Understanding MZ Headers

Authors: Chetan Giridhar, Rahul Verma


Have you tried opening a binary file in Notepad? Try it and you will see a lot of gibberish. Or rather, gibberish for human readers, but optimised for the software that deals with a given binary format.

Try the same with a PE (Portable Executable) file (DLL/EXE) in Notepad. What do you find? Were you able to read what’s in there?

You can surely read the first two letters, “MZ”, at the beginning of each of these files! With a little homework you will learn that every binary file format starts with what are commonly called “magic bytes”: the first 2-3 bytes in the file, which identify the type of file. The focus of this short article is not the PE file format as such, but the history of how “MZ” came to be the magic bytes for the PE format, and why not something as simple as “PE”.

This article discusses the file format of PE files in 32-bit and 64-bit versions of Windows, with an emphasis on the MZ header section. It also aims to inform readers about a tool (PEViewer) that can help users read through the MZ header of a PE file.
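As an added illustration (not code from the article and not part of PEViewer), the Python below checks the “MZ” magic bytes, follows the DOS header's e_lfanew field at offset 0x3C to the “PE” signature, and reports whether the image is 32-bit or 64-bit. The function names parse_mz_header and build_sample are hypothetical, and the sample bytes are constructed header stubs rather than real executables.

```python
import struct

DOS_MAGIC = b"MZ"           # e_magic: first two bytes of the DOS (MZ) header
PE_SIGNATURE = b"PE\0\0"    # signature at the file offset stored in e_lfanew
MACHINES = {0x014C: "x86", 0x8664: "x64"}
OPT_MAGIC = {0x10B: "PE32 (32-bit)", 0x20B: "PE32+ (64-bit)"}


def parse_mz_header(data: bytes) -> dict:
    """Validate the MZ header and follow e_lfanew to the PE header."""
    if len(data) < 64:
        raise ValueError("too short to hold a 64-byte DOS header")
    if data[:2] != DOS_MAGIC:
        raise ValueError("missing MZ magic bytes")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # e_lfanew is file-controlled: bounds-check before dereferencing it.
    # 26 = 4 (signature) + 20 (COFF file header) + 2 (optional-header magic)
    if e_lfanew + 26 > len(data):
        raise ValueError("e_lfanew points outside the file")
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (opt_magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    return {
        "e_lfanew": e_lfanew,
        "machine": MACHINES.get(machine, hex(machine)),
        "format": OPT_MAGIC.get(opt_magic, hex(opt_magic)),
    }


def build_sample(machine: int, opt_magic: int, e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal header bytes (not a runnable executable)."""
    dos = DOS_MAGIC + b"\0" * 58 + struct.pack("<I", e_lfanew)  # 64 bytes
    stub = b"\0" * (e_lfanew - len(dos))
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)   # 20 bytes
    return dos + stub + PE_SIGNATURE + coff + struct.pack("<H", opt_magic)


if __name__ == "__main__":
    for machine, magic in ((0x014C, 0x10B), (0x8664, 0x20B)):
        print(parse_mz_header(build_sample(machine, magic)))
```

A file that begins with “MZ” but has no valid PE signature at e_lfanew is rejected, which is why a check on the magic bytes alone is not enough to call a file a PE image.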
