4sens

Reputation: 1

Why does the runPE not work with a specific type of executables?

I am currently trying to get an executable running in memory. Because it is highly likely that someone will ask later: Yes, it will be used for malicious software in order to hide it from AV. It is only for educational purposes, specifically for a school project (it will be part of my graduation). However, the question concerns something else. I found a really good source on Github: https://github.com/aaaddress1/RunPE-In-Memory, which works perfectly for my uses (I already changed it for my purposes etc.), except for the trojan I want to run. I tried it with several, e.g. Darkcomet or Darktrack (it needs to be something old that is already well known, to demonstrate how you could reuse them). I thought that because Darkcomet is coded in Delphi (which outputs a native?), it would work like any other EXE file (like the ones provided on Github), but it just does not start. In Darkcomet there is also an option for making the malicious server file noticeable, so it is safe to say that I did not fail at any port-forwarding stuff.

My first intention was then to open the EXE in a text editor and check whether it is even the same architecture. I can find "PE L" in both binaries, so as far as I know both are 32-bit. One thing that seemed strange to me was the two lines

"This program cannot be run in DOS mode." for the compiled runPE loader and

"This program must be run under Win32" for the trojan executable.

Furthermore, the two binaries differ in the first chars: MZ and MZP. After opening up more binaries and testing them, I came to the conclusion that the ones with "This program must be run under Win32" do not work.

As far as I know (and also googled), there are DOS and Windows executables. But if there are only these two types, why is there a difference? "must be run under Win32" == "cannot be run in DOS mode." in my opinion.

I also looked up those two terms, but I only get threads about people who try to run these Windows PEs in DOSBox or similar things.

So, my actual two questions are:

- What is the difference between "This program must be run under Win32" (Type1) and "This program cannot be run in DOS mode." (Type2)?

- Why does it not work if I want to push a (Type1) program into memory with the (Type2) RunPe-InMemory executable which I made from the Github repository?

Upvotes: 0

Views: 1373

Answers (1)

Martin Rosenau

Reputation: 18503

What is the difference between ... (Type1) and ... (Type2)

Nothing:

A "PE" executable consists of some MS-DOS EXE file followed by a 32- or 64-bit part.

If you start the "PE" executable under MS-DOS (or any compatible operating system), DOS will ignore the 32- or 64-bit part and execute the MS-DOS EXE file at the start of the "PE" executable file.

A few programs are written in a way that the DOS EXE file at the start of the PE file is doing the same as the Windows part, so you can use the same EXE file both under DOS and Windows.

However, in most cases the DOS part only prints some error message saying that the program cannot be started under MS-DOS.

What you see here are two different MS-DOS programs at the start of the PE EXE files; one program prints the error message "This program must be run under Win32", the other one prints "This program cannot be run in DOS mode."

Furthermore the two Binaries differ in the first chars: MZ and MZP

This is also not a difference:

The third byte of MS-DOS files is one of many bytes describing the length of an MS-DOS program. Because you have different MS-DOS programs, they also have different lengths.

In one case the byte has the value 80, which is shown as "P" in a text editor.

In the other case the byte might have the value 10 (as an example), which is not shown as character in a text editor.

Why does the runPE not work with a specific type of executables?

Not having seen the trojan, I cannot answer this.

However, I have seen many trojans which do not use a correct "PE" file format.

(However, in these cases the "errors" were after the "PE L", not in the "MZ"-part.)

Upvotes: 1
