Eh, not sure what use this will all be, but I figured I'd share anyway as I've not seen this trick posted anywhere and it's just a little something I found myself while fiddling around.
Anyhow, if you are interested in making a single executable with both a DOS part and a Windows part (aka utilizing the stub) so that you have some sort of viable alternative that runs under DOS if that is used (which probably isn't too relevant nowadays, but what the hey?) then here is all you'll need to do for testing your DOS part under Windows.
Use a hex editor (or MS-DOS edit) and reverse the MZ at the first two bytes (should look like ZM), save the file, then execute it. It will display the DOS behavior. :)
This works on both NE files (Win16) and PE files (Win32)
I think the reason for this is because ZM is a valid start of a DOS executable (though very rare) but is NOT for a Windows one.
Hence you can test out what the DOS part does of any program this way:)
Afternoon, ShortCoder.
Just tested that out. You're right - it works.
Thanks for the info.
Cheers,
Scronty
Nice trick:alright:
You could also just test the DOS stub part without appending a PE exe :p
And yes, ZM is a valid DOS signature, some old virii used it to check if they had already infected a file...
Apparently programmers at Microsoft forgot to test for ZM as well when coding the PE loader.
As I recall, Luevelsmeyer's tutorial on PE files recommended to check for both signatures, but it appears not to be necessary then...
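The trick from the opening post and the observation above about the PE loader can both be exercised on a constructed file. The script below is an added example, not code from anyone in this thread: it builds a minimal MZ executable in memory (a 64-byte DOS header, the familiar "cannot be run in DOS mode" stub, and a bare PE signature standing in for a real PE image), decodes the header fields each loader cares about, models the two signature checks (DOS accepts MZ or ZM, the PE path wants an exact MZ followed by PE\0\0 at e_lfanew), and flips the signature the way the post does with a hex editor. The loader models are deliberately simplified to the signature tests; the real loaders validate more than this.

```python
"""Added example: the 'MZ' -> 'ZM' trick on a constructed executable.

Not the original poster's code. The sample file is built inline so this runs
offline; the bytes after the stub are only a PE signature plus zero padding,
not a loadable PE image, because the two header checks are all that matter here.
"""
import struct

MZ_SIG = b"MZ"          # IMAGE_DOS_SIGNATURE, 0x5A4D read little-endian
ZM_SIG = b"ZM"          # the reversed form DOS also accepts
PE_SIG = b"PE\0\0"      # IMAGE_NT_SIGNATURE
DOS_HEADER_LEN = 64     # sizeof(IMAGE_DOS_HEADER)
PAGE = 512              # DOS "page" unit behind e_cp / e_cblp


def parse_dos_header(data: bytes) -> dict:
    """Decode the IMAGE_DOS_HEADER fields that decide how each loader treats the file."""
    if len(data) < DOS_HEADER_LEN:
        raise ValueError("file too short for an IMAGE_DOS_HEADER")
    names = ("e_magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc",
             "e_maxalloc", "e_ss", "e_sp", "e_csum", "e_ip", "e_cs", "e_lfarlc", "e_ovno")
    hdr = dict(zip(names, struct.unpack_from("<2s13H", data, 0)))
    hdr["e_lfanew"] = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the PE header
    return hdr


def dos_loader_accepts(data: bytes) -> bool:
    """The DOS EXE loader takes the signature in either byte order (the thread's point)."""
    return data[:2] in (MZ_SIG, ZM_SIG)


def dos_entry_offset(data: bytes) -> int:
    """File offset of the first instruction DOS runs: skip e_cparhdr paragraphs, then CS:IP."""
    h = parse_dos_header(data)
    return h["e_cparhdr"] * 16 + h["e_cs"] * 16 + h["e_ip"]


def windows_loader_accepts(data: bytes) -> bool:
    """Simplified model of the PE loader's signature test: exact 'MZ', then 'PE\\0\\0'
    at e_lfanew. With 'ZM' this fails, which is why Windows falls back to running the
    file as a DOS program instead of as a PE image."""
    if data[:2] != MZ_SIG:
        return False
    off = parse_dos_header(data)["e_lfanew"]
    return off + 4 <= len(data) and data[off:off + 4] == PE_SIG


def flip_signature(data: bytes) -> bytes:
    """Swap 'MZ' <-> 'ZM' in the first two bytes; this is the whole trick from the post."""
    sig = data[:2]
    if sig == MZ_SIG:
        return ZM_SIG + data[2:]
    if sig == ZM_SIG:
        return MZ_SIG + data[2:]
    raise ValueError("not a DOS/Windows executable signature: %r" % sig)


def patch_file(path: str) -> None:
    """Apply the trick in place to a file on disk (what the post does with a hex editor)."""
    with open(path, "rb") as f:
        data = f.read()
    with open(path, "wb") as f:
        f.write(flip_signature(data))


def build_sample() -> bytes:
    """Constructed sample: DOS header, the classic stub, then a bare PE signature."""
    # 16-bit stub: push cs / pop ds / mov dx,000Eh / mov ah,09h / int 21h / mov ax,4C01h / int 21h
    stub_code = bytes.fromhex("0E1FBA0E00B409CD21B8014CCD21")
    stub = stub_code + b"This program cannot be run in DOS mode.\r\r\n$"  # text at stub offset 0x0E
    stub += b"\0" * (-len(stub) % 16)          # keep the PE header paragraph-aligned
    e_lfanew = DOS_HEADER_LEN + len(stub)
    dos_size = e_lfanew                        # DOS should load only header + stub
    e_cp = (dos_size + PAGE - 1) // PAGE       # pages in file, last one partial
    e_cblp = dos_size % PAGE                   # bytes used in the last page
    header = struct.pack("<2s13H", MZ_SIG, e_cblp, e_cp, 0, DOS_HEADER_LEN // 16,
                         0, 0xFFFF, 0, 0xB8, 0, 0, 0, 0x40, 0)
    header += b"\0" * (0x3C - len(header)) + struct.pack("<I", e_lfanew)
    assert len(header) == DOS_HEADER_LEN
    return header + stub + PE_SIG + b"\0" * 20  # 20 zero bytes stand in for a COFF header


if __name__ == "__main__":
    exe = build_sample()
    for label, blob in (("original", exe), ("flipped", flip_signature(exe))):
        print(label, blob[:2], "DOS accepts:", dos_loader_accepts(blob),
              "PE loader accepts:", windows_loader_accepts(blob),
              "DOS entry at", hex(dos_entry_offset(blob)))
```

Run it and the original sample passes both checks while the flipped copy passes only the DOS one; `flip_signature` applied twice returns the original bytes, so the trick is reversible. Checking `e_magic` against both `MZ` and `ZM`, as `dos_loader_accepts` does, is the "check for both signatures" rule mentioned above; `windows_loader_accepts` shows why a PE tool does not need the second form.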
I wonder if a ZM signature triggers any heuristic flags... I think it did for TBAV but I have a very bad memory :P
It has in the past, dunno if it does anymore. But I wouldn't use it anyway.
Actually, 'ZM' is a valid EXE signature before DOS 2.0. I don't have an explanation for why it came to life, but I suspect some people were confused about the byte-order and just put something like mov word ptr ,'MZ'. And, then, DOS had to maintain the compatibility.
For any particular reason? I'm still using that AV, always had a high concept of it. :confused:
Well, I was referring to ZM rather than the MZ signature with "wouldn't use it anyway" :). So, TBAV still exists? I stopped using it not too long after the Windows version arrived, it didn't really work well imo. ThunderByte was bought by some other company too, wasn't it?
These days it's Kaspersky and F-Prot for me... those are still decent products. Norton AV at the museum even though it sucks, but it catches the email spam and is automated + doesn't cause a fuss.
mov word ptr ,'MZ'. And, then, DOS had to maintain the compatibility.
Good explanation !
However, this shows a defect in the assembler; it is not only the programmer's fault. A good assembler must assemble it properly. (sorry masm :) )
Well, I was referring to ZM rather than MZ signature with "wouldn't use it anyway" :)
LOL! Sorry :grin:
So, TBAV still exists? I stopped using it not too long after the windows version arrived, it didn't work really well imo. ThunderByte was bought by some other company too, wasn't it?
These days it's Kaspersky and F-Prot for me... those are still decent products. Norton AV at the museum even though it sucks, but it catches the email spam and is automated + doesn't cause a fuss.
Yes, it was. I'm still using my ancient copy of TBAV because it's the only one I know of that still shows you the heuristic flags. F-prot doesn't do that anymore, but it's the one I use for detecting known viruses.
Is Kaspersky's AV freeware? I haven't checked in a long time...
No it's not, but I think there might be a trial version. You don't get (good) things for free these days, anyway. If you're still using an old dos TBAV, you might as well not use antiviral protection I'm afraid...
It's not THAT old... it's for Win95, one of the first. But I couple it with FPROT anyway. :)
I described the trick years ago :)