
Last review: Sept 15, 2025

DOS header

The DOS header is located at the very beginning of the file and is represented by the following structure:

```cpp
typedef struct _IMAGE_DOS_HEADER {      // DOS .EXE header
    ...
    LONG   e_lfanew;                    // File address of new exe header
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
```

Since we assumed that the PE file is initially in memory at @FILEMEM, this header can be found directly at @FILEMEM.

From a PE loader’s perspective, only one field in this header is important: e_lfanew.

This field contains an offset from the beginning of the file, which is used to locate the NT header. The indirection is needed because there can be arbitrary space between the DOS header and the other headers, as well as between the sections. Thus, the NT header is located at @FILEMEM + e_lfanew.
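The lookup described above, written as an added example in portable C (it is not the author's loader code and does not use `windows.h`). It also goes one step further than the text by treating the file as untrusted: it checks the `MZ` and `PE\0\0` signatures and rejects an `e_lfanew` that is negative or points outside the buffer. The names `find_nt_header`, `rd32le` and `make_sample` are hypothetical, and the sample images are constructed in place.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DOS_HEADER_SIZE 64u    /* sizeof(IMAGE_DOS_HEADER) */
#define E_LFANEW_OFFSET 0x3Cu  /* e_lfanew is the last field of the header */

/* Decode a little-endian 32-bit value without assuming alignment. */
static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Return @FILEMEM + e_lfanew, or NULL when the buffer is too small, the
 * "MZ" / "PE\0\0" signatures are missing, or e_lfanew leaves the buffer. */
const uint8_t *find_nt_header(const uint8_t *filemem, size_t size) {
    if (filemem == NULL || size < DOS_HEADER_SIZE) return NULL;
    if (filemem[0] != 'M' || filemem[1] != 'Z') return NULL;

    uint32_t e_lfanew = rd32le(filemem + E_LFANEW_OFFSET);
    /* e_lfanew is a signed LONG: values above INT32_MAX are negative. */
    if (e_lfanew > 0x7FFFFFFFu) return NULL;
    /* The 4-byte NT signature must fit inside the buffer. */
    if (e_lfanew > size - 4) return NULL;
    if (memcmp(filemem + e_lfanew, "PE\0\0", 4) != 0) return NULL;
    return filemem + e_lfanew;
}

/* Constructed sample: a zeroed buffer with "MZ", the given e_lfanew and,
 * when it fits, a "PE\0\0" signature at that offset. Needs size >= 64. */
static void make_sample(uint8_t *buf, size_t size, uint32_t e_lfanew) {
    memset(buf, 0, size);
    buf[0] = 'M'; buf[1] = 'Z';
    for (int i = 0; i < 4; i++)
        buf[E_LFANEW_OFFSET + i] = (uint8_t)(e_lfanew >> (8 * i));
    if (e_lfanew <= size - 4) memcpy(buf + e_lfanew, "PE\0\0", 4);
}

int main(void) {
    uint8_t img[256];
    make_sample(img, sizeof img, 0x80);
    const uint8_t *nt = find_nt_header(img, sizeof img);
    printf("valid image: NT header at offset %ld\n", nt ? (long)(nt - img) : -1L);
    make_sample(img, sizeof img, 0xFFFFFFF0u);   /* negative as a LONG */
    printf("out-of-range e_lfanew rejected: %s\n",
           find_nt_header(img, sizeof img) == NULL ? "yes" : "no");
    return 0;
}
```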

Even though I’m focusing on running an executable, I wouldn’t be surprised if some antivirus or EDR systems check other fields, like e_csum in this header.