Windows 8)
064h    dd     0EEEEEEEh                   ;SizeOfStackReserve (top byte can be used for small values)
068h    dd     0EEEEEEEh                   ;SizeOfStackCommit (top byte can be used for small values)
06Ch    dd     0EEEEEEEh                   ;SizeOfHeapReserve (top byte can be used for small values)
070h    dd     0EEEEEEEh                   ;SizeOfHeapCommit (top byte can be used for small values)
074h    dd     0EEEEEEEEh                  ;LoaderFlags
078h    dd     00000000                    ;NumberOfRvaAndSizes
07Ch    dq     6 dup (0EEEEEEEEEEEEEEEEh)  ;DataDirectory RVA and Sizes would be here, if we had any
0ACh    dd     0EEEEEEEEh                  ;Debug.RVA
0B0h    dd     00000000                    ;Debug.Size (must be < 1ch if NX policy is not set to opt-in (or if undocumented RTL_USER_PROCESS_PARAMETERS.Flags bit 17 is set)
                                           ;because of a bug in Windows that assumes that there are always enough data directories to include a Debug directory, and just reads directly from the directory
                                           ;if the Size is non-zero, then Windows attempts to interpret the Debug data and might crash)
0B4h    db     58h dup (0EEh)              ;padding to reach 10ch, the minimum file size for 64-bit platforms
10Ch                                       ;end of header

64-bit version
(download source code) (zip)

legend:
EE - executable without restriction
0E - executable with restriction

offset  type   contents                    comments
000h    db     'M', 'Z'                    ;DOS signature
002h    db     'P', 'F'                    ;these are executable, too, but if Mark can put his signature... ;-)
004h    db     'P', 'E', 0, 0              ;Signature
008h    dw     8664h                       ;Machine (x64 for this example)
00Ah    dw     0000                        ;NumberOfSections (zero sections has always been legal on NT-based platforms)
00Ch    dd     0EEEEEEEEh                  ;TimeDateStamp
010h    dd     0EEEEEEEEh                  ;PointerToSymbolTable
014h    dd     0EEEEEEEEh                  ;NumberOfSymbols
018h    dw     0008                        ;SizeOfOptionalHeader (must be a multiple of 8 for 64-bit, mostly ignored if NumberOfSections is zero, so executable with restrictions)
01Ah    dw     0002                        ;Characteristics (can be any value if bit 1 (executable) is set and bit 13 (DLL) is clear, so executable with restrictions)
01Ch    dw     020Bh                       ;Magic (executable but unchangeable - the 02 can form part of an "add", for example)
01Eh    db     0EEh                        ;MajorLinkerVersion
01Fh    db     0EEh                        ;MinorLinkerVersion
020h    dd     0EEEEEEEEh                  ;SizeOfCode
024h    dd     0EEEEEEEEh                  ;SizeOfInitializedData
028h    dd     0EEEEEEEEh                  ;SizeOfUninitializedData
02Ch    dd     00000036h                   ;AddressOfEntryPoint (executable if chosen carefully, for example a "mov reg, 0")
030h    dd     0EEEEEEEEh                  ;BaseOfCode
034h    dq     0000000000CC0000h           ;ImageBase
03Ch    dd     00000004                    ;SectionAlignment (also lfanew for DOS header, and values < 1000h disable DEP so we can run directly from the file header)
040h    dd     00000004                    ;FileAlignment (must == SectionAlignment if < 1000h, but can't be changed because of lfanew position)
044h    dw     0EEEEh                      ;MajorOperatingSystemVersion
046h    dw     0EEEEh                      ;MinorOperatingSystemVersion
048h    dw     0EEEEh                      ;MajorImageVersion
04Ah    dw     0EEEEh                      ;MinorImageVersion
04Ch    dw     0004                        ;MajorSubsystemVersion (must not be larger than the platform version, a lesser major version allows any minor version
                                           ;a major value of 4 is easier to use, since it decodes to "add al, 0")
04Eh    dw     0EEEEh                      ;MinorSubsystemVersion (must be 0ah or larger if major version is 3)
050h    dd     0EEEEEEEEh                  ;Win32VersionValue (but apparently non-zero values can break D3D support on some systems)
054h    dd     000EEEEEEh                  ;SizeOfImage (does not need to be aligned to anything, even the top byte can be used for small values)
058h    dd     00000000                    ;SizeOfHeaders (this is the size in memory, not the size on disk, so can be > filesize, but must be < SizeOfImage
                                           ;must be <= AddressOfEntryPoint in Windows 8
                                           ;executable if chosen carefully, for example a "mov reg, 0")
05Ch    dd     0EEEEEEEEh                  ;CheckSum
060h    dw     0002                        ;SubSystem
062h    dw     0EE0Eh                      ;DllCharacteristics (can be any value if bit 7 (integrity checks) is clear, bit 10 (no SEH) is clear if you want to use SEH, and bit 12 (appcontainer) is clear in Windows 8)
064h    dq     000000000EEEEEEEh           ;SizeOfStackReserve (top byte of low dword can be used for small values, but much harder to use)
06Ch    dq     000000000EEEEEEEh           ;SizeOfStackCommit (top byte of low dword can be used for small values, but much harder to use)
074h    dq     000000000EEEEEEEh           ;SizeOfHeapReserve (top byte of low dword can be used for small values, but much harder to use)
07Ch    dq     000000000EEEEEEEh           ;SizeOfHeapCommit (top byte of low dword can be used for small values, but much harder to use)
084h    dd     0EEEEEEEEh                  ;LoaderFlags
088h    dd     00000000                    ;NumberOfRvaAndSizes
08Ch    times  80h db (0EEh)               ;padding to reach 10ch, the minimum file size for 64-bit platforms
                                           ;DataDirectory RVA and Sizes would be here, if we had any
10Ch                                       ;end of header
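
Added example, not part of the original page or its downloadable source: a Python triage check that flags the header traits both tables depend on (PE header placed inside the DOS header, zero sections, SizeOfOptionalHeader of 8, SectionAlignment below 1000h, entry point inside the header). The function names, finding codes and sample buffers are assumptions made for this illustration; the samples are constructed from the field values in the tables, with 0EEh filler everywhere else.

```python
import struct

FIXED_OPT = {0x10B: 0x60, 0x20B: 0x70}  # optional-header bytes before the data directories

def header_findings(data):
    """Return finding codes for the header traits used by the layouts above."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return ["not_mz"]
    lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = lfanew + 0x18  # optional header follows signature + file header
    if len(data) < opt + 0x40 or data[lfanew:lfanew + 4] != b"PE\0\0":
        return ["no_pe_signature"]
    nsec = struct.unpack_from("<H", data, lfanew + 0x06)[0]
    opt_size = struct.unpack_from("<H", data, lfanew + 0x14)[0]
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 0x10)[0]
    sect_align, file_align = struct.unpack_from("<II", data, opt + 0x20)
    fixed = FIXED_OPT.get(magic)
    if fixed is None:
        return ["unknown_magic"]
    checks = [
        (lfanew < 0x40, "pe_header_inside_dos_header"),      # lfanew is 4 in both tables
        (nsec == 0, "zero_sections"),
        (opt_size < fixed, "short_optional_header"),         # tables use 8
        (sect_align < 0x1000, "section_alignment_below_page"),
        (sect_align < 0x1000 and file_align != sect_align, "alignment_mismatch"),
        (entry < opt + fixed, "entry_point_in_header"),      # 3Ah / 36h in the tables
    ]
    return [code for hit, code in checks if hit]

def build_header(size, lfanew, magic, nsec, opt_size, entry, sect_align, file_align):
    """Constructed sample: only the fields read above are set, the rest is 0EEh filler."""
    buf = bytearray(b"\xEE" * size)
    buf[0:2] = b"MZ"
    buf[lfanew:lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, lfanew + 0x06, nsec)
    struct.pack_into("<H", buf, lfanew + 0x14, opt_size)
    opt = lfanew + 0x18
    struct.pack_into("<H", buf, opt, magic)
    struct.pack_into("<I", buf, opt + 0x10, entry)
    struct.pack_into("<II", buf, opt + 0x20, sect_align, file_align)
    struct.pack_into("<I", buf, 0x3C, lfanew)  # last: shares 03Ch with SectionAlignment when lfanew is 4
    return bytes(buf)

TINY32 = build_header(0x10C, 4, 0x10B, 0, 8, 0x3A, 4, 4)   # field values from the 32-bit table
TINY64 = build_header(0x10C, 4, 0x20B, 0, 8, 0x36, 4, 4)   # field values from the 64-bit table
TYPICAL = build_header(0x400, 0x80, 0x10B, 3, 0xE0, 0x1000, 0x1000, 0x200)  # constructed ordinary layout
```

Both table-derived samples return the same five findings, while the constructed ordinary layout returns none.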

Copyright (c) 2012-2013 Peter Ferrie
All rights reserved
