Understanding MZ Headers

Authors: Chetan Giridhar, Rahul Verma

image: http://freedigitalphotos.net/

Have you tried opening a binary file in notepad? Try it and you would see a lot of gibberish. Or we should say gibberish for human users but optimised for the software that deals with a given binary format.

Try the same for a PE (Portable Executable) file (Dll/Exe) in a notepad. What do you find? Were you able to read what’s in there?

You can surely read the first two letters “MZ” at the beginning of each of these files! With a little homework you can know that every binary file format starts with what is commonly called as “Magic Bytes”. These are the first 2-3 bytes in the file which tell the type of file. Focus of this small article is not the PE file format as such but on the history of how “MZ” came into being as the magic bytes for PE format and why not something as simple as “PE”?

This article discusses about the file format of the PE files in 32 bit and 64 bit versions of Windows with an emphasis on MZ header section. It aims to inform the readers about a tool (PEViewer) that can help users to read through the MZ header of the PE file.

Read More…

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s