Reputation: 23
Why the type of `e_lfanew` field in struct IMAGE_DOS_HEADER(winnt.h) is LONG?
struct IMAGE_DOS_HEADER from Win11 SDK:
typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
WORD e_magic; // Magic number
WORD e_cblp; // Bytes on last page of file
WORD e_cp; // Pages in file
WORD e_crlc; // Relocations
WORD e_cparhdr; // Size of header in paragraphs
WORD e_minalloc; // Minimum extra paragraphs needed
WORD e_maxalloc; // Maximum extra paragraphs needed
WORD e_ss; // Initial (relative) SS value
WORD e_sp; // Initial SP value
WORD e_csum; // Checksum
WORD e_ip; // Initial IP value
WORD e_cs; // Initial (relative) CS value
WORD e_lfarlc; // File address of relocation table
WORD e_ovno; // Overlay number
WORD e_res[4]; // Reserved words
WORD e_oemid; // OEM identifier (for e_oeminfo)
WORD e_oeminfo; // OEM information; e_oemid specific
WORD e_res2[10]; // Reserved words
LONG e_lfanew; // File address of new exe header
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
Here e_lfanew is LONG type, but I found other version of winnt.h is:
typedef struct _IMAGE_DOS_HEADER {
WORD e_magic; /* 00: MZ Header signature */
WORD e_cblp; /* 02: Bytes on last page of file */
WORD e_cp; /* 04: Pages in file */
WORD e_crlc; /* 06: Relocations */
WORD e_cparhdr; /* 08: Size of header in paragraphs */
WORD e_minalloc; /* 0a: Minimum extra paragraphs needed */
WORD e_maxalloc; /* 0c: Maximum extra paragraphs needed */
WORD e_ss; /* 0e: Initial (relative) SS value */
WORD e_sp; /* 10: Initial SP value */
WORD e_csum; /* 12: Checksum */
WORD e_ip; /* 14: Initial IP value */
WORD e_cs; /* 16: Initial (relative) CS value */
WORD e_lfarlc; /* 18: File address of relocation table */
WORD e_ovno; /* 1a: Overlay number */
WORD e_res[4]; /* 1c: Reserved words */
WORD e_oemid; /* 24: OEM identifier (for e_oeminfo) */
WORD e_oeminfo; /* 26: OEM information; e_oemid specific */
WORD e_res2[10]; /* 28: Reserved words */
DWORD e_lfanew; /* 3c: Offset to extended header */
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
but here e_lfanew is DWORD, I'm not sure whether it's old version of winnt.h from Win9x, if so, what's the reason change to use LONG not keeping DWORD?
I searched a lot in google, but have no any informations. Some article tells e_lfanew is DWORD
e_lfanew: The last member of the DOS MZ Header is e_lfanew which is a DWORD that means it consist of last 4 bytes of the DOS MZ header. It holds the offset to the start of PE Header. This value is check by the PE loader of the windows system which offset to load for PE Header.
but it's LONG in winnt.h actually on his article:
The first 64 bytes of the PE file is known as DOS MZ Header which is define in winnt.h or windows.inc . The member of DOS MZ header structure is shown below.
typedef struct _IMAGE_DOS_HEADER {
...
LONG e_lfanew;
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
Seems that some people thinks e_lfanew is DWORD, what is the reason that this situation occurred?
Upvotes: 1
Views: 101
Answers (0)
Related Questions
- Why does the 260 character path length limit exist in Windows?
- How to prevent auto-closing of console after the execution of batch file
- error RC2247: Symbol name too long (winnt.h)
- Processing ELF relocations - understanding the relocs, symbols, section data, and how they work together
- Convert char array to integer value
- Manually sign a PE file
- The difference between the 'Local System' account and the 'Network Service' account?
- VA (Virtual Address) & RVA (Relative Virtual Address)
- ELF Relocation reverse engineering
- x86 segmentation, DOS, MZ file format, and disassembling