Geoff Chappell - Software Analyst
DUMPBIN recognises as an executable any file whose size is at least 0x40 and whose first two bytes are MZ. This is taken to establish that the file begins with a structure that Microsoft defines symbolically (in the WINNT.H header from the Platform SDK) as an IMAGE_DOS_HEADER.
A file that meets these requirements but is not then recognisable as a Windows executable is said by DUMPBIN to be an “MS-DOS executable”. Presenting DUMPBIN with such a file produces a warning (LNK4094), with a direction to use a program named EXEHDR instead. The file, being identified but unsupported, is thereafter ignored.
In a Windows executable, the e_lfanew member of the DOS header will give a file offset to one or another sort of new header. However, in a DOS executable, this member may simply be part of the DOS relocation table or be padding, or even be code or data. DUMPBIN rejects the e_lfanew member as a file offset to a new header for a Windows executable if the member is either zero or would not allow at least four more bytes before the end of the file.
DUMPBIN recognises three types of Windows executable, depending on the first two or four bytes of the new header:
| Signature size | Signature | Executable type |
|---|---|---|
| four bytes | PE and two null bytes | Windows 32-bit executable |
| two bytes | NE | Windows 16-bit executable |
| two bytes | LE | Windows VxD |
Presenting DUMPBIN with a Windows 16-bit executable produces a warning (LNK4095), again with a direction to use the EXEHDR program instead. The file, being identified but unsupported, is thereafter ignored.
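The recognition rules above can be restated as a small classifier, useful when triaging files whose header a tool may read differently than the Windows loader does. This is an added example, not DUMPBIN's code: the function names and sample files are constructed here, the 0x3C offset of e_lfanew comes from the IMAGE_DOS_HEADER layout in WINNT.H, and reading e_lfanew as unsigned is an assumption.

```python
import struct

DOS_HEADER_SIZE = 0x40   # minimum file size stated in the text
E_LFANEW_OFFSET = 0x3C   # position of e_lfanew in IMAGE_DOS_HEADER (WINNT.H)


def classify(data: bytes) -> str:
    """Return the file type that the rules described above assign to data."""
    if len(data) < DOS_HEADER_SIZE or data[:2] != b"MZ":
        return "not an executable"
    # Assumption: e_lfanew is treated as unsigned, so very large values
    # simply fail the bounds check below.
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    # Rejected as an offset if zero or if fewer than four bytes remain.
    if e_lfanew == 0 or e_lfanew + 4 > len(data):
        return "MS-DOS executable"
    sig = data[e_lfanew:e_lfanew + 4]
    if sig == b"PE\0\0":
        return "Windows 32-bit executable"
    if sig[:2] == b"NE":
        return "Windows 16-bit executable"
    if sig[:2] == b"LE":
        return "Windows VxD"
    # Valid offset but no recognised signature: identified only as MS-DOS.
    return "MS-DOS executable"


def make_sample(e_lfanew: int, signature: bytes, total: int = 0x80) -> bytes:
    """Build a constructed sample: zero-filled file with MZ, e_lfanew, signature."""
    buf = bytearray(total)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, e_lfanew)
    # Only place the signature when it fits after the DOS header.
    if DOS_HEADER_SIZE <= e_lfanew and e_lfanew + len(signature) <= total:
        buf[e_lfanew:e_lfanew + len(signature)] = signature
    return bytes(buf)


if __name__ == "__main__":
    samples = {
        "PE at 0x40": make_sample(0x40, b"PE\0\0"),
        "NE at 0x40": make_sample(0x40, b"NE"),
        "LE at 0x40": make_sample(0x40, b"LE"),
        "e_lfanew is zero": make_sample(0, b""),
        "NE two bytes before EOF": make_sample(0x7E, b"NE"),
        "PE without two nulls": make_sample(0x40, b"PE\0\1"),
    }
    for name, blob in samples.items():
        print(f"{name:26} -> {classify(blob)}")
```

The "NE two bytes before EOF" sample shows the bounds rule in action: the two-byte signature is present, but the offset is rejected because four bytes are not available.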