What field of the PE header tells whether a file is a valid PE file or not?
-
Hello, I need to check whether a given binary is a valid PE file (perhaps someone might rename a Java file/class file or .js/html files to .exe or .DLL). In this case I suspect that the e_magic field of the FileHeader structure would tell this. Or will any other field let the user know about the validity of a PE file? Regards, Usman
-
I am not sure if this is what you are looking for or not, but here they say:
Old MS-DOS .exe files and the newer Microsoft Windows PE (Portable Executable) .exe files start with the ASCII string "MZ" (4D 5A), the initials of the designer of the file format, Mark Zbikowski. The definition allows "ZM" (5A 4D) as well, but this is quite uncommon.
> The problem with computers is that they do what you tell them to do and not what you want them to do. < > "It doesn't work, fix it" does not qualify as a bug report. < > Amazing what new features none of the programmers working on the project ever heard of you can learn about when reading what the marketing guys wrote about it. <
-
The PEF specification is a large set of rules that must be obeyed. Obeying some of them is insufficient to be a valid EXE file. So you could check a few of those rules to rule out the obvious violators; you would have to check everything to be absolutely sure it is a real EXE, though. If all you want to do is discard some obvious non-EXE files, look at the first two bytes, and a couple of the header bytes such as the e_magic field. :)
Luc Pattyn [Forum Guidelines] [Why QA sucks] [My Articles] Nil Volentibus Arduum
Please use <PRE> tags for code snippets, they preserve indentation, and improve readability.
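The quick triage discussed in this thread, as an added example that is not code from any of the posters: it checks e_magic ("MZ"), follows e_lfanew to the "PE\0\0" signature, and checks the optional header Magic, which separates PE images from old MS-DOS executables and renamed files. The names pe_quick_check and make_sample and the sample bytes are constructed for illustration; passing this check rules out obvious non-PE files, it does not prove the file obeys the whole specification.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum pe_check { PE_OK, PE_TOO_SHORT, PE_NO_MZ, PE_BAD_LFANEW, PE_NO_SIGNATURE, PE_BAD_OPT_MAGIC };

/* Little-endian reads, byte by byte: no alignment or host-endianness assumptions. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hypothetical helper: structural triage of a buffer holding the start of a file. */
enum pe_check pe_quick_check(const uint8_t *buf, size_t len)
{
    if (len < 64) return PE_TOO_SHORT;              /* sizeof(IMAGE_DOS_HEADER) */
    if (rd16(buf) != 0x5A4D) return PE_NO_MZ;       /* e_magic: 'M','Z' */
    uint32_t lfanew = rd32(buf + 0x3C);             /* e_lfanew: offset of PE header */
    /* Need signature (4) + IMAGE_FILE_HEADER (20) + optional header Magic (2). */
    if (lfanew > len || len - lfanew < 26) return PE_BAD_LFANEW;
    if (memcmp(buf + lfanew, "PE\0\0", 4) != 0) return PE_NO_SIGNATURE;
    uint16_t magic = rd16(buf + lfanew + 24);       /* IMAGE_OPTIONAL_HEADER.Magic */
    if (magic != 0x10B && magic != 0x20B)           /* PE32 or PE32+ */
        return PE_BAD_OPT_MAGIC;
    return PE_OK;
}

/* Constructed sample: 128 bytes with only the fields the check reads filled in. */
static void make_sample(uint8_t out[128])
{
    memset(out, 0, 128);
    out[0] = 'M'; out[1] = 'Z';
    out[0x3C] = 0x40;                               /* e_lfanew = 0x40 */
    memcpy(out + 0x40, "PE\0\0", 4);
    out[0x40 + 24] = 0x0B; out[0x40 + 25] = 0x02;   /* Magic = 0x20B */
}

int main(void)
{
    uint8_t pe[128], cls[128] = { 0xCA, 0xFE, 0xBA, 0xBE };  /* Java class magic */
    make_sample(pe);
    printf("sample PE header: %d\n", pe_quick_check(pe, sizeof pe));
    printf("renamed .class:   %d\n", pe_quick_check(cls, sizeof cls));
    return 0;
}
```

A buffer that starts with "MZ" but has no "PE\0\0" at e_lfanew returns PE_NO_SIGNATURE, which is the case of an old MS-DOS executable or a file that only imitates the first two bytes.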