portable-executable

Windows initial execution context

安稳与你 submitted on 2019-12-04 14:44:53
Once Windows has loaded an executable in memory and transfers execution to the entry point, are the values in registers and on the stack meaningful? If so, where can I find more information about it? Officially, the registers at the entry point of a PE file do not have defined values. You're supposed to use APIs, such as GetCommandLine, to retrieve the information you need. However, since the kernel function that eventually transfers control to the entry point did not change much from the old days, some PE packers and malware started to rely on its peculiarities. The two more or less reliable registers

Where is the digital signature stored when code signing an exe file in Windows?

我是研究僧i submitted on 2019-12-04 13:32:09
As stated in the question title. However, I am using a "trick" where I store extra data after the executable to be used at runtime (see here ). Signing my executable appears to break this 'trick' however, so my question is where is the signature stored in the exe (PE) file? I am using signtool from Microsoft to sign my executable. An embedded digital signature is always appended to the end of the executable file, whether or not you have custom data attached to it. The attached data is included in the hash of the signature. The location and size of the signature is stored in the security

Detect a digital signature without WinVerifyTrust

一世执手 submitted on 2019-12-04 13:04:37
I have a large number of EXE files and need to figure out which ones have digital signatures. Does anyone know if there is a way to check without access to WinVerifyTrust (they're all on a Unix server). I can't seem to find any information on where the digital signature actually is inside the EXE. If I could find out where it is I might be able to open the file and fseek to a location to test. I don't need to do "real" verification on the certificate, I just want to see if a digital signature is present (or, more importantly, NOT present) without having to use WinVerifyTrust. As mentioned

C library to read EXE version from Linux?

丶灬走出姿态 submitted on 2019-12-04 11:21:46
Question: Is there a library I can use in Linux that will return the properties of a Windows EXE file that are listed in Explorer's Version tab? These are fields like Product Name, Product Version, Description, etc. For my project, the EXE file can only be read from memory, not from a file. I would like to avoid writing the EXE file to disk. Answer 1: The version of the file is in the VS_FIXEDFILEINFO struct, but you have to find it in the executable data. There are two ways of doing what you want: Search

How to determine the size of a PE executable file from headers and/or footers

感情迁移 submitted on 2019-12-04 10:28:45
Assuming you have a stream of data or a block of bytes you want to carve, how can you determine the size of the executables? There are numerous headers inside the PE executable format, but what header sections do I use to determine (if possible) the total length of the executable? Here is a picture of the file format. If the PE file is well formed, the calculation can be simplified as (pseudo-code): size = IMAGE_NT_HEADERS.OptionalHeader.SizeOfHeaders foreach section_header in section_headers: size += section_header.SizeOfRawData Where: SizeOfHeaders is a member of IMAGE_OPTIONAL_HEADER

PE Header Requirements

孤者浪人 submitted on 2019-12-04 07:24:12
What are the requirements of a PE file (PE/COFF)? What fields should be set, which value, at a bare minimum for enabling it to "run" on Windows (i.e. executing "ret" instruction and then close, without error). The library I am building first is the linker: Now, the problem I have is the PE file (PE/COFF). I don't know what is "required" for a PE file before it can actually execute on my platform. My testing platform is Vista. I get an error message, saying " This is not a valid Win32 executable. " when I execute it by double-clicking, and I get an "Access Denied." when executing it with CLI

PE - Distinguish data from function export

狂风中的少年 submitted on 2019-12-04 06:51:15
I'm trying to find a way to figure out in IDA which exports are data exports and which are real function exports. For example, let's have a look at Microsoft's msftedit.dll's export entries: While CreateTextServices is a real exported function, IID_IRichEditOle is a data export and IDA fails to realize that, interpreting data as code: Does someone know a reliable way to distinguish the two? Help will be much appreciated. Thanks in advance. There is no perfectly reliable way to do this for every export. Each export only specifies an offset within the executable file -- logically, it could be

No .BSS in PE file

纵然是瞬间 submitted on 2019-12-04 05:21:54
Question: Here is a short console application example static char buffer[4096]; int main() { for(int i=0;i<4096;i++) { buffer[i] = 1234; } return 0; } As I understand, the 'exe' file produced by the compiler should contain a .bss section to store the 'buffer' variable. I'm using Tiny C Compiler and the resulting file does not contain any reference to .bss. DOS Header Magic number: 0x5a4d (MZ) Bytes in last page: 144 Pages in file: 3 Relocations: 0 Size of header in paragraphs: 4 Minimum extra paragraphs: 0 Maximum

What are the effects of the PE header “subsystem” field?

柔情痞子 submitted on 2019-12-04 04:17:23
I have several questions about the PE "subsystem" field, which may overlap to some extent. To avoid spamming this place with each question separately, I thought I'd ask them together and then re-ask separately anything that doesn't get addressed. Hope this is OK... I know that IMAGE_SUBSYSTEM_WINDOWS_CUI makes the OS "pre-attach" the process to a console, either of its parent process or creating a new console if necessary. IMAGE_SUBSYSTEM_WINDOWS_GUI doesn't do that. Are there any other differences between these two in a modern version of Windows? Have there been more in the past? What about

Replacing icon in Windows *.exe from open-source platform-independent Java code

社会主义新天地 submitted on 2019-12-04 03:53:43
First of all, this is not a duplicate of the very common question of making an EXE from Java classes. I do not need to do that. To solve NetBeans RFE #64612 without manual steps I need a Java (6+) library which can take an existing Windows *.exe file and replace its icon with a substitute in a common format. The executable, which is generic and prebuilt (distributed in binary form), already knows how to load an application-specific config file and then start the JRE with various application JARs etc.; the only problem is that it has a generic icon, and I would like to replace that icon as part