Monday, June 23, 2014

Determining if a file is an executable (.exe) programmatically.

Ever look at the hex dump of an .exe file and wonder why it starts with MZ?

Offset:0(0x0)  size:131072( 0x20000 ) dump by http://pedump.me/ 
00000000:  4d 5a 90 00 03 00 00 00  04 00 00 00 ff ff 00 00  |MZ..............|
00000010:  b8 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00  |........@.......|
00000020:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000030:  00 00 00 00 00 00 00 00  00 00 00 00 e8 00 00 00  |................|
00000040:  0e 1f ba 0e 00 b4 09 cd  21 b8 01 4c cd 21 54 68  |........!..L.!Th|
00000050:  69 73 20 70 72 6f 67 72  61 6d 20 63 61 6e 6e 6f  |is program canno|
00000060:  74 20 62 65 20 72 75 6e  20 69 6e 20 44 4f 53 20  |t be run in DOS |
00000070:  6d 6f 64 65 2e 0d 0d 0a  24 00 00 00 00 00 00 00  |mode....$.......|

Well, here's your trivial fact of the day...

In ASCII representation, 0x5A4D is MZ, the initials of Mark Zbikowski, one of the original architects of MS-DOS.

And guess what: this is how we determine whether a file is an executable; we just check for "MZ" at the beginning of it.


Why would you do this? Well, if you create a firewall rule to scan zip files, you might want to check whether they contain renamed executables by testing for "MZ"-ness.

 Here's the code
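The post's own listing is not reproduced here. The following is an added example, not the blog author's code: it checks the "MZ" magic described above, then goes one step further than the post and follows the e_lfanew field (a 32-bit offset stored at 0x3C of the DOS header, 0xE8 in the dump above) to confirm the "PE\0\0" signature, since a bare "MZ" can also begin a plain DOS program or any file that happens to start with those two letters. It then applies the same check to every member of a zip archive regardless of extension, which is the firewall use case the post mentions. The sample PE header is constructed from the dump bytes in the post padded with zeros, and the archive contents and member names are made up for the example.

```python
import io
import struct
import zipfile

MZ_MAGIC = b"MZ"           # 0x5A4D, stored little-endian as bytes 4d 5a at offset 0
PE_SIGNATURE = b"PE\0\0"   # sits at the offset given by e_lfanew (DOS header offset 0x3C)
E_LFANEW_OFFSET = 0x3C

# Constructed sample: the 128 header bytes from the dump in the post, then zero
# padding up to e_lfanew (0xE8), then the PE signature and a zeroed COFF header.
_DOS_HEADER_FROM_POST = bytes.fromhex(
    "4d5a90000300000004000000ffff0000"
    "b8000000000000004000000000000000"
    "00000000000000000000000000000000"
    "000000000000000000000000e8000000"
    "0e1fba0e00b409cd21b8014ccd215468"
    "69732070726f6772616d2063616e6e6f"
    "742062652072756e20696e20444f5320"
    "6d6f64652e0d0d0a2400000000000000"
)
SAMPLE_PE = _DOS_HEADER_FROM_POST + bytes(0xE8 - len(_DOS_HEADER_FROM_POST)) + PE_SIGNATURE + bytes(20)


def is_mz(data: bytes) -> bool:
    """The check from the post: does the buffer start with the DOS 'MZ' magic?"""
    return data[:2] == MZ_MAGIC


def is_pe(data: bytes) -> bool:
    """Stricter check: MZ magic, a sane e_lfanew, and 'PE\\0\\0' at that offset."""
    if not is_mz(data) or len(data) < E_LFANEW_OFFSET + 4:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    # The PE header must lie inside the bytes we actually have; a huge or
    # truncated offset is treated as "not a PE", not as an error.
    if e_lfanew + len(PE_SIGNATURE) > len(data):
        return False
    return data[e_lfanew:e_lfanew + len(PE_SIGNATURE)] == PE_SIGNATURE


def scan_zip_for_executables(zip_bytes: bytes, head: int = 4096):
    """Return (member name, is_pe) for every archive member that starts with MZ.

    Only the first `head` bytes of each member are decompressed, which is enough
    for the DOS header and the PE signature of any normal executable.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head_bytes = member.read(head)
            if is_mz(head_bytes):
                hits.append((info.filename, is_pe(head_bytes)))
    return hits


def build_sample_zip() -> bytes:
    """Constructed archive: one harmless text file, one renamed PE, one MZ-only file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"just some text\n")
        zf.writestr("invoice.pdf", SAMPLE_PE)              # executable hiding behind a .pdf name
        zf.writestr("notes.txt", b"MZ" + bytes(0x100))     # starts with MZ but has no PE header
    return buf.getvalue()


if __name__ == "__main__":
    for name, pe in scan_zip_for_executables(build_sample_zip()):
        print(f"{name}: MZ header found, valid PE signature = {pe}")
```

Checking the PE signature as well as "MZ" is what keeps the firewall rule from flagging every file that merely begins with those two letters; the `notes.txt` member in the sample shows the difference between the two checks.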
