Remove DOS stub from a PE file

Question

Is it possible to remove the DOS stub and the DOS header from a PE file??

SecurityMatt · Answer 1 · 2013-02-27T19:55:33.060

The PE file must begin with an IMAGE_DOS_HEADER followed at some point by an IMAGE_NT_HEADERS struct that defines the modern PE fields.

The IMAGE_DOS_HEADER has two mandatory fields - e_magic must hold the value IMAGE_DOS_SIGNATURE (which looks like 'MZ' in ASCII) and e_lfanew must be the offset from the start of the file up to the start of the IMAGE_NT_HEADERS.

Apart from these two fields, the rest of the IMAGE_DOS_HEADER is optional for Windows past 16-bit Windows and can be zero, and the DOS stub is optional and can be omitted.

The minimal conformant PE file begins with an IMAGE_DOS_HEADER where e_magic is set to IMAGE_DOS_SIGNATURE and e_lfanew is set to sizeof(IMAGE_DOS_HEADER), followed immediately by the IMAGE_NT_HEADERS.

mox · Answer 2 · 2012-03-11T20:29:01.610

7

Removing the Dos Stub has nothing to do with the Dos header. Yes it is possible to remove the Dos Stub (since it is not used anymore). You can even reduce the size of the Dos header to its minimum (MZ + jump to the PE Header). But you cannot remove the Dos header completely. Otherwise, the Windows loader will refuse to start your image if MZ and the jump to the PE header are missing.

edited Mar 11 '12 at 20:29

answered Mar 11 '12 at 20:21

mox

6,084
2
23
35

You can retrieve the real size of the DOS Stub of any executable image, using PeStudio (http://www.winitor.com) – mox Sep 23 '12 at 10:59
Could the one who downvoted my answer, please be fair and comment the downvote! Thanks. – mox Dec 30 '13 at 12:41

score 4 · Accepted Answer · edited Mar 11 '12 at 20:24

4

There's no easy way to remove it without breaking the file format.

But ehm, found this.

edited Mar 11 '12 at 20:24

abatishchev

98,240
88
296
433

answered Mar 11 '12 at 13:40

Snowflow

149
9

I can break the file format but I need to know how to do that without currupting the exe. – user1232138 Mar 11 '12 at 13:41
2

If you break the file format, then it's not really a PE file any more. You can provide a custom stub. – Raymond Chen Mar 11 '12 at 15:11

score 2 · Answer 4 · answered May 31 '16 at 16:32

2

You can't reduce the size of the Dos header to its "minimum". Unfortunately the length field is the last field in IMAGE_DOS_HEADER. Thus it has a fixed size of 64 bytes.

answered May 31 '16 at 16:32

Christoph Hochstätter

31
3

Indeed. The minimum size for a DOS .exe which just exits is 24 + 5 = 29 bytes. The minimum size of the PE stub is 64 bytes, with the PE header offset stored between byte positions 60 and 64. – pts Jul 21 '20 at 12:21

Remove DOS stub from a PE file

4 Answers4