INT 21 - DOS 2+ - "EXEC" - LOAD AND/OR EXECUTE PROGRAM
        AH = 4Bh
        AL = type of load
            00h load and execute
            01h load but do not execute
            03h load overlay (see #01591)
            04h load and execute in background (European MS-DOS 4.0 only)
                "Exec & Go" (see also AH=80h)
        DS:DX -> ASCIZ program name (must include extension)
        ES:BX -> parameter block (see #01590,#01591,#01592)
        CX = mode (subfunction 04h only)
            0000h child placed in zombie mode after termination
            0001h child's return code discarded on termination
Return: CF clear if successful
            BX,DX destroyed
            if subfunction 01h, process ID set to new program's PSP; get with
              INT 21/AH=62h
        CF set on error
            AX = error code (01h,02h,05h,08h,0Ah,0Bh) (see #01680 at AH=59h)
Notes:  DOS 2.x destroys all registers, including SS:SP
        under ROM-based DOS, if no disk path characters (colons or slashes)
          are included in the program name, the name is searched for in the
          ROM module headers (see #01595) before searching on disk
        for functions 00h and 01h, the calling process must ensure that there
          is enough unallocated memory available; if necessary, by releasing
          memory with AH=49h or AH=4Ah
        for function 01h, the AX value to be passed to the child program is
          put on top of the child's stack
        for function 03h, DOS assumes that the overlay is being loaded into
          memory allocated by the caller
        function 01h was undocumented prior to the release of DOS 5.0
        some versions (such as DR DOS 6.0) check the parameters and parameter
          block and return an error if an invalid value (such as an offset of
          FFFFh) is found
        background programs under European MS-DOS 4.0 must use the new
          executable format
        this function ignores the filename extension, instead checking the
          first two bytes of the file to determine whether there is a valid
          .EXE header (see #01594); if not, the file is assumed to be in .COM
          format.  If present, the file may be in any of several formats which
          are extensions of the original .EXE format (see #01593)
        .COM-format executables begin running with the following register
          values:
                AL = 00h if first FCB has valid drive letter, FFh if not
                AH = 00h if second FCB has valid drive letter, FFh if not
                CS,DS,ES,SS = PSP segment
                SP = offset of last word available in first 64K segment
                (note: AX is always 0000h under DESQview)
        old-format executables begin running with the following register
          values:
                AL = 00h if first FCB has valid drive letter, FFh if not
                AH = 00h if second FCB has valid drive letter, FFh if not
                DS,ES = PSP segment
                SS:SP as defined in .EXE header
                (note: AX is always 0000h under DESQview)
        new executables begin running with the following register values
                AX = environment segment
                BX = offset of command tail in environment segment
                CX = size of automatic data segment (0000h = 64K)
                ES,BP = 0000h
                DS = automatic data segment
                SS:SP = initial stack
        the command tail corresponds to an old executable's PSP:0081h and
          following, except that the 0Dh is turned into a NUL (00h); new
          format executables have no PSP
        under the FlashTek X-32 DOS extender, only function 00h is supported
          and the pointers are passed in DS:EDX and ES:EBX
        DR DOS 6 always loads .EXE-format programs with no fixups and
          .COM-format programs starting with 9Ch 55h (PUSHF/PUSH BP) above the
          64K mark to avoid the EXEPACK bug, by extending the memory block
          containing the program's environment; this code is disabled if the
          name of the parent program as stored in the MCB is 'WIN'.
        DR DOS 3.41 and 5.0 check for a valid filename before testing the
          subfunction number, so the otherwise invalid subfunction 02h will
          only return error code 01h if the given filename actually exists;
          otherwise, errors 02h, 03h, or 05h are returned
MORE:   When creating a command tail, it consists of a length byte followed by
          the string of characters.  It should then be followed with a CR
          (0x0d) and a NULL (0x00).  However, neither the CR nor the NULL is
          to be included in the length byte.  The command tail will be copied
          to the program PSP when executed.  Depending on the DOS manufacturer
          and version, the PSP command tail is limited to 125 or 126
          characters plus a Carriage Return.  Some DOS versions may set a
          CMDLINE environment variable that can exceed the limited number of
          characters supported by the PSP.
BUGS:   DOS 2.00 assumes that DS points at the current program's PSP
        Load Overlay (subfunction 03h) loads up to 512 bytes too many if the
          file contains additional data after the actual overlay
        Load but Do Not Execute (subfunction 01h) is reported to corrupt the
          top word of the caller's stack if the loaded module terminates with
          INT 21/AH=4Ch in some versions of MS-DOS, including v5.00.
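Added example (not part of the interrupt list): the content-based classification described in the Notes above, written as a Python triage routine that also sanity-checks the .EXE header fields of #01594 (load image size, relocation targets, entry point, trailing data) and looks for the tool signatures of #01593/#01594. The function names, the report layout and the sample bytes are constructed for illustration.

```python
import struct

# Two-byte signatures of the extended formats listed in Table 01593.
NEW_FORMATS = (b"NE", b"LE", b"LX", b"W3", b"W4", b"PE")
# (header offset, signature) pairs taken from Table 01594.
PACKER_SIGS = {
    (0x1C, b"LZ09"): "LZEXE 0.90",
    (0x1C, b"LZ91"): "LZEXE 0.91",
    (0x1C, b"RJSX"): "ARJ self-extractor",
    (0x1C, b"RSFX"): "RAR self-extractor",
    (0x1E, b"PKLITE"): "PKLITE",
}


def inspect_program(data: bytes) -> dict:
    """Classify a file by its first bytes, as EXEC does, and check the MZ header."""
    report = {"format": "COM", "packer": None, "trailing_bytes": 0, "findings": []}
    if data[:2] not in (b"MZ", b"ZM"):
        return report                       # no .EXE signature: assumed .COM
    report["format"] = "MZ"
    find = report["findings"].append
    if len(data) < 0x1C:
        find("file is shorter than the fixed 1Ch-byte header")
        return report

    # Words at offsets 02h..1Ah; CS:IP at 14h is stored offset first.
    (last_page, pages, nreloc, hdr_paras, _min, _max, _ss, _sp,
     _checksum, ip, cs, reloc_off, _overlay) = struct.unpack_from("<13H", data, 0x02)

    if last_page == 4:                      # pre-1.10 MS linker quirk: treat as 00h
        last_page = 0
    image_end = pages * 512 - ((512 - last_page) if last_page else 0)
    hdr_size = hdr_paras * 16
    load_size = image_end - hdr_size        # bytes DOS copies into memory
    if pages == 0 or last_page > 512 or load_size <= 0:
        find("page count, last-page size and header size are inconsistent")
        return report
    if image_end > len(data):
        find(f"header describes {image_end} bytes but the file has {len(data)}")
    # Overlays, a new-format executable or debug info may follow the load image.
    report["trailing_bytes"] = max(0, len(data) - image_end)

    if nreloc and reloc_off + 4 * nreloc > hdr_size:
        find("relocation table runs past the end of the header")
    for i in range(nreloc):
        pos = reloc_off + 4 * i
        if pos + 4 > len(data):
            find(f"relocation {i} lies beyond the end of the file")
            break
        off, seg = struct.unpack_from("<HH", data, pos)
        target = seg * 16 + off             # position of the WORD to be patched
        if target + 2 > load_size:
            find(f"relocation {i} patches offset {target:#x}, outside the "
                 f"{load_size}-byte load image")

    # Segment sums wrap at 16 bits, so the image-relative address wraps at 1 MB.
    entry = ((cs << 4) + ip) & 0xFFFFF
    if entry >= load_size:
        find(f"entry point {cs:04X}:{ip:04X} is outside the load image")

    if reloc_off >= 0x40 and len(data) >= 0x40:
        (new_hdr,) = struct.unpack_from("<I", data, 0x3C)
        sig = data[new_hdr:new_hdr + 2]
        if new_hdr and sig in NEW_FORMATS:
            report["format"] = sig.decode("ascii")

    for (off, sig), name in PACKER_SIGS.items():
        if data[off:off + len(sig)] == sig:
            report["packer"] = name
    return report


def build_sample() -> bytes:
    """Constructed input, not a real program: 48-byte header, 64-byte load
    image, 16 trailing bytes, one valid and one out-of-range relocation."""
    hdr = struct.pack("<2s13H", b"MZ", 112, 1, 2, 3, 0, 0xFFFF,
                      0, 0x40, 0, 0, 0, 0x20, 0)
    hdr += b"LZ91"                                  # tool signature at 1Ch
    hdr += struct.pack("<4H", 0x0010, 0x0000,       # relocation 0: inside image
                       0x0000, 0x1000)              # relocation 1: offset 10000h
    return hdr.ljust(48, b"\0") + b"\x90" * 64 + b"T" * 16


if __name__ == "__main__":
    for key, value in inspect_program(build_sample()).items():
        print(f"{key}: {value}")
```
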
SeeAlso: AX=4B05h,AH=4Ch,AH=4Dh,AH=64h/BX=0025h,AH=8Ah,INT 2E,INT 60/DI=0604h

Format of EXEC parameter block for AL=00h,01h,04h:
Offset Size     Description     (Table 01590)
 00h   WORD     segment of environment to copy for child process (copy
                  caller's environment if 0000h)
 02h   DWORD    pointer to command tail to be copied into child's PSP
 06h   DWORD    pointer to first FCB to be copied into child's PSP
 0Ah   DWORD    pointer to second FCB to be copied into child's PSP
 0Eh   DWORD    (AL=01h) will hold subprogram's initial SS:SP on return
 12h   DWORD    (AL=01h) will hold entry point (CS:IP) on return
SeeAlso: #01591,#01592

Format of EXEC parameter block for AL=03h:
Offset Size     Description     (Table 01591)
 00h   WORD     segment at which to load overlay
 02h   WORD     relocation factor to apply to overlay if in .EXE format
SeeAlso: #01590,#01592

Format of EXEC parameter block for FlashTek X-32:
Offset Size     Description     (Table 01592)
 00h   PWORD    48-bit far pointer to environment string
 06h   PWORD    48-bit far pointer to command tail string
SeeAlso: #01590,#01591

(Table 01593)
Values for the executable types understood by various environments:
 MZ     old-style DOS executable (see #01594)
 ZM     used by some very early DOS linkers, and still supported as an
          alternate to the MZ signature by MS-DOS, PC DOS, PTS-DOS, and S/DOS
 NE     Windows or OS/2 1.x segmented ("new") executable (see #01596)
 LE     Windows virtual device driver (VxD) linear executable (see #01609)
 LX     variant of LE used in OS/2 2.x (see #01609)
 W3     Windows WIN386.EXE file; a collection of LE files
 W4     Windows95 VMM32.VXD file
 PE     Win32 (Windows NT and Win32s) portable executable based on Unix COFF
 DL     HP 100LX/200LX system manager compliant executable (.EXM)
 MP     old PharLap .EXP (see #01619)
 P2     PharLap 286 .EXP (see #01620)
 P3     PharLap 386 .EXP (see #01620)

Format of .EXE file header:
Offset Size     Description     (Table 01594)
 00h   2 BYTEs  .EXE signature, either "MZ" or "ZM" (5A4Dh or 4D5Ah)
                  (see also #01593)
 02h   WORD     number of bytes in last 512-byte page of executable
 04h   WORD     total number of 512-byte pages in executable (includes any
                  partial last page)
 06h   WORD     number of relocation entries
 08h   WORD     header size in paragraphs
 0Ah   WORD     minimum paragraphs of memory required to allocate in addition
                  to executable's size
 0Ch   WORD     maximum paragraphs to allocate in addition to executable's size
 0Eh   WORD     initial SS relative to start of executable
 10h   WORD     initial SP
 12h   WORD     checksum (one's complement of sum of all words in executable)
 14h   DWORD    initial CS:IP relative to start of executable
 18h   WORD     offset within header of relocation table
                40h or greater for new-format (NE,LE,LX,W3,PE,etc.) executable
 1Ah   WORD     overlay number (normally 0000h = main program)
---new executable---
 1Ch   4 BYTEs  ???
 20h   WORD     behavior bits
 22h   26 BYTEs reserved for additional behavior info
 3Ch   DWORD    offset of new executable (NE,LE,etc) header within disk file,
                  or 00000000h if plain MZ executable
---Borland TLINK---
 1Ch   2 BYTEs  ??? (apparently always 01h 00h)
 1Eh   BYTE     signature FBh
 1Fh   BYTE     TLINK version (major in high nybble, minor in low nybble)
 20h   2 BYTEs  ??? (v2.0 apparently always 72h 6Ah, v3.0+ seems always
                  6Ah 72h)
---ARJ self-extracting archive---
 1Ch   4 BYTEs  signature "RJSX" (older versions, new signature is "aRJsfX"
                  in the first 1000 bytes of the file)
---LZEXE 0.90 compressed executable---
 1Ch   4 BYTEs  signature "LZ09"
---LZEXE 0.91 compressed executable---
 1Ch   4 BYTEs  signature "LZ91"
---PKLITE compressed executable---
 1Ch   BYTE     minor version number
 1Dh   BYTE     bits 0-3: major version
                bit 4: extra compression
                bit 5: huge (multi-segment) file
 1Eh   6 BYTEs  signature "PKLITE" (followed by copyright message)
---LHarc 1.x self-extracting archive---
 1Ch   4 BYTEs  unused???
 20h   3 BYTEs  jump to start of extraction code
 23h   2 BYTEs  ???
 25h   12 BYTEs signature "LHarc's SFX "
---LHA 2.x self-extracting archive---
 1Ch   8 BYTEs  ???
 24h   10 BYTEs signature "LHa's SFX " (v2.10) or "LHA's SFX " (v2.13)
---TopSpeed C 3.0 CRUNCH compressed file---
 1Ch   DWORD    018A0001h
 20h   WORD     1565h
---PKARCK 3.5 self-extracting archive---
 1Ch   DWORD    00020001h
 20h   WORD     0700h
---BSA (Soviet archiver) self-extracting archive---
 1Ch   WORD     000Fh
 1Eh   BYTE     A7h
---LARC self-extracting archive---
 1Ch   4 BYTEs  ???
 20h   11 BYTEs "SFX by LARC "
---LH self-extracting archive---
 1Ch   8 BYTEs  ???
 24h   8 BYTEs  "LH's SFX "
---RAR self-extracting archive---
 1Ch   4 BYTEs  signature "RSFX"
---other linkers---
 1Ch   var      optional information
---
  N    N DWORDs relocation items
                each is the segment:offset from start of load image at which
                  to add the actual load segment to the indicated WORD
Notes:  if the word at offset 02h is 4, it should be treated as 00h, since
          pre-1.10 versions of the MS linker set it that way
        if both minimum and maximum allocation (offset 0Ah/0Ch) are zero, the
          program is loaded as high in memory as possible (DOS only checks
          the maximum allocation, however)
        the maximum allocation is set to FFFFh by default
        additional data may be contained in the file beyond the end of the
          load image described by the .EXE header; this data may be overlays,
          the actual executable for newer-format executables, or debugging
          information (see #01600,#01624)
        relocations entries need not be in any particular order, although
          they are typically stored in order from beginning to end of the
          load image
SeeAlso: #01596

Format of ROM Module Header:
Offset Size     Description     (Table 01595)
 00h   2 BYTEs  ROM signature 55h, AAh
 02h   BYTE     size of ROM in 512-byte blocks
 03h   3 BYTEs  POST initialization entry point (near JMP instruction)
 06h   ROM Program Name List [array]
        Offset Size     Description
         00h   BYTE     length of ROM program's name (00h if end of name list)
         01h   N BYTEs  program name
         N+1   3 BYTEs  program entry point (near JMP instruction)

Format of new executable header:
Offset Size     Description     (Table 01596)
 00h   2 BYTEs  "NE" (4Eh 45h) signature
 02h   2 BYTEs  linker version (major, then minor)
 04h   WORD     offset from start of this header to entry table (see #01603)
 06h   WORD     length of entry table in bytes
 08h   DWORD    file load CRC (0 in Borland's TPW)
 0Ch   BYTE     program flags (see #01597)
 0Dh   BYTE     application flags (see #01598)
 0Eh   WORD     auto data segment index
 10h   WORD     initial local heap size
 12h   WORD     initial stack size (added to data seg, 0000h if SS <> DS)
 14h   DWORD    program entry point (CS:IP), "CS" is index into segment table
 18h   DWORD    initial stack pointer (SS:SP), "SS" is segment index
                if SS=automatic data segment and SP=0000h, the stack pointer
                  is set to the top of the automatic data segment, just below
                  the local heap
 1Ch   WORD     segment count
 1Eh   WORD     module reference count
 20h   WORD     length of nonresident names table in bytes
 22h   WORD     offset from start of this header to segment table (see #01601)
 24h   WORD     offset from start of this header to resource table
 26h   WORD     offset from start of this header to resident names table
 28h   WORD     offset from start of this header to module reference table
 2Ah   WORD     offset from start of this header to imported names table
                  (array of counted strings, terminated with a string of
                  length 00h)
 2Ch   DWORD    offset from start of file to nonresident names table
 30h   WORD     count of moveable entry point listed in entry table
 32h   WORD     file alignment size shift count
                0 is equivalent to 9 (default 512-byte pages)
 34h   WORD     number of resource table entries
 36h   BYTE     target operating system
                00h unknown
                01h OS/2
                02h Windows
                03h European MS-DOS 4.x
                04h Windows 386
                05h BOSS (Borland Operating System Services)
                81h PharLap 286|DOS-Extender, OS/2
                82h PharLap 286|DOS-Extender, Windows
 37h   BYTE     other EXE flags (see #01599)
 38h   WORD     offset to return thunks or start of gangload area
 3Ah   WORD     offset to segment reference thunks or length of gangload area
 3Ch   WORD     minimum code swap area size
 3Eh   2 BYTEs  expected Windows version (minor version first)
Note:   this header is documented in detail in the Windows 3.1 SDK
          Programmer's Reference, Vol 4.
SeeAlso: #01594

Bitfields for new executable program flags:
Bit(s)  Description     (Table 01597)
 0-1    DGROUP type
        0 = none
        1 = single shared
        2 = multiple (unshared)
        3 = (null)
 2      global initialization
 3      protected mode only
 4      8086 instructions
 5      80286 instructions
 6      80386 instructions
 7      80x87 instructions

Bitfields for new executable application flags:
Bit(s)  Description     (Table 01598)
 0-2    application type
        001 full screen (not aware of Windows/P.M. API)
        010 compatible with Windows/P.M. API
        011 uses Windows/P.M. API
 3      is a Family Application (OS/2)
 5      0=executable, 1=errors in image
 6      non-conforming program (valid stack is not maintained)
 7      DLL or driver rather than application
        (SS:SP info invalid, CS:IP points at FAR init routine called with
          AX=module handle which returns AX=0000h on failure, AX nonzero on
          successful initialization)

Bitfields for other new .EXE flags:
Bit(s)  Description     (Table 01599)
 0      supports long filenames
 1      2.X protected mode
 2      2.X proportional font
 3      gangload area

Format of Codeview trailer (at end of executable):
Offset Size     Description     (Table 01600)
 00h   WORD     signature 4E42h ('NB')
 02h   WORD     Microsoft debug info version number
 04h   DWORD    Codeview header offset
SeeAlso: #01624

Format of new executable segment table record:
Offset Size     Description     (Table 01601)
 00h   WORD     offset in file (shift left by alignment shift to get byte offs)
 02h   WORD     length of image in file (0000h = 64K)
 04h   WORD     segment attributes (see #01602)
 06h   WORD     number of bytes to allocate for segment (0000h = 64K)
Note:   the first segment table entry is entry number 1
SeeAlso: #01604

Bitfields for segment attributes:
Bit(s)  Description     (Table 01602)
 0      data segment rather than code segment
 1      unused???
 2      real mode
 3      iterated
 4      movable
 5      sharable
 6      preloaded rather than demand-loaded
 7      execute-only (code) or read-only (data)
 8      relocations (directly following code for this segment)
 9      debug info present
 10,11  80286 DPL bits
 12     discardable
 13-15  discard priority

Format of new executable entry table item (list):
Offset Size     Description     (Table 01603)
 00h   BYTE     number of entry points (00h if end of entry table list)
 01h   BYTE     segment number (00h if end of entry table list)
 02h   3N BYTEs entry records
        Offset Size     Description
         00h   BYTE     flags
                        bit 0: exported
                        bit 1: single data
                        bits 2-7: unused???
         01h   WORD     offset within segment

Format of new executable relocation data (immediately follows segment image):
Offset Size     Description     (Table 01604)
 00h   WORD     number of relocation items
 02h   8N BYTEs relocation items
        Offset Size     Description
         00h   BYTE     relocation type
                        00h LOBYTE
                        02h BASE
                        03h PTR
                        05h OFFS
                        0Bh PTR48
                        0Dh OFFS32
         01h   BYTE     flags
                        bit 2: additive
         02h   WORD     offset within segment
         04h   WORD     target address segment
         06h   WORD     target address offset
SeeAlso: #01601,#01605

Format of new executable resource data:
Offset Size     Description     (Table 01605)
 00h   WORD     alignment shift count for resource data
 02h   N RECORDs resources
        Format of resource record:
        Offset Size     Description
         00h   WORD     type ID
                        0000h if end of resource records
                        >= 8000h if integer type
                        else offset from start of resource table to type
                          string
         02h   WORD     number of resources of this type
         04h   DWORD    reserved for runtime use
         08h   N Resources (see #01606)
Note:   resource type and name strings are stored immediately following the
          resource table, and are not null-terminated
SeeAlso: #01606

Format of new executable resource entry:
Offset Size     Description     (Table 01606)
 00h   WORD     offset in alignment units from start of file to contents of
                  the resource data
 02h   WORD     length of resource image in bytes
 04h   WORD     flags
                bit 4: moveable
                bit 5: shareable
                bit 6: preloaded
 06h   WORD     resource ID
                >= 8000h if integer resource
                else offset from start of resource table to resource string
 08h   DWORD    reserved for runtime use
Notes:  resource type and name strings are stored immediately following the
          resource table, and are not null-terminated
        strings are counted strings, with a string of length 0 indicating the
          end of the resource table
SeeAlso: #01605,#01607

Format of new executable module reference table [one bundle of entries]:
Offset Size     Description     (Table 01607)
 00h   BYTE     number of records in this bundle (00h if end of table)
 01h   BYTE     segment indicator
                00h unused
                FFh movable segment, segment number is in entry
                else segment number of fixed segment
 02h   N RECORDs
        Format of segment record
        Offset Size     Description
         00h   BYTE     flags
                        bit 0: entry is exported
                        bit 1: entry uses global (shared) data
                        bits 7-3: number of parameter words
        ---fixed segment---
         01h   WORD     offset
        ---moveable segment---
         01h   2 BYTEs  INT 3F instruction (CDh 3Fh)
         03h   BYTE     segment number
         05h   WORD     offset
Note:   table entries are numbered starting from 1
SeeAlso: #01608

Format of new executable resident/nonresident name table entry:
Offset Size     Description     (Table 01608)
 00h   BYTE     length of string (00h if end of table)
 01h   N BYTEs  ASCII text of string
 N+1   WORD     ordinal number (index into entry table)
Notes:  the first string in the resident name table is the module name; the
          first entry in the nonresident name table is the module description
        the strings are case-sensitive; if the executable was linked with
          /IGNORECASE, all strings are in uppercase
SeeAlso: #01607

Format of Linear Executable (enhanced mode executable) header:
Offset Size     Description     (Table 01609)
 00h   2 BYTEs  "LE" (4Ch 45h) signature (Windows)
                "LX" (4Ch 58h) signature (OS/2)
 02h   BYTE     byte order (00h = little-endian, nonzero = big-endian)
 03h   BYTE     word order (00h = little-endian, nonzero = big-endian)
 04h   DWORD    executable format level
 08h   WORD     CPU type (see also INT 15/AH=C9h)
                01h Intel 80286 or upwardly compatible
                02h Intel 80386 or upwardly compatible
                03h Intel 80486 or upwardly compatible
                04h Intel Pentium (80586) or upwardly compatible
                20h Intel i860 (N10) or compatible
                21h Intel "N11" or compatible
                40h MIPS Mark I (R2000, R3000) or compatible
                41h MIPS Mark II (R6000) or compatible
                42h MIPS Mark III (R4000) or compatible
 0Ah   WORD     target operating system
                01h OS/2
                02h Windows
                03h European DOS 4.0
                04h Windows 386
 0Ch   DWORD    module version
 10h   DWORD    module type (see #01610)
 14h   DWORD    number of memory pages
 18h   Initial CS:EIP
       DWORD    object number
       DWORD    offset
 20h   Initial SS:ESP
       DWORD    object number
       DWORD    offset
 28h   DWORD    memory page size
 2Ch   DWORD    (Windows LE) bytes on last page
                (OS/2 LX) page offset shift count
 30h   DWORD    fixup section size
 34h   DWORD    fixup section checksum
 38h   DWORD    loader section size
 3Ch   DWORD    loader section checksum
 40h   DWORD    offset of object table (see #01611)
 44h   DWORD    object table entries
 48h   DWORD    object page map table offset (see #01613)
 4Ch   DWORD    object iterate data map offset
 50h   DWORD    resource table offset
 54h   DWORD    resource table entries
 58h   DWORD    resident names table offset (see #01614)
 5Ch   DWORD    entry table offset (see #01615,#01616)
 60h   DWORD    module directives table offset
 64h   DWORD    Module Directives entries
 68h   DWORD    Fixup page table offset
 6Ch   DWORD    Fixup record table offset (see #01618)
 70h   DWORD    imported modules name table offset
 74h   DWORD    imported modules count
 78h   DWORD    imported procedures name table offset
 7Ch   DWORD    per-page checksum table offset
 80h   DWORD    data pages offset
 84h   DWORD    preload page count
 88h   DWORD    non-resident names table offset
 8Ch   DWORD    non-resident names table length
 90h   DWORD    non-resident names checksum
 94h   DWORD    automatic data object
 98h   DWORD    debug information offset
 9Ch   DWORD    debug information length
 A0h   DWORD    preload instance pages number
 A4h   DWORD    demand instance pages number
 A8h   DWORD    extra heap allocation
 ACh   12 BYTEs reserved
 B8h   DWORD    offset of VERSIONINFO resource (MS-Windows VxD only)
 BCh   DWORD    pointer to ??? (dynamically-loadable VxDs only???)
 C0h   WORD     device ID (MS-Windows VxD only)
 C2h   WORD     DDK version (MS-Windows VxD only)
Note:   used by EMM386.EXE, QEMM, and Windows 3.0 Enhanced Mode drivers

Bitfields for Linear Executable module type:
Bit(s)  Description     (Table 01610)
 2      initialization (only for DLLs) 0 = global, 1 = per-process
 4      no internal fixups in executable image
 5      no external fixups in executable image
 8-10   API compatibility
        0 = unknown
        1 = incompatible with PM windowing \
        2 = compatible with PM windowing    > (only for
        3 = uses PM windowing API          /   programs)
 13     module not loadable (only for programs)
 15-17  module type
        000 program
        001 library (DLL)
        011 protected memory library module
        100 physical device driver
        110 virtual device driver
 30     per-process library termination
        (requires valid CS:EIP, can't be set for .EXE)

Format of object table entry:
Offset Size     Description     (Table 01611)
 00h   DWORD    virtual size in bytes
 04h   DWORD    relocation base address
 08h   DWORD    object flags (see #01612)
 0Ch   DWORD    page map index
 10h   DWORD    page map entries (see #01613)
 14h   4 BYTEs  reserved??? (apparently always zeros)

Bitfields for object flags:
Bit(s)  Description     (Table 01612)
 0      readable
 1      writable
 2      executable
 3      resource
 4      discardable
 5      shared
 6      preloaded
 7      invalid
 8-9    type
        00 normal
        01 zero-filled
        10 resident
        11 resident and contiguous
 10     resident and long-lockable
 11     reserved
 12     16:16 alias required
 13     "BIG" (Huge: 32-bit)
 14     conforming
 15     "OBJECT_I/O_PRIVILEGE_LEVEL"
 16-31  reserved

Format of object page map table entry:
Offset Size     Description     (Table 01613)
 00h   BYTE     ??? (usually 00h)
 01h   WORD     (big-endian) index to fixup table
                0000h if no relocation info
 03h   BYTE     type (00h hard copy in file, 03h some relocation needed)

Format of resident names table entry:
Offset Size     Description     (Table 01614)
 00h   BYTE     length of name
 01h   N BYTEs  name
 N+1   3 BYTEs  ???

Format of LE linear executable entry table:
Offset Size     Description     (Table 01615)
 00h   BYTE     number of entries in table
 01h   10 BYTEs per entry
        Offset Size     Description
         00h   BYTE     bit flags
                        bit 0: non-empty bundle
                        bit 1: 32-bit entry
         01h   WORD     object number
         03h   BYTE     entry type flags
                        bit 0: exported
                        bit 1: uses single data rather than instance
                        bit 2: reserved
                        bits 3-7: number of stack parameters
         04h   DWORD    offset of entry point
         08h   2 BYTEs  ???
Note:   empty bundles (bit flags at 00h = 00h) are used to skip unused
          indices, and do not contain the remaining nine bytes

Format of LX linear executable entry table [array]:
Offset Size     Description     (Table 01616)
 00h   BYTE     number of bundles following (00h = end of entry table)
 01h   BYTE     bundle type
                00h empty
                01h 16-bit entry
                02h 286 callgate entry
                03h 32-bit entry
                04h forwarder entry
                bit 7 set if additional parameter typing information is
                  present
---bundle type 00h---
 no additional fields
---bundle type 01h---
 02h   WORD     object number
 04h   BYTE     entry flags
                bit 0: exported
                bits 7-3: number of stack parameters
 05h   WORD     offset of entry point in object (shifted by page size shift)
---bundle type 02h---
 02h   WORD     object number
 04h   BYTE     entry flags
                bit 0: exported
                bits 7-3: number of stack parameters
 05h   WORD     offset of entry point in object
 07h   WORD     reserved for callgate selector (used by loader)
---bundle type 03h---
 02h   WORD     object number
 04h   BYTE     entry flags
                bit 0: exported
                bits 7-3: number of stack parameters
 05h   DWORD
offset of entry point in object ---bundle type 04h--- 02h WORD reserved 04h BYTE forwarder flags bit 0: import by ordinal bits 7-1 reserved 05h WORD module ordinal (forwarder's index into Import Module Name table) 07h DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. procedure name offset or import ordinal number Note: all fields after the first two bytes are repeated N times Bitfields for linear executable fixup type: Bit(s) Description (Table 01617) 7 ordinal is BYTE rather than WORD 6 16-rather than 8-object number/module ordinal 5 addition with DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. rather than WORD 4 relocation info has size with new two bytes at end 3 reserved (0) 2 set if add to destination, clear to replace destination 1-0 type 00 internal fixup 01 external fixup, imported by ordinal 10 external fixup, imported by name 11 internal fixup via entry table Format of linear executable fixup record: Offset Size Description (Table 01618) 00h BYTE type bits 7-4: modifier (0001 single, 0011 multiple) bits 3-0: type 0000 byte offset 0010 word segment 0011 16-bit far pointer (DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address.) 0101 16-bit offset 0110 32-bit far pointer (PWORDSix bytes. Used to hold an 80386 protected-mode "far" address, consisting of a segment selector and a 32-bit offset, or a Turbo Pascal "real" variable. See also DWORD, QWORD.) 0111 32-bit offset 1000 near call or jump, WORD/DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. 
based on seg attrib 01h BYTE linear executable fixup type (see #01617) ---if single type--- 02h WORD offset within page 04h relocation information ---internal fixup--- BYTE object number ---external,ordinal--- BYTE one-based module number in Import Module table BYTE/WORD ordinal number WORD/DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. value to add (only present if modifier bit 4 set) ---external,name--- BYTE one-based module number in Import Module table WORD offset in Import Procedure names WORD/DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. value to add (only present if modifier bit 4 set) ---if multiple type--- 02h BYTE number of items 03h var relocation info as for "single" type (above) N WORDs offsets of items to relocate Format of old Phar Lap .EXP file header: Offset Size Description (Table 01619) 00h 2 BYTEs "MP" (4Dh 50h) signature 02h WORD remainder of image size / page size (page size = 512h) 04h WORD size of image in pages 06h WORD number of relocation items 08h WORD header size in paragraphs 0Ah WORD minimum number of extra 4K pages to be allocated at the end of program, when it is loaded 0Ch WORD maximum number of extra 4K pages to be allocated at the end of program, when it is loaded 0Eh DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. initial ESP 12h WORD word checksum of file 14h DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. initial EIP 18h WORD offset of first relocation item 1Ah WORD overlay number 1Ch WORD ??? (wants to be 1) SeeAlso: #01620 Format of new Phar Lap .EXP file header: Offset Size Description (Table 01620) 00h 2 BYTEs signature ("P2" for 286 .EXP executable, "P3" for 386 .EXP) 02h WORD level (01h flat-model file, 02h multisegmented file) 04h WORD header size 06h DWORDDoubleword; four bytes. 
Commonly used to hold a 32-bit segment:offset or selector:offset address. file size in bytes 0Ah WORD checksum 0Ch DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. offset of run-time parameters within file (see #01622) 10h DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. size of run-time parameters in bytes 14h DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. offset of relocation table within file 18h DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. size of relocation table in bytes 1Ch DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. offset of segment information table within file (see #01621) 20h DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. size of segment information table in bytes 24h WORD size of segment information table entry in bytes 26h DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. offset of load image within file 2Ah DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. size of load image on disk 2Eh DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. offset of symbol table within file or 00000000h 32h DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. size of symbol table in bytes 36h DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. offset of GDT within load image 3Ah DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. size of GDT in bytes 3Eh DWORDDoubleword; four bytes. 
Commonly used to hold a 32-bit segment:offset or selector:offset address. offset of LDT within load image 42h DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. size of LDT in bytes 46h DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. offset of IDTsee Interrupt Descriptor Table within load image 4Ah DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. size of IDTsee Interrupt Descriptor Table in bytes 4Eh DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. offset of TSS within load image 52h DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. size of TSS in bytes 56h DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. minimum number of extra bytes to be allocated at end of program (level 1 executables only) 5Ah DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. maximum number of extra bytes to be allocated at end of program (level 1 executables only) 5Eh DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. base load offset (level 1 executables only) 62h DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. initial ESP 66h WORD initial SS 68h DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. initial EIP 6Ch WORD initial CS 6Eh WORD initial LDT 70h WORD initial TSS 72h WORD flags bit 0: load image is packed bit 1: 32-bit checksum is present bits 4-2: type of relocation table 74h DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. memory requirements for load image 78h DWORDDoubleword; four bytes. 
Commonly used to hold a 32-bit segment:offset or selector:offset address. 32-bit checksum (optional) 7Ch DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. size of stack segment in bytes 80h 256 BYTEs reserved (0) SeeAlso: #01619,#01623 Format of Phar Lap segment information table entry: Offset Size Description (Table 01621) 00h WORD selector number 02h WORD flags 04h DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. base offset of selector 08h DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. minimum number of extra bytes to be allocated to the segment Format of 386|DOS-Extender run-time parameters: Offset Size Description (Table 01622) 00h 2 BYTEs signature "DX" (44h 58h) 02h WORD minimum number of real-mode params to leave free at run time 04h WORD maximum number of real-mode params to leave free at run time 06h WORD minimum interrupt buffer size in KB 08h WORD maximum interrupt buffer size in KB 0Ah WORD number of interrupt stacks 0Ch WORD size in KB of each interrupt stack 0Eh DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. offset of byte past end of real-mode code and data 12h WORD size in KB of call buffers 14h WORD flags bit 0: file is virtual memory manager bit 1: file is a debugger 16h WORD unprivileged flag (if nonzero, executes at ring 1, 2, or 3) 18h 104 BYTEs reserved (0) Format of Phar Lap repeat block header: Offset Size Description (Table 01623) 00h WORD byte count 02h BYTE repeat string length Format of Borland debugging information header (following load image): Offset Size Description (Table 01624) 00h WORD signature 52FBh 02h WORD version ID 04h DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. 
size of name pool in bytes 08h WORD number of names in name pool 0Ah WORD number of type entries 0Ch WORD number of structure members 0Eh WORD number of symbols 10h WORD number of global symbols 12h WORD number of modules 14h WORD number of locals (optional) 16h WORD number of scopes in table 18h WORD number of line-number entries 1Ah WORD number of include files 1Ch WORD number of segment records 1Eh WORD number of segment/file correlations 20h DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. size of load image after removing uninitialized data and debug information 24h DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. debugger hook; pointer into debugged program whose meaning depends on program flags 28h BYTE program flags bit 0: case-sensitive link bit 1: pascal overlay program 29h WORD no longer used 2Bh WORD size of data pool in bytes 2Dh BYTE padding 2Eh WORD size of following header extension (currently 00h, 10h, or 20h) 30h WORD number of classes 32h WORD number of parents 34h WORD number of global classes (currently unused) 36h WORD number of overloads (currently unused) 38h WORD number of scope classes 3Ah WORD number of module classes 3Ch WORD number of coverage offsets 3Eh DWORDDoubleword; four bytes. Commonly used to hold a 32-bit segment:offset or selector:offset address. offset relative to symbol base of name pool 42h WORD number of browser information records 44h WORD number of optimized symbol records 46h WORD debugging flags 48h 8 BYTEs padding Note: additional information on the Borland debugging info may be found in Borland's Open Architecture Handbook SeeAlso: #01600
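
Added example (not part of the interrupt list): a Python check that reads the offset/size pairs of the new Phar Lap .EXP header (Table 01620) and compares them against the real file length and the load image size before any of them is used as an index. The names check_exp_header and sample and the sample file are constructed for illustration; treating a zero size as "table absent" and skipping the image-relative checks for packed images are assumptions.

```python
import struct

# (name, offset field, size field) from Table 01620; offsets relative to the file
FILE_REGIONS = [("run-time parameters", 0x0C, 0x10),
                ("relocation table", 0x14, 0x18),
                ("segment information table", 0x1C, 0x20),
                ("load image", 0x26, 0x2A), ("symbol table", 0x2E, 0x32)]
# these four are located relative to the load image, not the file
IMAGE_REGIONS = [("GDT", 0x36, 0x3A), ("LDT", 0x3E, 0x42),
                 ("IDT", 0x46, 0x4A), ("TSS", 0x4E, 0x52)]
HEADER_LEN = 0x80 + 256   # fixed fields plus the 256 reserved bytes


def check_exp_header(data):
    """Return a list of problems in a new-format Phar Lap .EXP header."""
    if len(data) < HEADER_LEN:
        return ["file shorter than the 180h-byte header"]
    sig, level, _hdr, file_size = struct.unpack_from("<2sHHI", data, 0)
    if sig not in (b"P2", b"P3"):
        return ["bad signature %r" % sig]
    problems = []
    if level not in (1, 2):
        problems.append("unknown level %04Xh" % level)
    if file_size != len(data):
        problems.append("header file size %d != actual %d" % (file_size, len(data)))
    def pair(off_field, size_field):   # read one DWORD offset / DWORD size pair
        return (struct.unpack_from("<I", data, off_field)[0],
                struct.unpack_from("<I", data, size_field)[0])

    for name, o, s in FILE_REGIONS:
        off, size = pair(o, s)
        if size and off + size > len(data):   # assumption: size 0 means absent
            problems.append("%s runs past end of file" % name)
    packed = struct.unpack_from("<H", data, 0x72)[0] & 1   # flags bit 0
    img_size = pair(0x26, 0x2A)[1]
    if not packed:   # assumption: on-disk size bounds only an unpacked image
        for name, o, s in IMAGE_REGIONS:
            off, size = pair(o, s)
            if size and off + size > img_size:
                problems.append("%s runs past load image" % name)
    rt_off, rt_size = pair(0x0C, 0x10)
    if rt_size and data[rt_off:rt_off + 2] != b"DX":   # Table 01622 signature
        problems.append("run-time parameters lack 'DX' signature")
    return problems


def sample(gdt_size=0x20):
    """Constructed 400h-byte 'P3' file: 'DX' block at 180h, image at 200h."""
    buf = bytearray(0x400)
    struct.pack_into("<2sHHI", buf, 0, b"P3", 1, HEADER_LEN, len(buf))
    struct.pack_into("<II", buf, 0x0C, 0x180, 0x80)      # run-time parameters
    struct.pack_into("<II", buf, 0x26, 0x200, 0x200)     # load image
    struct.pack_into("<II", buf, 0x36, 0x100, gdt_size)  # GDT within image
    buf[0x180:0x182] = b"DX"
    return bytes(buf)
```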