jimstar


PE header - Reserved Words at IMAGE_DOS_HEADER

In working on some related code, I noticed that kernel32.dll wasn't identical between various processes executing on my system. Naturally, I was curious why - perhaps some spyware that patched kernel32.dll in some processes but not others? I wrote a quick program to compare the memory of kernel32.dll between all processes on my system and found that a few (5 to be exact) had modifications in the PE header. Doesn't appear to be an important difference, but I am curious why five instances of my kernel32.dll are different than the rest - very odd.

In most of my processes, the IMAGE_DOS_HEADER->e_res =
  44 65 74 6F 75 72 73 21 00 00 00 00 00 00 00 .... [zeros] ...

However, in the five 'modified' versions, IMAGE_DOS_HEADER->e_res =
 00 00 00 00 00 00 00 ..... [zeros] ...

Does anyone happen to know what the 'reserved words' are used for in the IMAGE_DOS_HEADER, and why they would be zeroed in five cases?

======================

typedef struct _IMAGE_DOS_HEADER {      // DOS .EXE header
    WORD   e_magic;                     // Magic number
    WORD   e_cblp;                      // Bytes on last page of file
    WORD   e_cp;                        // Pages in file
    WORD   e_crlc;                      // Relocations
    WORD   e_cparhdr;                   // Size of header in paragraphs
    WORD   e_minalloc;                  // Minimum extra paragraphs needed
    WORD   e_maxalloc;                  // Maximum extra paragraphs needed
    WORD   e_ss;                        // Initial (relative) SS value
    WORD   e_sp;                        // Initial SP value
    WORD   e_csum;                      // Checksum
    WORD   e_ip;                        // Initial IP value
    WORD   e_cs;                        // Initial (relative) CS value
    WORD   e_lfarlc;                    // File address of relocation table
    WORD   e_ovno;                      // Overlay number
    WORD   e_res[4];                    // Reserved words
    WORD   e_oemid;                     // OEM identifier (for e_oeminfo)
    WORD   e_oeminfo;                   // OEM information; e_oemid specific
    WORD   e_res2[10];                  // Reserved words
    LONG   e_lfanew;                    // File address of new exe header
  } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
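
Added example (not part of the original question or of the members-only answer): a portable C check that reads the four e_res words at offset 0x1C of an IMAGE_DOS_HEADER and reports whether they are zero, printable ASCII, or other data. The function and enum names are hypothetical, and the sample header is constructed from the eight bytes quoted in the question, which decode to the ASCII text "Detours!".

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DOS_HDR_SIZE 64    /* sizeof(IMAGE_DOS_HEADER) */
#define E_RES_OFF    0x1C  /* 14 WORDs (28 bytes) precede e_res[4] */
#define E_RES_LEN    8     /* 4 WORDs */

enum res_state { RES_BAD_HEADER = -1, RES_ZERO = 0, RES_TEXT = 1, RES_BINARY = 2 };

/* Classify e_res of the DOS header in buf. When it is printable ASCII, copy it
   NUL-terminated into text, which must hold E_RES_LEN + 1 bytes. */
enum res_state classify_e_res(const uint8_t *buf, size_t len, char *text)
{
    size_t i, nonzero = 0, printable = 0;
    text[0] = '\0';
    if (buf == NULL || len < DOS_HDR_SIZE || buf[0] != 'M' || buf[1] != 'Z')
        return RES_BAD_HEADER;          /* too short, or e_magic is not "MZ" */
    for (i = 0; i < E_RES_LEN; i++) {
        uint8_t b = buf[E_RES_OFF + i];
        nonzero += (b != 0);
        printable += (b >= 0x20 && b < 0x7F);
    }
    if (nonzero == 0) return RES_ZERO;
    if (printable != E_RES_LEN) return RES_BINARY;
    memcpy(text, buf + E_RES_OFF, E_RES_LEN);
    text[E_RES_LEN] = '\0';
    return RES_TEXT;
}

/* Constructed sample: a bare MZ header, optionally carrying the quoted bytes. */
void make_sample(uint8_t *hdr, int marked)
{
    static const uint8_t mark[E_RES_LEN] = {0x44,0x65,0x74,0x6F,0x75,0x72,0x73,0x21};
    memset(hdr, 0, DOS_HDR_SIZE);
    hdr[0] = 'M'; hdr[1] = 'Z';
    if (marked) memcpy(hdr + E_RES_OFF, mark, E_RES_LEN);
}

int main(void)
{
    uint8_t hdr[DOS_HDR_SIZE]; char text[E_RES_LEN + 1];
    for (int marked = 1; marked >= 0; marked--) {
        make_sample(hdr, marked);
        printf("state=%d text=\"%s\"\n", (int)classify_e_res(hdr, sizeof hdr, text), text);
    }
    return 0;
}
```
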
ASKER CERTIFIED SOLUTION
jkr
This solution is only available to members.
jimstar

ASKER

Clever - thanks.